The security appliance can use an LDAP directory for user authentication and supports three schemas: Microsoft Active Directory, RFC2798 inetOrgPerson, and RFC2307 Network Information Service.
1. Click Users > User Authentication.
2. Choose LDAP as the authentication method.
3. Click Configure to configure the LDAP settings.
4. In the Settings tab, enter the following information:
• IP Address: Enter the IP address of the LDAP server.
• Port Number: Enter the TCP port on which the LDAP server listens. Typically, plain LDAP uses 389 and LDAP over TLS (LDAPS) uses 636. The default is 389.
• Server Timeout: Enter the amount of time in seconds that the security appliance will wait for a response from the LDAP server before timing out. The default value is 5 seconds.
If the LDAP server does not respond within the timeout, the security appliance retries the login. For example, if the server timeout is set to 5 seconds and no response arrives within 5 seconds, the security appliance retries the login 5 seconds later.
• Login Method: Choose one of the following login methods:
– Anonymous Login: Choose this option if the LDAP server allows for the user tree to be accessed anonymously.
– Give Login Name or Location in Tree: Choose this option if the distinguished name that is used to bind to the LDAP server is built from the Primary Domain and User Tree for Login to Server fields in the Directory tab.
– Give Bind Distinguished Name: Choose this option if the distinguished name is already known. You must enter the full distinguished name that is used to bind to the LDAP server.
• Login User Name: If you choose Give Login Name or Location in Tree or Give Bind Distinguished Name as the login method, enter the user distinguished name of the account that can log into the LDAP server.
• Login Password: If you choose Give Login Name or Location in Tree or Give Bind Distinguished Name as the login method, enter the password of the account that can log into the LDAP server.
• Protocol Version: Choose the LDAP version from the drop-down list. The security appliance supports LDAP Version 2 and LDAP Version 3. Most LDAP directories, including Active Directory, use LDAP Version 3.
5. In the Schema tab, enter the following information:
• LDAP Schema: Choose one of the following schemas:
– Microsoft Active Directory
– RFC2798 inetOrgPerson
– RFC2307 Network Information Service
• User Objects: The following fields display the values used by the selected schema. The fields that are grayed out cannot be edited; you can change the editable fields if your LDAP schema deviates from the default.
– Object Class: The object class of the individual user account.
– Login Name Attribute: The attribute that is used for login authentication.
– Qualified Login Name Attribute: The attribute of a user object that sets an alternative login name for the user in name@domain format.
– User Group Membership Attribute: The membership attribute that contains information about the group to which the user object belongs. This option is only available for Microsoft Active Directory.
– Framed IP Address Attribute: The attribute to retrieve a static IP address that is assigned to a user in the directory.
• User Group Objects: The following fields display the values used by the selected schema.
– Object Class: The name associated with the group of attributes.
– Member Attribute: The attribute associated with a member.
6. In the Directory tab, enter the user directory information in the following fields:
• Primary Domain: Enter the user domain used by your LDAP implementation. All domain components use “dc=”. The domain is formatted as “dc=ExampleCorporation, dc=com”.
• User Tree for Login to Server: If you choose Give Login Name or Location in Tree as the login method in the Settings tab, specify the user tree that is used to log into the LDAP server.
• Trees Containing Users: Specify the user trees in the LDAP directory. To add an entry, click Add. To edit an entry, click the Edit (pencil) icon. To delete an entry, click Remove. To modify the priority of an entry in the tree, click the up arrow or the down arrow.
• Trees Containing User Groups: Specify the trees in the LDAP directory that contain user groups. These are only used when the schema's user object has no user group membership attribute, and are not used with Active Directory. To add an entry, click Add. To edit an entry, click Edit. To delete an entry, click Remove. To modify the priority of an entry in the tree, click the up arrow or the down arrow.
NOTE: All the above trees are given in the format of distinguished names (“cn=Users, dc=ExampleCorporation, dc=com”).
7. In the LDAP Users tab, enter the following information:
• Allow Only Users Listed Locally: Click On to allow only those LDAP users who are also present in the local database to log in, or click Off to disable this restriction.
• Default LDAP User Group: Choose a local user group as the default group to which the LDAP users belong. If the group does not exist in the local database when getting user group information from the LDAP server, the LDAP user will be automatically set to the specified local user group.
8. In the Test tab, enter the user’s credentials in the User and Password fields and then click Test to verify whether the LDAP user is valid.
9. Click OK to save your settings.
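The following Python model, added here as an illustration and not the appliance's own code, shows how the Schema, Directory and LDAP Users tab settings above combine into one login decision: the user trees are searched in priority order for an object of the schema's class whose login name attribute matches, group membership is read from the user object's membership attribute (Active Directory) or by scanning the group trees (the other two schemas), the Allow Only Users Listed Locally switch is applied, and the user lands in the local group mapped from an LDAP group or in the Default LDAP User Group. The directory is a constructed in-memory dict keyed by DN, the plaintext password comparison stands in for the LDAP bind, and the per-schema attribute names are the ones the standards define; that the appliance's grayed-out defaults are exactly these is an assumption.

```python
# Added model of the appliance's LDAP lookup; not vendor code.
from typing import Optional

# Attribute names per schema (assumed to match the appliance's read-only defaults).
SCHEMAS = {
    "Microsoft Active Directory": {
        "object_class": "user", "login_attr": "sAMAccountName",
        "membership_attr": "memberOf",            # user object lists its own groups
        "group_class": "group", "member_attr": "member", "member_is_dn": True},
    "RFC2798 inetOrgPerson": {
        "object_class": "inetOrgPerson", "login_attr": "uid",
        "membership_attr": None,                  # groups found via group trees
        "group_class": "groupOfNames", "member_attr": "member", "member_is_dn": True},
    "RFC2307 Network Information Service": {
        "object_class": "posixAccount", "login_attr": "uid",
        "membership_attr": None,
        "group_class": "posixGroup", "member_attr": "memberUid", "member_is_dn": False},
}

def normalize_dn(dn: str) -> str:
    """Canonical form so 'cn=Users, dc=ExampleCorporation, dc=com' compares equal
    to 'cn=users,dc=examplecorporation,dc=com' when matching tree suffixes."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def in_tree(dn: str, tree: str) -> bool:
    d, t = normalize_dn(dn), normalize_dn(tree)
    return d == t or d.endswith("," + t)

def find_user(directory: dict, schema: str, user_trees: list, login_name: str):
    """Search 'Trees Containing Users' in priority order; the first match wins."""
    s = SCHEMAS[schema]
    for tree in user_trees:
        for dn, attrs in directory.items():
            if (in_tree(dn, tree) and s["object_class"] in attrs.get("objectClass", [])
                    and attrs.get(s["login_attr"]) == login_name):
                return dn, attrs
    return None, None

def user_groups(directory: dict, schema: str, user_dn: str, attrs: dict, group_trees: list) -> list:
    """AD: read the membership attribute on the user object.
    Other schemas: scan 'Trees Containing User Groups' for groups naming the user."""
    s = SCHEMAS[schema]
    if s["membership_attr"]:
        return [normalize_dn(g) for g in attrs.get(s["membership_attr"], [])]
    key = normalize_dn(user_dn) if s["member_is_dn"] else attrs[s["login_attr"]]
    groups = []
    for tree in group_trees:
        for dn, gattrs in directory.items():
            if in_tree(dn, tree) and s["group_class"] in gattrs.get("objectClass", []):
                members = gattrs.get(s["member_attr"], [])
                if s["member_is_dn"]:
                    members = [normalize_dn(m) for m in members]
                if key in members:
                    groups.append(normalize_dn(dn))
    return groups

def authenticate(directory: dict, cfg: dict, local_users: set, local_groups: dict,
                 login_name: str, password: str) -> dict:
    """Outcome of one login. local_groups maps a normalized LDAP group DN to the
    local user group it corresponds to; unmapped users get cfg['default_group']."""
    dn, attrs = find_user(directory, cfg["schema"], cfg["user_trees"], login_name)
    # Constructed simplification: a plaintext compare stands in for the LDAP bind.
    if dn is None or attrs.get("userPassword") != password:
        return {"ok": False, "reason": "invalid credentials"}
    if cfg["allow_only_local"] and login_name not in local_users:
        return {"ok": False, "reason": "not in local database"}
    for g in user_groups(directory, cfg["schema"], dn, attrs, cfg["group_trees"]):
        if g in local_groups:
            return {"ok": True, "dn": dn, "group": local_groups[g]}
    return {"ok": True, "dn": dn, "group": cfg["default_group"]}

# Constructed sample directory and settings (RFC2307 schema), not real data.
DIRECTORY = {
    "uid=alice,ou=People,dc=ExampleCorporation,dc=com": {
        "objectClass": ["posixAccount"], "uid": "alice", "userPassword": "alice-pw"},
    "uid=bob,ou=Contractors,dc=ExampleCorporation,dc=com": {
        "objectClass": ["posixAccount"], "uid": "bob", "userPassword": "bob-pw"},
    "cn=vpn,ou=Groups,dc=ExampleCorporation,dc=com": {
        "objectClass": ["posixGroup"], "memberUid": ["alice"]},
}
CONFIG = {
    "schema": "RFC2307 Network Information Service",
    "user_trees": ["ou=People, dc=ExampleCorporation, dc=com",
                   "ou=Contractors, dc=ExampleCorporation, dc=com"],
    "group_trees": ["ou=Groups, dc=ExampleCorporation, dc=com"],
    "allow_only_local": False,
    "default_group": "guests",
}
LOCAL_GROUPS = {normalize_dn("cn=vpn,ou=Groups,dc=ExampleCorporation,dc=com"): "vpn-users"}

if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("alice", "wrong")):
        print(user, authenticate(DIRECTORY, CONFIG, set(), LOCAL_GROUPS, user, pw))
```

The tree matching is a suffix comparison on normalized DNs, which is why the NOTE above insists that trees are entered as full distinguished names; a tree entered without its domain components would never match any entry.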