1. Overview

This section provides some guidance for resolving issues with your OpenLDAP integration.

2. Console does not save your settings

If Console does not save your settings after entering your configuration parameters, it means that Console cannot establish a test connection to your slapd server. To debug the issue:

  • Verify that your slapd server is accessible to the host machine where Console runs, and that your authentication certs are valid.

  • Verify that your service account can run queries using ldapsearch.

  • Verify that your base-dn is valid.

3. Local users versus LDAP users

If you do not have a directory service, Console lets you create and manage Prisma Cloud-specific (or local) users and groups. Local users and groups refer to the users and groups created before OpenLDAP was integrated with Prisma Cloud or when OpenLDAP integration is disabled.

ldap group names are case sensitive.

If you have local users when you enable OpenLDAP integration, Console handles authentication using the following sequence:

  1. Prisma Cloud first tries to authenticate the user with the LDAP server.

  2. If Prisma Cloud fails to authenticate the user with the LDAP server, it tries to authenticate the user with the local database.

4. No users can be found in a group

Prisma Cloud searches for posixGroups and its memberUid’s. Make sure your group has the posixGroup objectClass.

  1. Query your directory for the group name:

    $ ldapsearch -x \
      -b dc=example,dc=com \
      -D "cn=<SA-CN>,dc=example,dc=com" \
      -w <SA-PASS> \
      "(cn=<group-cn>)"
  2. Inspect the output and verify that the group object has the required fields. For example, the following output comes from a query for the group ldap-admins. This group has the required posixGroup objectClass, and the the admin_user is listed as a member in the memberUid field.

    # ldap-admins, groups, example.com
    dn: cn=ldap-admins,dc=example,dc=com
    gidNumber: 500
    description: Ldap-admins
    objectClass: posixGroup
    objectClass: top
    cn: ldap-admins
    memberUid: admin_user
  3. Query the LDAP directory for the group member, and verify all fields are as expected. For example, the uid for John Smith is admin_user, which is also listed in the memberUid field for the ldap-admins group.

    # admin_user, example.com
    dn: cn=admin_user,dc=example,dc=com
    cn: admin_user
    givenName: John
    gidNumber: 500
    homeDirectory: /home/users/admin_user
    sn: Smith
    loginShell: /bin/sh
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    userPassword:: e01ENX00L1VKc1VGTWx3OWprMVA5Rmg2VWpBPT0=
    uidNumber: 1000
    uid: admin_user