SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell eDirectory Support
Document Scope

This document describes the integration of SonicOS Enhanced 3.2 with Lightweight Directory Access Protocol (LDAP) and how to configure a SonicWALL appliance to use LDAP for user authentication. This document contains the following sections:

• “LDAP Overview” on page 2
  – “LDAP Directory Services Supported in SonicOS Enhanced” on page 2
• “New LDAP Support in SonicOS 3.2” on page 4
  – “Support for LDAP Continuation References” on page 4
  – “Support for the NIS and Samba SMB Schemas” on page 7
  – “CHAP Support for L2TP Server Users with LDAP” on page 8
  – “Schema Download from the LDAP Server” on page 9
  – “Support for RFC1779 Escapes in User Group Names” on page 10
• “Configuring LDAP integration in SonicOS Enhanced” on page 11
  – “Before you begin” on page 11
  – “Configuring the SonicWALL Appliance for LDAP” on page 12
  – “Further Information on LDAP Schemas” on page 19
• “RADIUS with LDAP for user groups” on page 20

SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module

1

LDAP Overview
Lightweight Directory Access Protocol (LDAP) defines a directory services structure for storing and managing information about elements in your network, such as user accounts, user groups, hosts, and servers. Several different standards exist that use LDAP to manage user accounts, groups, and permissions. Some are proprietary systems, like Microsoft Active Directory, which you can manage using LDAP. Some are open standards, like Samba, which are implementations of the LDAP standards. Some are proprietary systems, like Novell eDirectory, which provide an LDAP API for managing the user repository information. In addition to RADIUS and the local user database, SonicOS Enhanced supports LDAP, Microsoft Active Directory (AD), and Novell eDirectory directory services for user authentication.

LDAP Directory Services Supported in SonicOS Enhanced
In order to integrate with the most common directory services used in company networks, SonicOS Enhanced supports integration with the following LDAP schemas:
• Microsoft Active Directory
• RFC2798 InetOrgPerson
• RFC2307 Network Information Service
• Samba SMB
• Novell eDirectory
• User-defined schemas

SonicOS Enhanced provides support for directory servers running the following protocols:
• LDAPv2 (RFC3494)
• LDAPv3 (RFC2251-2256, RFC3377)
• LDAPv3 over TLS (RFC2830)
• LDAPv3 with STARTTLS (RFC2830)
• LDAP Referrals (RFC2251)

LDAP Terms
The following terms are useful when working with LDAP and its variants:
• Schema – The schema is the set of rules or the structure that defines the types of data that can be stored in a directory, and how that data can be stored. Data is stored in the form of ‘entries’.
• Active Directory (AD) – The Microsoft directory service, commonly used with Windows-based networking. Microsoft Active Directory is compatible with LDAP.
• eDirectory – The Novell directory service, used for Novell NetWare-based networking. Novell eDirectory has an LDAP gateway that can be used for management.
• Entry – The data that is stored in the LDAP directory. Entries are stored in ‘attribute’/value (or name/value) pairs, where the attributes are defined by ‘object classes’. A sample entry would be ‘cn=john’ where ‘cn’ (common name) is the attribute, and ‘john’ is the value.
• Object class – Object classes define the type of entries that an LDAP directory may contain. A sample object class, as used by AD, would be ‘user’ or ‘group’.


Microsoft Active Directory’s Classes can be browsed at <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/classes_all.asp>
• Object – In LDAP terminology, the entries in a directory are referred to as objects. For the purposes of the SonicOS implementation of the LDAP client, the critical objects are ‘User’ and ‘Group’ objects. Different implementations of LDAP can refer to these object classes in different fashions. For example, Active Directory refers to the user object as ‘user’ and the group object as ‘group’, while RFC2798 refers to the user object as ‘inetOrgPerson’ and the group object as ‘groupOfNames’.
• Attribute – A data item stored in an object in an LDAP directory. The object can have required attributes or allowed attributes. For example, the ‘dc’ attribute is a required attribute of the ‘dcObject’ (domain component) object.
• dn – A ‘distinguished name’, which is a globally unique name for a user or other object. It is made up of a number of components, usually starting with a common name (cn) component and ending with a domain specified as two or more domain components (dc), for example ‘cn=john,cn=users,dc=domain,dc=com’.
• cn – The ‘common name’ attribute is a required component of many object classes throughout LDAP.
• ou – The ‘organizational unit’ attribute is a required component of most LDAP schema implementations.
• dc – The ‘domain component’ attribute is commonly found at the root of a distinguished name, and is commonly a required attribute.
• TLS – Transport Layer Security is the IETF standardized version of SSL (Secure Sockets Layer). TLS 1.0 is the successor to SSL 3.0.

New LDAP Support in SonicOS 3.2
SonicOS Enhanced 3.2 adds five new features to its LDAP support:
• Support for LDAP Continuation References
• Support for the NIS and Samba SMB Schemas
• CHAP Support for L2TP Server Users with LDAP
• Schema Download from the LDAP Server
• Support for RFC1779 Escapes in User Group Names

Support for LDAP Continuation References
Support for Continuation References is added to LDAP in SonicOS 3.2 enhanced firmware. SonicOS 3.1 enhanced firmware supports LDAP Referrals but not Continuation References. LDAP Referrals and Continuation References allow the SonicWALL to access LDAP directories on multiple LDAP servers through a single LDAP server. Support of Referrals and References is provided by OpenLDAP.

Usually, the directory is split between multiple LDAP servers by domain, with each server hosting an entire domain. The client is configured with a single primary LDAP server to which it sends its requests. Should the request require access to a part of the directory that is not hosted on that server, the server will return a referral giving the location of a different server to try. In the case of a search request, should the search encompass a part of the directory that is not hosted on that server in addition to the part that is, then it will return a reference giving the location of a different server to try for more results. This is most frequently used for access to directories in sub (child) domains through the LDAP server for the parent domain.

LDAP Referrals and References allow the SonicWALL UTM appliance access to directories hosted on different LDAP servers without the additional complexity of configuring for all of them. Continuation References are similar to Referrals but are returned in search results to indicate that more results may be obtained by continuing the search on other given LDAP servers.

Login to any secondary servers will use the same credentials (name, password and location in the directory tree) as the primary LDAP server. To log in, those credentials will be used with each of the domains (other than the primary domain) from the configured user trees in turn. Once login is successful the domain used will be recorded for future use by the secondary server.

Note: This may require creating a matching user account on each of the LDAP servers especially for the use of the SonicWALL.

Using Continuation References
To simplify configuration in a small installation with sub domains, just one user and/or user group tree search can be configured. The tree search is set to the top of the directory tree on the parent domain (the parent domain itself). Continuation references to child domains under the parent domain are returned during user authentication and allow user authentication searches to encompass those users in sub domains of the parent domain. Continuation references returned during auto-configuration of the user and user group trees are now followed. This allows the parent and all sub domains to be auto-configured in a single operation.

Use LDAP Continuation References when you have user trees on multiple servers, for example:
• server1.mydomain.com/users
• server2.mydomain.com/users
• server3.location2.mydomain.com/users
• server4.location3.mydomain.com/users

Configuring LDAP Continuation References
To configure SonicOS Enhanced 3.2 with LDAP Continuation References:
1. In the Users > Settings page of the administration interface, select LDAP or LDAP + Local Users for Authentication Method and click Configure.
2. In the LDAP Configuration dialog box, in the Directory tab, enter the name of your primary domain only in the Primary Domain, Trees Containing Users, and Trees Containing User Groups fields. When searching for a user, it will automatically search all servers and sub domains within your primary domain.

LDAP Continuation References with Large User Trees
If you have a large user tree, it can be less efficient to use LDAP Continuation References. For example, if you have a server at your primary location with a very large user tree and one at a second location where you only have a few people:
• headquarters.mydomain.com/users – 2,000 users
• location2.mydomain.com/users – 25 users
In this case, it would be best to have separate user and group trees configured for headquarters.mydomain.com, while a single “location2.mydomain.com” entry would suffice for the server with the smaller tree. In this case it is more efficient to configure the servers and user trees manually into the LDAP settings.
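The following is an added example, not SonicWALL code, that simulates the referral and continuation-reference behaviour described in the preceding sections: a client binds to a primary server, the search returns the local matches plus one continuation reference per child domain hosted elsewhere, and the client follows each reference reusing the same name, password and tree location with only the domain part of its bind DN changed, recording the domain that worked for each host. The servers, domains, user entries and bind credentials are all constructed for illustration; the third server deliberately lacks a matching account, which is the case the Note above warns about.

```python
from dataclasses import dataclass, field


@dataclass
class DirectoryServer:
    """One simulated LDAP server hosting exactly one domain (constructed)."""
    host: str
    base_dn: str                                       # e.g. "dc=mydomain,dc=com"
    users: dict = field(default_factory=dict)          # uid -> user DN held here
    bind_accounts: dict = field(default_factory=dict)  # bind DN -> password accepted
    children: dict = field(default_factory=dict)       # child domain DN -> host serving it

    def bind(self, bind_dn: str, password: str) -> bool:
        return self.bind_accounts.get(bind_dn) == password

    def search(self, base_dn: str, uid: str):
        """Subtree search: local matches plus continuation references for
        child domains that fall inside the searched scope but live elsewhere."""
        entries = [self.users[uid]] if uid in self.users else []
        refs = [(host, child_dn) for child_dn, host in self.children.items()
                if child_dn.endswith("," + base_dn)]
        return entries, refs


def domain_of(dn: str) -> str:
    """'dc=location2,dc=mydomain,dc=com' -> 'location2.mydomain.com'."""
    return ".".join(p[3:] for p in dn.split(",") if p.startswith("dc="))


def build_demo_servers():
    """Constructed topology: parent domain plus two child domains on their own servers."""
    return {
        "ldap.mydomain.com": DirectoryServer(
            "ldap.mydomain.com", "dc=mydomain,dc=com",
            users={"alice": "cn=alice,cn=users,dc=mydomain,dc=com"},
            bind_accounts={"cn=sonicwall,cn=users,dc=mydomain,dc=com": "s3cret"},
            children={"dc=location2,dc=mydomain,dc=com": "ldap.location2.mydomain.com",
                      "dc=location3,dc=mydomain,dc=com": "ldap.location3.mydomain.com"}),
        "ldap.location2.mydomain.com": DirectoryServer(
            "ldap.location2.mydomain.com", "dc=location2,dc=mydomain,dc=com",
            users={"bob": "cn=bob,cn=users,dc=location2,dc=mydomain,dc=com"},
            bind_accounts={"cn=sonicwall,cn=users,dc=location2,dc=mydomain,dc=com": "s3cret"}),
        # No matching 'sonicwall' account here: this subtree cannot be searched.
        "ldap.location3.mydomain.com": DirectoryServer(
            "ldap.location3.mydomain.com", "dc=location3,dc=mydomain,dc=com",
            users={"carol": "cn=carol,cn=users,dc=location3,dc=mydomain,dc=com"}),
    }


def find_user(servers, primary_host, login_cn, password, login_tree, uid, domain_cache=None):
    """Search for `uid` from the primary server outward, following continuation
    references with the same credentials. Returns (matching DNs, hosts skipped
    because the bind failed). `domain_cache` records the domain used per host."""
    if domain_cache is None:
        domain_cache = {}
    found, skipped, visited = [], [], set()
    pending = [(primary_host, servers[primary_host].base_dn)]
    while pending:
        host, base_dn = pending.pop(0)
        if (host, base_dn) in visited:          # guard against reference loops
            continue
        visited.add((host, base_dn))
        server = servers[host]
        # Same name, tree and password; only the domain part follows the reference.
        bind_dn = "cn=%s,%s,%s" % (login_cn, login_tree, server.base_dn)
        if not server.bind(bind_dn, password):
            skipped.append(host)
            continue
        domain_cache[host] = domain_of(server.base_dn)
        entries, refs = server.search(base_dn, uid)
        found.extend(entries)
        pending.extend(refs)
    return found, skipped


if __name__ == "__main__":
    cache = {}
    print(find_user(build_demo_servers(), "ldap.mydomain.com", "sonicwall", "s3cret", "cn=users", "bob", cache))
    print(cache)
```

Because the primary server's own tree is searched first and every reference costs a further bind and search, the efficiency point made above for large user trees follows directly: a directory where nearly everyone lives on the primary server gains little from references and pays for each extra hop.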

Support for the NIS and Samba SMB Schemas
SonicOS Enhanced 3.2 supports the RFC 2307 Network Information Service (NIS) schema and the Samba SMB schema that is derived from it. RFC2307 Network Information Service is a mechanism for mapping network entities related to TCP/IP and the UNIX system, such as network hosts and Unix user accounts, to LDAP. Samba Server Message Block Protocol (SMB) provides a method for client applications on a computer to read and write files to the network and to request services from server programs in a network.

Using NIS and Samba SMB
In the Schema tab of the LDAP Configuration dialog box, select either RFC2307 Network Information Service or Samba SMB from the LDAP Schema list.

When you select RFC2307 Network Information Service, the following fields are pre-populated:
• User Objects:
  – Object class: posixAccount
  – Login name attribute: uid
• User Group Objects:
  – Object class: posixGroup
  – Member attribute: memberUid is: User ID

When you select Samba SMB, the following fields are pre-populated:
• User Objects:
  – Object class: sambaSAMAccount
  – Login name attribute: uid
• User Group Objects:
  – Object class: sambaGroupMapping
  – Member attribute: memberUid is: User ID

CHAP Support for L2TP Server Users with LDAP
CHAP (Challenge-Handshake Authentication Protocol) is a secure procedure for authenticating a user. CHAP is defined in RFC1334, available at <http://rfc.net/rfc1334.html>. CHAP is more secure than regular password authentication, because CHAP requires a two-way handshake for authentication. In CHAP:
1. After the initial link is made, the server sends a challenge message to the connection requestor.
2. The requestor responds with a value obtained by using a one-way hash function.
3. The server checks the response by comparing it to its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection is terminated.
At any time, the server can request the connected party to send a new challenge message.

SonicOS 3.2 allows CHAP authentication directly with LDAP in cases where the LDAP server can be configured to return user passwords to the SonicWALL appliance. In some cases, this may require the LDAP server to be configured to store passwords reversibly.

Note: Microsoft Active Directory does not support CHAP authentication with SonicWALL appliances.

Testing CHAP Authentication
In the Test tab of the LDAP Configuration dialog box, select the CHAP choice for Test. When configured for LDAP, the default values to test CHAP are:
User: CHAP
Password: MSCHAP
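The three-step exchange above, carried through in code as an added example (not SonicWALL or LDAP-server code): the authenticator issues an identifier and a random challenge, the peer answers with MD5 over identifier, secret and challenge as RFC 1994 specifies for MD5-CHAP, and the authenticator recomputes the same value from the password it holds. The `PASSWORDS` dict is a constructed stand-in for the plaintext password the LDAP server must be able to return, which is exactly why the text says the server may have to store passwords reversibly.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP MD5 response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: hands out challenges and verifies the peer's responses.
    `password_lookup(name)` must return the user's plaintext password (or None);
    CHAP cannot verify anything from a one-way password hash."""

    def __init__(self, password_lookup):
        self._lookup = password_lookup
        self._identifier = 0
        self._outstanding = {}        # identifier -> challenge still awaiting a response

    def challenge(self, challenge: bytes = None):
        self._identifier = (self._identifier + 1) & 0xFF
        if challenge is None:
            challenge = os.urandom(16)   # fresh and unpredictable, so responses cannot be replayed
        self._outstanding[self._identifier] = challenge
        return self._identifier, challenge

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        challenge = self._outstanding.pop(identifier, None)   # each challenge is usable once
        secret = self._lookup(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret.encode(), challenge)
        return hmac.compare_digest(expected, response)         # constant-time comparison


class ChapPeer:
    """Client side: knows its own name and password, never sends the password itself."""

    def __init__(self, name: str, password: str):
        self.name = name
        self._password = password

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._password.encode(), challenge)


def run_exchange(authenticator: ChapAuthenticator, peer: ChapPeer, challenge: bytes = None) -> bool:
    """Steps 1-3 of the handshake; returns True when the authenticator acknowledges."""
    identifier, chal = authenticator.challenge(challenge)     # 1. challenge
    response = peer.respond(identifier, chal)                  # 2. hashed response
    return authenticator.verify(peer.name, identifier, response)   # 3. compare


# Constructed password store standing in for what the LDAP server returns.
PASSWORDS = {"alice": "s3cret"}

if __name__ == "__main__":
    auth = ChapAuthenticator(PASSWORDS.get)
    print("alice/s3cret ->", run_exchange(auth, ChapPeer("alice", "s3cret")))
    print("alice/wrong  ->", run_exchange(auth, ChapPeer("alice", "wrong")))
```

The design choice worth noticing is in `verify`: the challenge is removed from the outstanding table before the comparison, so a captured response is useless a second time, and the hash comparison is constant-time.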

Schema Download from the LDAP Server
In SonicOS Enhanced 3.2, you can read details of the schema from the LDAP server. If you are uncertain of your organization’s LDAP schema, this provides a useful tool for examining the schema. You can also use the downloaded schema as a template for modifying a custom LDAP schema.

Before you can download the schema, you must have configured in the LDAP Configuration dialog box:
• The correct name or address of the LDAP server entered in the Settings tab.
• The correct schema selected in the Schema tab.
• The correct primary domain, user trees, and user group trees in the Directory tab.

Downloading the Schema Definition
In the Schema tab of the LDAP Configuration dialog box, click the Read From Server button to download the schema. You can choose to either export the information to a file with a name of ldapSchema_xxx.wri (where xxx is from the SonicWALL appliance’s serial number), or you can have SonicOS use the information to automatically select the correct schema in the LDAP configuration.

Support for RFC1779 Escapes in User Group Names
SonicOS Enhanced 3.2 has added support for RFC1779 special character escapes in group names. Certain characters require escaping when sent in LDAP requests, as per RFC1779. Prior to 3.2, SonicOS Enhanced only supported RFC1779 escapes in user names, and that was not previously done for user group names. This meant that user group names containing characters such as commas would not be recognized when returned from the LDAP server to the SonicWALL.

RFC1779 escapes are required for names containing the following characters: , + = " < > # ;

You do not need to configure SonicOS Enhanced to use these escapes. When SonicOS Enhanced encounters a user name or group name containing a character requiring an escape, it automatically sends it to or reads it from the LDAP server with the correct RFC1779 escape. For more information, see http://rfc.net/rfc1779.html.
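An added example, not SonicWALL code, of what the escaping above does and why it matters for group names: `escape_name` backslash-escapes the RFC 1779 special characters before a name is placed in a request, and `split_dn` reads a DN returned by the server while honouring both backslash escapes and RFC 1779 double-quoted values, so a group named `Sales, EMEA` comes back as one name rather than two fragments. `naive_group_cn` reproduces the pre-3.2 failure the text describes, in which a comma inside the name is mistaken for an RDN separator. All group names and DNs below are constructed.

```python
# RFC 1779 special characters (the list above) plus the backslash used to escape them.
SPECIAL = set(',+="<>#;\\')


def escape_name(value: str) -> str:
    """Backslash-escape every RFC 1779 special character in an RDN value."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def split_dn(dn: str):
    """Split a DN into (attribute, value) pairs.

    Only an unescaped, unquoted comma separates RDNs; '\\,' and commas inside
    a double-quoted value are part of the name. Multi-valued RDNs ('+') are not
    handled, which is fine for the user and group DNs discussed here.
    """
    components, current, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: take it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':                         # RFC 1779 also allows quoting a whole value
            quoted = not quoted
        elif ch == "," and not quoted:        # end of this RDN
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))
    pairs = []
    for comp in components:
        attr, _, value = comp.strip().partition("=")
        pairs.append((attr.strip(), value))
    return pairs


def group_cn(group_dn: str) -> str:
    """The group's name as it should be matched against a configured group name."""
    for attr, value in split_dn(group_dn):
        if attr.lower() == "cn":
            return value
    raise ValueError("no cn in %r" % group_dn)


def naive_group_cn(group_dn: str) -> str:
    """The escape-unaware reading: splits on every comma, so 'Sales, EMEA' breaks."""
    return group_dn.split(",")[0].partition("=")[2]


if __name__ == "__main__":
    dn = "cn=%s,ou=Groups,dc=mydomain,dc=com" % escape_name("Sales, EMEA")   # constructed
    print(dn)
    print("escape-aware :", group_cn(dn))
    print("escape-unaware:", naive_group_cn(dn))
```

A SonicWALL group named `Sales, EMEA` only matches the directory group when the name is read the escape-aware way; the naive reading yields `Sales\` and the membership is silently not granted, which is the symptom described above for firmware before 3.2.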

Configuring LDAP integration in SonicOS Enhanced
Integrating your SonicWALL appliance with an LDAP directory service requires configuring your LDAP server to accept the management connection, installing the correct certificate on your SonicWALL appliance, and configuring the SonicWALL appliance to use the information from the LDAP Server.

Before you begin
Before beginning your LDAP configuration, you should prepare your LDAP server and your SonicWALL for LDAP over TLS support. This requires:
• Installing a server certificate on your LDAP server.
• Installing a CA (Certificate Authority) certificate for the issuing CA on your SonicWALL appliance.

To perform these tasks in an Active Directory environment:
1. Configuring the CA on the Active Directory server (skip steps a. through e. if Certificate Services are already installed):
  a. Navigate to Start>Settings>Control Panel>Add/Remove Programs
  b. Select ‘Add/Remove Windows Components’
  c. Select ‘Certificate Services’
  d. Select ‘Enterprise Root CA’ when prompted.
  e. Enter the requested information. For detailed information on CA setup, see http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
  f. Launch the ‘Domain Security Policy’ application: ‘Start>Run>dompol.msc’
  g. Open ‘Security Settings > Public Key Policies’
  h. Right click on ‘Automatic Certificate Request Settings’
  i. Select ‘New > Automatic Certificate Request’
  j. Step through the wizard, and select ‘Domain Controller’ from the list.
2. Exporting the CA certificate from the AD server:
  a. Launch the ‘Certification Authority’ application: Start>Run>certsrv.msc
  b. Right click on the CA you created, select ‘properties’
  c. On the ‘General’ tab, click the ‘View Certificate’ button
  d. From the ‘Details’ tab, select ‘Copy to File’
  e. Step through the wizard, select the ‘Base-64 Encoded X.509 (.cer)’ format
  f. Specify a path and filename to which to save the certificate.
3. Importing the CA certificate onto the SonicWALL:
  a. Browse to ‘System > CA Certificates’
  b. Select ‘Add new CA certificate’
  c. Browse to and select the certificate file you just exported
  d. Click the ‘Import certificate’ button.

Configuring the SonicWALL Appliance for LDAP
The Users > Settings page in the administrative interface provides the settings for managing your LDAP integration:
1. In the SonicOS administrative interface, open the Users > Settings page.
2. In the Authentication Method list, select either LDAP or LDAP + Local Users.
3. Click Configure.
4. If you are connected to your SonicWALL appliance via HTTP rather than HTTPS, you will see a warning offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface you are connected to (recommended), click Yes.
5. In the Settings tab of the LDAP Configuration window, configure:

– Name or IP Address – Enter the FQDN or the IP address of the LDAP server against which you wish to authenticate. If using a name, be certain it can be resolved by your DNS server. Also, if using TLS with the ‘Require valid certificate from server’ option, the name provided here must match the name to which the server certificate was issued (i.e. the CN) or the TLS exchange will fail.
– Port Number – The default LDAP over TLS port number is TCP 636. The default LDAP (unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP server, specify it here.
– Server timeout – The amount of time, in seconds, that the SonicWALL will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999 (in case you’re running your LDAP server on a VIC-20 located on the moon), with a default of 10 seconds.
– Anonymous Login – Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (MSAD generally does not), then you may select this option.
– Login name – Specify a user name which has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full ‘dn’ notation. This can be any account with LDAP read privileges (essentially any user account) – Administrative privileges are not required. Note that this is the user’s name, not their login ID (e.g. John Smith rather than jsmith). Note that only read access to the directory is required. This may entail creating a special user in the directory for the SonicWALL login. If your network uses multiple LDAP/AD servers with referrals, then select one as the primary server (probably the one that holds the bulk of the users) and use the above settings for that server. It will then refer the SonicWALL on to the other servers for users in domains other than its own. For the SonicWALL to be able to log in to those other servers, each server must have a user configured with the same credentials (user name, password and location in the directory) as per the login to the primary server.
– Login password – The password for the user account specified above.
– Protocol version – Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP, including AD, employ LDAPv3.
– Use TLS – Use Transport Layer Security (SSL) to log in to the LDAP server. It is strongly recommended that TLS be used to protect the username and password information that will be sent across the network. Most modern implementations of LDAP server, including AD, support TLS. Deselecting this default setting will provide an alert which must be accepted to proceed.
– Send LDAP ‘Start TLS’ Request – Some LDAP server implementations support the Start TLS directive rather than using native LDAP over TLS. This allows the LDAP server to listen on one port (normally 389) for LDAP connections, and to switch to TLS as directed by the client. AD does not use this option, and it should only be selected if required by your LDAP server.
– Require valid certificate from server – Validates the certificate presented by the server during the TLS exchange, matching the name specified above to the name on the certificate. Deselecting this default option will present an alert, but exchanges between the SonicWALL and the LDAP server will still use TLS – only without issuance validation.
– Local certificate for TLS – Optional, to be used only if the LDAP server requires a client certificate for connections. Useful for LDAP server implementations that return passwords to ensure the identity of the LDAP client (AD does not return passwords). This setting is not required for AD.

6. Select the Schema tab:
– LDAP Schema – select Microsoft Active Directory, RFC2798 inetOrgPerson, RFC2307 Network Information Service, Samba SMB, Novell eDirectory, or user-defined. Selecting any of the predefined schemas will automatically populate the fields used by that schema with their correct values. Selecting ‘user-defined’ will allow you to specify your own values – use this only if you have a specific or proprietary LDAP schema configuration.
– Object class – this defines which attribute represents the individual user account to which the next two fields apply: sAMAccountName for Microsoft Active Directory, inetOrgPerson for RFC2798 inetOrgPerson, posixAccount for RFC2307 Network Information Service, sambaSAMAccount for Samba SMB, inetOrgPerson for Novell eDirectory.
– Login name attribute – this defines which attribute is used for login authentication.
– Qualified login name attribute – if not empty, this specifies an attribute of a user object that sets an alternative login name for the user in name@domain format. This may be needed with multiple domains in particular, where the simple login name may not be unique across domains. This is set to mail for Microsoft Active Directory and RFC2798 inetOrgPerson.
– User group membership attribute – this attribute contains the information in the user object of which groups it belongs to. This is memberOf in Microsoft Active Directory. The other pre-defined schemas store group membership information in the group object rather than the user object, and therefore do not use this field.
– Framed IP address attribute – this attribute can be used to retrieve a static IP address that is assigned to a user in the directory. Currently it is only used for a user connecting via L2TP with the SonicWALL’s L2TP server. In future this may also be supported for Global VPN Client. In Active Directory the static IP address is configured on the Dial-in tab of a user’s properties.
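As an added example (not SonicWALL code), the following turns the Schema tab settings into the two LDAP searches a client actually issues: the filter that locates the user entry from the object class and login name attribute, and the way group membership is found, either by reading the user group membership attribute from the user entry (Active Directory's `memberOf`) or, for schemas that keep membership in the group object, by searching the group trees for groups whose member attribute names the user. The table holds only values stated on this page for Active Directory (`user`, `sAMAccountName`, `memberOf`, `group`), RFC2307 NIS and Samba SMB. The RFC 4515 escaping of the login name is my addition, not something the page describes; it keeps a login name containing filter metacharacters from changing the meaning of the search.

```python
# Values taken from this document's schema descriptions.
SCHEMAS = {
    "Microsoft Active Directory": {
        "user_class": "user", "login_attr": "sAMAccountName",
        "membership_attr": "memberOf",      # groups are listed in the user object
        "group_class": "group", "member_attr": None,
    },
    "RFC2307 Network Information Service": {
        "user_class": "posixAccount", "login_attr": "uid",
        "membership_attr": None,            # membership lives in the group object
        "group_class": "posixGroup", "member_attr": "memberUid",
    },
    "Samba SMB": {
        "user_class": "sambaSAMAccount", "login_attr": "uid",
        "membership_attr": None,
        "group_class": "sambaGroupMapping", "member_attr": "memberUid",
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_filter(schema_name: str, login: str) -> str:
    """Filter used to find the user's entry in the 'Trees containing users'."""
    s = SCHEMAS[schema_name]
    return "(&(objectClass=%s)(%s=%s))" % (
        s["user_class"], s["login_attr"], escape_filter_value(login))


def group_lookup(schema_name: str, login: str):
    """How the user's groups are obtained for this schema.

    Returns ("attribute", name) when the groups are read from the user entry,
    or ("search", filter) when the group trees must be searched instead.
    """
    s = SCHEMAS[schema_name]
    if s["membership_attr"]:
        return ("attribute", s["membership_attr"])
    return ("search", "(&(objectClass=%s)(%s=%s))" % (
        s["group_class"], s["member_attr"], escape_filter_value(login)))


if __name__ == "__main__":
    for name in SCHEMAS:
        print(name)
        print("  user :", user_filter(name, "jsmith"))          # constructed login
        print("  groups:", group_lookup(name, "jsmith"))
    # A login name carrying filter syntax is neutralised rather than interpreted.
    print(user_filter("Microsoft Active Directory", "*)(sAMAccountName=*"))
```

The `memberOf` path needs one read of the user entry, while the search path needs a second query across every configured group tree, which is the efficiency difference the LDAP Users tab description later attributes to Active Directory.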

7. Select the Directory tab.
– Primary Domain – Specify the user domain used by your LDAP implementation. For AD, this will be the Active Directory domain name, e.g. yourADdomain.com. Changes to this field will, optionally, automatically update the tree information in the rest of the page. This is set to mydomain.com by default for all schemas except Novell eDirectory, for which it is set to o=mydomain.
– User tree for login to server – The tree in which the user specified in the ‘Settings’ tab resides. For example, in AD the ‘administrator’ account’s default tree is the same as the user tree.
– Trees containing users – The trees where users commonly reside in the LDAP directory. One default value is provided which can be edited, and up to a total of 64 DN values may be provided. The SonicWALL searches the directory using them all until a match is found, or the list is exhausted. If you have created other user containers within your LDAP or AD directory, you should specify them here.
– Trees containing user groups – Same as above, only with regard to user group containers, and a maximum of 32 DN values may be provided. These are only applicable when there is no user group membership attribute in the schema's user object, and are not used with AD.

All the above trees are normally given in URL format but can alternatively be specified as distinguished names (e.g. “myDom.com/Sales/Users” could alternatively be given as the DN “ou=Users,ou=Sales,dc=myDom,dc=com”). The latter form will be necessary if the DN does not conform to the normal formatting rules as per that example. In Active Directory the URL corresponding to the distinguished name for a tree is displayed on the Object tab in the properties of the container at the top of the tree.

Note: AD has some built-in containers that do not conform (e.g. using ‘cn’ rather than ‘ou’) but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format. For example, the DN for the top level Users container is formatted as “cn=Users,dc=…”.

Ordering is not critical, but since they are searched in the given order it is most efficient to place the most commonly used trees first in each list. If referrals between multiple LDAP servers are to be used, then the trees are best ordered with those on the primary server first, and the rest in the same order that they will be referred.
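An added example, not SonicWALL code, of the URL-to-DN conversion the text describes: `url_to_dn` turns `myDom.com/Sales/Users` into `ou=Users,ou=Sales,dc=myDom,dc=com`, escapes any RFC 1779 special characters in container names, and, when told the directory is Active Directory, emits the `cn=` form for the built-in top-level containers. Which containers get `cn` is an assumption made here: the page names only Users, and Computers and Builtin are added from general Active Directory knowledge. `order_trees` applies the ordering advice above, placing trees on the primary domain's server first while leaving the rest in the order given. All URLs are constructed.

```python
# AD built-in containers that are 'cn=' rather than 'ou=' at the top of the domain.
# 'Users' is from this document; 'Computers' and 'Builtin' are assumed from AD practice.
AD_CN_CONTAINERS = {"Users", "Computers", "Builtin"}

# RFC 1779 special characters plus the backslash that escapes them.
SPECIAL = set(',+="<>#;\\')


def _escape(value: str) -> str:
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def url_to_dn(url: str, active_directory: bool = False) -> str:
    """'myDom.com/Sales/Users' -> 'ou=Users,ou=Sales,dc=myDom,dc=com'.

    The path is reversed because a DN lists the most specific component first.
    With active_directory=True a known built-in container directly under the
    domain becomes 'cn=', e.g. 'yourADdomain.com/Users' -> 'cn=Users,dc=...'.
    """
    domain, _, path = url.strip("/").partition("/")
    containers = [p for p in path.split("/") if p]
    rdns = []
    for depth, name in enumerate(reversed(containers)):
        is_top = depth == len(containers) - 1          # directly beneath the domain
        attr = "cn" if active_directory and is_top and name in AD_CN_CONTAINERS else "ou"
        rdns.append("%s=%s" % (attr, _escape(name)))
    rdns.extend("dc=%s" % _escape(label) for label in domain.split("."))
    return ",".join(rdns)


def order_trees(urls, primary_domain: str):
    """Stable sort: trees whose domain is the primary domain first, others
    left in the order given (the order in which they will be referred)."""
    def on_primary(url):
        return 0 if url.split("/", 1)[0].lower() == primary_domain.lower() else 1
    return sorted(urls, key=on_primary)


if __name__ == "__main__":
    print(url_to_dn("myDom.com/Sales/Users"))
    print(url_to_dn("yourADdomain.com/Users", active_directory=True))
    print(url_to_dn("myDom.com/Sales, EMEA/Users"))
    print(order_trees(["location2.mydomain.com/users", "mydomain.com/users"], "mydomain.com"))
```

A container name such as `Sales, EMEA` is the case where the page says the DN form becomes necessary; the generated DN `ou=Users,ou=Sales\, EMEA,dc=myDom,dc=com` shows the escape that has to be present for it to be parsed correctly.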

– Auto-configure – This causes the SonicWALL to auto-configure the ‘Trees containing users’ and ‘Trees containing user groups’ fields by scanning through the directory/directories looking for all trees that contain user objects. The ‘User tree for login to server’ must first be set, and clicking the Auto-configure button then brings up the following dialog:
8. Select whether to append new located trees to the current configuration, or to start from scratch removing all currently configured trees first, and then click OK.
Note that it will quite likely locate trees that are not needed for user login and some tidying up afterwards, manually removing such entries, is worthwhile. If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the ‘Domain to search’ accordingly and selecting ‘Append to existing trees’ on each subsequent run.

Note: When working with AD, to determine the location of a user in the directory for the ‘User tree for login to server’ field, the directory can be searched manually from the Active Directory Users and Settings control panel applet on the server, or a directory search utility such as queryad.vbs in the Windows NT/2000/XP Resource Kit can be run from any PC in the domain.

9. Select the LDAP Users tab.
– Default LDAP User Group – A default group on the SonicWALL to which LDAP users will belong in addition to group memberships configured on the LDAP server.
– Allow only users listed locally – Requires that LDAP users also be present in the SonicWALL local user database for logins to be allowed.
– User group membership can be set locally by duplicating LDAP user names – Allows for group membership (and privileges) to be determined by the intersection of local user and LDAP user configurations.

Group memberships (and privileges) can also be assigned simply with LDAP. By creating user groups on the LDAP/AD server with the same name as SonicWALL built-in groups (such as ‘Guest Services’, ‘Content Filtering Bypass’, ‘Limited Administrators’) and assigning users to these groups in the directory, or creating user groups on the SonicWALL with the same name as existing LDAP/AD user groups, SonicWALL group memberships will be granted upon successful LDAP authentication. The SonicWALL appliance can retrieve group memberships more efficiently in the case of Active Directory by taking advantage of its unique trait of returning a ‘memberOf’ attribute for a user.

10. Select the LDAP Relay tab.
The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site with an LDAP/AD server and a central SonicWALL, with remote satellite sites connected into it via low-end SonicWALL security appliances that may not support LDAP. In that case the central SonicWALL can operate as a RADIUS server for the remote SonicWALLs, acting as a gateway between RADIUS and LDAP, and relaying authentication requests from them to the LDAP server. Additionally, for remote SonicWALLs running non-enhanced firmware, with this feature the central SonicWALL can return legacy user privilege information to them based on user group memberships learned via LDAP. This avoids what can be very complex configuration of an external RADIUS server such as IAS for those SonicWALLs.
– Enable RADIUS to LDAP Relay – Enables this feature.
– Allow RADIUS clients to connect via – Check the relevant checkboxes and policy rules will be added to allow incoming RADIUS requests accordingly.
– RADIUS shared secret – This is a shared secret common to all remote SonicWALLs.
– User groups for legacy users – These define the user groups that correspond to the legacy ‘Access to VPNs’, ‘Access from VPN client with XAUTH’, ‘Access from L2TP VPN client’ and ‘Allow Internet access (when access is restricted)’ privileges respectively. When a user in one of the given user groups is authenticated, the remote SonicWALL will be informed that the user is to be given the relevant privilege.

Note: The ‘Bypass filters’ and ‘Limited management capabilities’ privileges are returned based on membership to user groups named ‘Content Filtering Bypass’ and ‘Limited Administrators’ – these are not configurable.

11. Select the Test tab. The ‘Test’ page allows for the configured LDAP settings to be tested by attempting authentication with specified user and password credentials. Any user group memberships and/or framed IP address configured on the LDAP/AD server for the user will be displayed.

Further Information on LDAP Schemas
• Microsoft Active Directory: Schema information is available at <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asp> and <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_reference.asp>
• RFC2798 InetOrgPerson: Schema definition and development information is available at <http://rfc.net/rfc2798.html>
• RFC2307 Network Information Service: Schema definition and development information is available at <http://rfc.net/rfc2307.html>
• Samba SMB: Development information is available at <http://us5.samba.org/samba/>
• Novell eDirectory: LDAP integration information is available at <http://www.novell.com/documentation/edir873/index.html?page=/documentation/edir873/edir873/data/h0000007.html>
• User-defined schemas: See the documentation for your LDAP installation.
You can also see general information on LDAP at <http://rfc.net/rfc1777.html>

RADIUS with LDAP for user groups
When RADIUS is used for user authentication, there is an option on the RADIUS Users page in the RADIUS configuration to allow LDAP to be selected as the mechanism for setting user group memberships for RADIUS users: When that is selected, after authenticating a user via RADIUS his/her user group membership information will be looked up via LDAP in the directory on the LDAP/AD server. Clicking the Configure button launches the LDAP configuration window.

Note that in this case LDAP is not dealing with user passwords and the information that it reads from the directory is normally unrestricted, so operation without TLS could be selected, ignoring the warnings, if TLS is not available (e.g. if certificate services are not installed with Active Directory). However, it must be ensured that security is not compromised by the SonicWALL doing a clear-text login to the LDAP server – e.g. create a user account with read-only access to the directory dedicated for the SonicWALL’s use. Do not use the administrator account in this case.

232-001244-00 Rev A
