An LDAP server profile enables you to:
Authenticate administrators and end users of Palo Alto Networks firewalls and Panorama. Define security rules based on user or user group. The LDAP server profile instructs the firewall how to connect and authenticate to the server and how to search the directory for user and group information. You must also configure User-ID to Map Users to Groups. Then you can select users or groups when defining policy rules.
Configure an LDAP Server Profile
Add an LDAP server profile. Select Device > Server Profiles > LDAP and click Add. Enter a Profile Name to identify the server profile. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available. For each LDAP server (up to four), click Add and enter a Name (to identify the server), server IP address ( LDAP Server field), and server Port (default 389). Select the server Type from the drop-down: active-directory, e-directory, sun, or other. If you want the firewall or Panorama to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (it is selected by default). The protocol that the firewall or Panorama uses depends on the server Port: 389 (default)—TLS (Specifically, the firewall or Panorama uses the Start TLS operation, which upgrades the initial plaintext connection to TLS.) 636—SSL Any other port—The firewall or Panorama first tries to use TLS. If the directory server doesn’t support TLS, the firewall or Panorama falls back to SSL. To improve security, you can select the Verify Server Certificate for SSL sessions check box (it is cleared by default) so that the firewall or Panorama verifies the certificate that the directory server presents for SSL/TLS connections. If the verification fails, the connection fails. To enable verification, you must also select the Require SSL/TLS secured connection check box. The firewall or Panorama verifies the certificate in two respects: The certificate is trusted and valid. For the firewall or Panorama to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under Device > Certificate Management > Certificates > Device Certificates. Import the certificate if necessary: see Import a Certificate and Private Key. The certificate name must match the host Name of the LDAP server. The firewall or Panorama first checks the certificate attribute Subject AltName for matching, then tries the attribute Subject DN. If the certificate uses the FQDN of the directory server, you must enter that FQDN in the LDAP Server field for the name matching to succeed. Click OK.
Implement the LDAP server profile. Assign the LDAP server profile to an authentication profile or sequence. Test an LDAP Authentication Profile to verify that the firewall or Panorama can connect to the LDAP server. Assign the authentication profile or sequence to an administrator account or to a firewall service for end users. Commit your changes.

Related Documentation