LDAP Integration Feature Module
Transcript of LDAP Integration Feature Module
-
8/4/2019 LDAP Integration Feature Module
1/20
1
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
SonicOS Enhanced 3.2LDAP Integration withMicrosoft Active Directory andNovell eDirectory Support
Document Scope
This document describes the integration of SonicOS Enhanced 3.2 with Lightweight Directory Access
Protocol (LDAP) and how to configure a SonicWALL appliance to use LDAP for user authentication.
This document contains the following sections:
LDAP Overview on page 2
LDAP Directory Services Supported in SonicOS Enhanced on page 2
New LDAP Support in SonicOS 3.2 on page 4
Support for LDAP Continuation References on page 4
Support for the NIS and Samba SMB Schemas on page 7
CHAP Support for L2TP Server Users with LDAP on page 8
Schema Download from the LDAP Server on page 9
Support for RFC1779 Escapes in User Group Names on page 10
Configuring LDAP integration in SonicOS Enhanced on page 11
Before you begin on page 11
Configuring the SonicWALL Appliance for LDAP on page 12
Further Information on LDAP Schemas on page 19
RADIUS with LDAP for user groups on page 20
-
8/4/2019 LDAP Integration Feature Module
2/20
LDAP Overview
2
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
LDAP OverviewLightweight Directory Access Protocol (LDAP) defines a directory services structure for storing and
managing information about elements in you network, such as user accounts, user groups, hosts, and
servers. Several different standards exist that use LDAP to manage user account, group, and permissions.
Some are proprietary systems, like Microsoft Active Directory, which you can manage using LDAP.Some are open standards Samba, which are implementations of the LDAP standards. Some are
proprietary systems, like Novell eDirectory, which provide an LDAP API for managing the user
repository information.
In addition to RADIUS and the local user database, SonicOS Enhanced supports LDAP, Microsoft
Active Directory (AD), and Novell eDirectory directory services for user authentication.
LDAP Directory Services Supported in SonicOS Enhanced
In order to integrate with the most common directory services used in company networks, SonicOS
Enhanced supports integration with the following LDAP schemas:
Microsoft Active Directory
RFC2798 InetOrgPerson
RFC2307 Network Information Service
Samba SMB
Novell eDirectory
User-defined schemas
SonicOS Enhanced provides support for directory servers running the following protocols:
LDAPv2 (RFC3494)
LDAPv3 (RFC2251-2256, RFC3377)
LDAPv3 over TLS (RFC2830)
LDAPv3 with STARTTLS (RFC2830)
LDAP Referrals (RFC2251)
LDAP Terms
The following terms are useful when working with LDAP and its variants:
Schema The schema is the set of rules or the structure that defines the types of data that can be
stored in a directory, and how that data can be stored. Data is stored in the form of entries.
Active Directory (AD) The Microsoft directory service, commonly used with Windows-based
networking. Microsoft Active Directory is compatible with LDAP. eDirectory The Novell directory service, used for Novell NetWare-based networking. Novell
eDirectory has an LDAP gateway that can be used for management.
Entry The data that is stored in the LDAP directory. Entries are stored in attribute/value (or
name/value) pairs, where the attributes are defined by object classes. A sample entry would be
cn=john where cn (common name) is the attribute, and john is the value.
Object class Object classes define the type of entries that an LDAP directory may contain. A
sample object class, as used by AD, would be user or group.
-
8/4/2019 LDAP Integration Feature Module
3/20
LDAP Overview
3
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
Microsoft Active Directorys Classes can be browsed at
Object- In LDAP terminology, the entries in a directory are referred to as objects. For the purposes
of the SonicOS implementation of the LDAP client, the critical objects are User and Group
objects. Different implementations of LDAP can refer to these object classes in different fashions,for example, Active Directory refers to the user object as user and the group object as group,
while RFC2798 refers to the user object as inetOrgPerson and the group object as
groupOfNames.
Attribute - A data item stored in an object in an LDAP directory. The object can have required
attributes or allowed attributes. For example, the dc attribute is a required attribute of the
dcObject (domain component) object.
dn - A distinguished name, which is a globally unique name for a user or other object. It is made
up of a number of components, usually starting with a common name (cn) component and ending
with a domain specified as two or more domain components (dc). For example,
cn=john,cn=users,dc=domain,dc=com
cn The common name attribute is a required component of many object classes throughout
LDAP.
ou The organizational unit attribute is a required component of most LDAP schema
implementations.
dc The domain component attribute is commonly found at the root of a distinguished name, and
is commonly a required attribute.
TLS Transport Layer Security is the IETF standardized version of SSL (Secure Sockets Layer).
TLS 1.0 is the successor to SSL 3.0.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/classes_all.asphttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/classes_all.asphttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/classes_all.asp -
8/4/2019 LDAP Integration Feature Module
4/20
New LDAP Support in SonicOS 3.2
4
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
New LDAP Support in SonicOS 3.2SonicOS Enhanced 3.2 adds five new features to its LDAP support:
Support for LDAP Continuation References
Support for the NIS and Samba SMB Schemas CHAP Support for L2TP Server Users with LDAP
Schema Download from the LDAP Server
Support for RFC1779 Escapes in User Group Names
Support for LDAP Continuation References
Support for Continuation References is added to LDAP in SonicOS 3.2 enhanced firmware. SonicOS 3.1
enhanced firmware supports LDAP Referrals but not Continuation References.
LDAP Referrals and Continuation References allow the SonicWALL to access LDAP directories on
multiple LDAP servers through a single LDAP server. This is most frequently used for access todirectories in sub (child) domains through the LDAP server for the parent domain.
LDAP Referrals and References allow the SonicWALL UTM appliance access to directories hosted on
different LDAP servers without the additional complexity of configuring for all of them. The client is
configured with a single primary LDAP server to which it sends its requests. Should the request require
access to a part of the directory that is not hosted on that server, the server will return a referral giving
the location of a different server to try.
In the case of a search request, should the search encompass a part of the directory that is not hosted on
that server in addition to the part that is, then it will return a reference giving the location of a different
server to try for more results.
Usually, the directory is split between multiple LDAP servers by domain, with each server hosting an
entire domain.
Support of Referrals and References is provided by OpenLDAP. Login to any secondary servers will use
the same credentials (name, password and location in the directory tree) as the primary LDAP server. To
log in, those credentials will be used with each of the domains (other than the primary domain) from the
configured user trees in turn. Once login is successful the domain used will be recorded for future use
by the secondary server.
Note This may require creating a matching user account on each of the LDAP servers especially for the
use of the SonicWALL.
Continuation References are similar to Referrals but are returned in search results to indicate that more
results may be obtained by continuing the search on other given LDAP servers.
-
8/4/2019 LDAP Integration Feature Module
5/20
New LDAP Support in SonicOS 3.2
5
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
Using Continuation References
To simplify configuration in a small installation with sub domains, just one user and/or user group tree
search can be configured. The tree search is set to the top of the directory tree on the parent domain (the
parent domain itself).
Continuation references to child domains under the parent domain are returned during userauthentication and allow user authentication searches to encompass those users in sub domains of the
parent domain. Continuation references returned during auto-configuration of the user and user group
trees are now followed. This allows the parent and all sub domains to be auto-configured in a single
operation.
Use LDAP Continuation References when you have user trees on multiple servers, for example:
server1.mydomain.com/users
server2.mydomain.com/users
server3.location2.mydomain.com/users
server4.location3.mydomain.com/users
Configuring LDAP Continuation References
To configure SonicOS Enhanced 3.2 with LDAP Continuation References:
1. In the Users > Settings page of the administration interface, select LDAP orLDAP + Local Users
forAuthentication Method and clickConfigure.
2. In the LDAP Configuration dialog box, in the Directory tab, enter the name of your primary domain
only in the Primary Domain, Trees Containing Users, and Trees Containing User Groups fields.
When searching for a user, it will automatically search all servers and sub domains within your
primary domain.
-
8/4/2019 LDAP Integration Feature Module
6/20
New LDAP Support in SonicOS 3.2
6
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
LDAP Continuation References with Large User Trees
If you have a large user tree, it can be less efficient to use LDAP Continuation References. In this case
it is more efficient to configure the servers and user trees manually into the LDAP settings.
For example, if you have a server at your primary location with a very large user tree and one at a second
location where you only have a few people:
headquarters.mydomain.com/users - 2,000 users
location2.mydomain.com/users - 25 users
In this case, it would be best to have separate user and group trees configured for
headquarters.mydomain.com, while a single location2.mydomain.com entry would suffice for the
server with the smaller tree.
-
8/4/2019 LDAP Integration Feature Module
7/20
New LDAP Support in SonicOS 3.2
7
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
Support for the NIS and Samba SMB Schemas
SonicOS Enhanced 3.2 supports the RFC 2307 Network Interface Service (NIS) schema and the Samba
SMB schema that is derived from it.
RFC2307 Network Information Service is a mechanism for mapping network entities related to
TCP/IP and the UNIX system, such as network hosts and Unix user accounts, to LDAP.
Samba Server Message Block Protocol (SMB) provides a method for client applications on a computer
to read and write to files to the network and to request services from server programs in a network.
Using NIS and Samba SMB
In the Schema tab of the LDAP Configuration dialog box, select eitherRFC2307 Network
Information Service orSamba SMB from the LDAP Schema list.
When you select RFC2307 Network Information Service, the following fields are pre-populated:
User Objects:
Object class:posixAccount Login name attribute: uid
User Group Objects:
Object class:posixGroup
Member attribute: memberUidis: User ID
When you select Samba SMB, the following fields are pre populated:
User Objects:
Object class: sambaSAMAccount
Login name attribute: uid
User Group Objects: Object class: sambaGroupMapping
Member attribute: memberUidis: User ID
-
8/4/2019 LDAP Integration Feature Module
8/20
New LDAP Support in SonicOS 3.2
8
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
CHAP Support for L2TP Server Users with LDAP
CHAP (Challenge-Handshake Authentication Protocol) is a secure procedure for authenticating a user.
CHAP is more secure than regular password authentication, because CHAP requires a two-way
handshake for authentication. In CHAP:
1. After the initial link is made, the server sends a challenge message to the connection requestor. Therequestor responds with a value obtained by using a one-way hash function.
2. The server checks the response by comparing it to its own calculation of the expected hash value.
3. If the values match, the authentication is acknowledged; otherwise, the connection is terminated.
At any time, the server can request the connected party to send a new challenge message. CHAP is
defined in RFC1334, available at .
When configured for LDAP, SonicOS 3.2 allows CHAP authentication directly with LDAP in cases
where the LDAP server can be configured to return user passwords to the SonicWALL appliance. In
some cases, this may require the LDAP server to be configured to store passwords reversibly.
Note Microsoft Active Directory does not support CHAP authentication with SonicWALL appliances.
Testing CHAP Authentication
In the Test tab of the LDAP Configuration dialog box, select the CHAP choice forTest. The default
values to test CHAP are:
User: CHAP
Password: MSCHAP
http://rfc.net/rfc1334.htmlhttp://rfc.net/rfc1334.html -
8/4/2019 LDAP Integration Feature Module
9/20
New LDAP Support in SonicOS 3.2
9
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
Schema Download from the LDAP Server
In SonicOS Enhanced 3.2, you can read details of the schema from the LDAP server. You can choose to
either export the information to file with a name ofldapSchema_xxx.wri (wherexxx is from the
SonicWALL appliancess serial number), or you can have SonicOS use the information to automatically
select the correct schema in the LDAP configuration. If you are uncertain of your organizations LDAPschema, this provides a useful tool for examining the schema. You can also use the downloaded schema
as a template for modifying a custom LDAP schema.
Downloading the Schema Definition
In the Schema tab of the LDAP Configuration dialog box, click the Read From Server button to
download the schema.
Before you can download the schema, you must have configured in the LDAP Configuration dialog box:
The correct name or address of the LDAP server entered in the Settings tab.
The correct schema selected in the Schema tab.
The correct primary domain, user trees, and user group trees in the Directory tab.
-
8/4/2019 LDAP Integration Feature Module
10/20
New LDAP Support in SonicOS 3.2
10
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
Support for RFC1779 Escapes in User Group Names
SonicOS Enhanced 3.2 has added support for RFC1779 special character escapes in group names. Prior
to 3.2, SonicOS Enhanced only supported RFC17709 escapes in user names.
Certain characters require escaping when sent in LDAP requests, as per RFC1779, and that was not
previously done for user group names. This meant that user group names containing characters such ascommas would not be recognized when returned from the LDAP server to the SonicWALL.
RFC1779 escapes are required for names containing the following characters:
, + = " < > # ;
When SonicOS Enhanced encounters a user name or group name containing a character requiring an
escape, it automatically sends it to or reads it from the LDAP server with the correct RFC1779 escape.
You do not need to configure SonicOS Enhanced to use these escapes.
For more information, see http://rfc.net/rfc1779.html.
http://rfc.net/rfc1779.htmlhttp://rfc.net/rfc1779.html -
8/4/2019 LDAP Integration Feature Module
11/20
Configuring LDAP integration in SonicOS Enhanced
11
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
Configuring LDAP integration in SonicOS EnhancedIntegrating your SonicWALL appliance with an LDAP directory service requires configuring your
LDAP server to accept the management, install ing the correct certificate on your SonicWALL appliance,
and configuring the SonicWALL appliance to use the information from the LDAP Server.
Before you begin
Before beginning your LDAP configuration, you should prepare your LDAP server and your
SonicWALL for LDAP over TLS support. This requires:
Installing a server certificate and your LDAP server.
Installing a CA (Certificate Authority) certif icate for the issuing CA on your SonicWALL appliance.
To perform these tasks in an Active Directory environment:
1. Configuring the CA on the Active Directory server (skip steps a. through e. if Certificate Services
are already installed):
a. Navigate to Start>Settings>Control Panel>Add/Remove Programs
b. Select Add/Remove Windows Components
c. Select Certificate Services
d. Select Enterprise Root CA when prompted.
e. Enter the requested information. For detailed information on CA setup, see
http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
f. Launch the Domain Security Policy application:
Start>Run>dompol.msc
g. Open Security Settings > Public Key Policies
h. Right click on Automatic Certificate Request Settings
i. Select New > Automatic Certificate Request
j. Step through the wizard, and select Domain Controller from the list.
2. Exporting the CA certificate from the AD server:
a. Launch the Certification Authority application: Start>Run>certsrv.msc
b. Right click on the CA you created, select properties
c. On the General tab, click the View Certificate button
d. From the Details tab, select Copy to File
e. Step through the wizard, select the Base-64 Encoded X.509 (.cer) format
f. Specify a path and filename to which to save the certificate.
3. Importing the CA certificate onto the SonicWALL:
a. Browse to System > CA Certificates
b. Select Add new CA certificate
c. Browse to and select the certificate file you just exported
d. Click the Import certificate button.
-
8/4/2019 LDAP Integration Feature Module
12/20
Configuring LDAP integration in SonicOS Enhanced
12
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
Configuring the SonicWALL Appliance for LDAP
The Users > Settings page in the administrative interface provides the settings for managing your LDAP
integration:
1. In the SonicOS administrative interface, open the Users > Settings page.
2. In the Authentication Method list, select eitherLDAP orLDAP + Local Users.
3. ClickConfigure.
4. If you are connected to your SonicWALL appliance via HTTP rather than HTTPS, you will see
warning offering to change your connection to HTTPS. If you have HTTPS management enabledfor the interface you are connected to (recommended), clickYes.
5. In the Settings tab LDAP Configuration window, configure:
-
8/4/2019 LDAP Integration Feature Module
13/20
Configuring LDAP integration in SonicOS Enhanced
13
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
Name or IP Address Enter the FQDN or the IP address of the LDAP server against which
you wish to authenticate. If using a name, be certain it can be resolved by your DNS server.
Also, if using TLS with the Require valid certificate from server option, the name provided
here must match the name to which the server certificate was issued (i.e. the CN) or the TLS
exchange will fail.
Port Number The default LDAP over TLS port number is TCP 636. The default LDAP(unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP
server, specify it here.
Server timeout The amount of time, in seconds, that the SonicWALL will wait for a response
from the LDAP server before timing out. Allowable ranges are 1 to 99999 (in case youre
running your LDAP server on a VIC-20 located on the moon), with a default of 10 seconds.
Anonymous Login Some LDAP servers allow for the tree to be accessed anonymously. If
your server supports this (MSAD generally does not), then you may select this option.
Login name Specify a user name which has rights to log in to the LDAP directory. The login
name will automatically be presented to the LDAP server in full dn notation. This can be any
account with LDAP read privileges (essentially any user account) Administrative privileges
are not required.Note that this is the users name, not their login ID (e.g. John Smith rather than
jsmith).
Login password The password for the user account specified above.
Protocol version Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP,
including AD, employ LDAPv3.
Use TLS Use Transport Layer Security (SSL) to log in to the LDAP server. It is strongly
recommended that TLS be used to protected the username and password information that will
be sent across the network. Most modern implementations of LDAP server, including AD,
support TLS. Deselecting this default setting will provide an alert which must be accepted to
proceed.
Send LDAP Start TLS Request Some LDAP server implementations support the Start TLS
directive rather than using native LDAP over TLS. This allows the LDAP server to listen on
one port (normally 389) for LDAP connections, and to switch to TLS as directed by the client.AD does not use this option, and it should only be selected if required by your LDAP server.
Require valid certificate from server Validates the certificate presented by the server during
the TLS exchange, matching the name specified above to the name on the certificate.
Deselecting this default option will present an alert, but exchanges between the SonicWALL
and the LDAP server will still use TLS only without issuance validation.
Local certificate for TLS Optional, to be used only if the LDAP server requires a client
certificate for connections. Useful for LDAP server implementations that return passwords to
ensure the identity of the LDAP client (AD does not return passwords). This setting is not
required for AD.
If your network uses multiple LDAP/AD servers with referrals, then select one as the primary server
(probably the one that holds the bulk of the users) and use the above settings for that server. It willthen refer the SonicWALL on to the other servers for users in domains other than its own. For the
SonicWALL to be able to log in to those other servers, each server must have a user configured with
the same credentials (user name, password and location in the directory) as per the login to primary
server. This may entail creating a special user in the directory for the SonicWALL login. Note that
only read access to the directory is required.
-
8/4/2019 LDAP Integration Feature Module
14/20
Configuring LDAP integration in SonicOS Enhanced
14
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
6. Select the Schema tab:
LDAP Schema select Microsoft Active Directory, RFC2798 inetOrgPerson, RFC2307
Network Information Service, Samba SMB, Novell eDirectory, oruser-defined. Selecting
any of the predefined schemas will automatically populate the fields used by that schema with
their correct values. Selecting user-defined will allow you to specify your own values use
this only if you have a specific or proprietary LDAP schema configuration.
Object class this defines which attribute represents the individual user account to which the
next two fields apply
Login name attribute this defines which attribute is used for login authentication.
sAMAccountName for Microsoft Active Directory
inetOrgPerson for RFC2798 inetOrgPerson
posixAccount for RFC2307 Network Information Service
sambaSAMAccount for Samba SMB
inetOrgPerson for Novell eDirectory
Qualified login name attribute if not empty, this specifies an attribute of a user object that
sets an alternative login name for the user in name@domain format. This may be needed with
multiple domains in particular, where the simple login name may not be unique across domains.
This is set to mail for Microsoft Active Directory and RFC2798 inetOrgPerson.
User group membership attribute this attribute contains the information in the user object
of which groups it belongs to. This is memberOfin Microsoft Active Directory. The other
pre-defined schemas store group membership information in the group object rather than the
user object, and therefore do not use this field.
Framed IP address attribute this attribute can be used to retrieve a static IP address that is
assigned to a user in the directory. Currently it is only used for a user connecting via L2TP with
the SonicWALLs L2TP server. In future this may also be supported for Global VPN Client. In
Active Directory the static IP address is configured on the Dial-in tab of a users properties.
-
8/4/2019 LDAP Integration Feature Module
15/20
Configuring LDAP integration in SonicOS Enhanced
15
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
7. Select the Directory tab.
Primary Domain Specify the user domain used by your LDAP implementation. For AD, this
will be the Active Directory domain name, e.g.yourADdomain.com. Changes to this field will,
optionally, automatically update the tree information in the rest of the page. This is set to
mydomain.com by default for all schemas except Novell eDirectory, for which it is set to
o=mydomain.
User tree for login to server The tree in which the user specified in the Settings tab resides.
For example, in AD the administrator accounts default tree is the same as the user tree.
Trees containing users The trees where users commonly reside in the LDAP directory. One
default value is provided which can be edited, and up to a total of 64 DN values may be
provided. The SonicWALL searches the directory using them all until a match is found, or the
list is exhausted. If you have created other user containers within your LDAP or AD directory,you should specify them here.
Trees containing user groups Same as above, only with regard to user group containers, and
a maximum of 32 DN values may be provided. These are only applicable when there is no user
group membership attribute in the schema's user object, and are not used with AD.
All the above trees are normally given in URL format but can alternatively be specified as
distinguished names (e.g. myDom.com/Sales/Users could alternatively be given as the
DN ou=Users,ou=Sales,dc=myDom,dc=com). The latter form will be necessary if the DN
does not conform to the normal formatting rules as per that example. In Active Directory the
URL corresponding to the distinguished name for a tree is displayed on the Object tab in the
properties of the container at the top of the tree.
Note AD has some built-in containers that do not conform (e.g. the DN for the top level Users
container is formatted as cn=Users,dc=, using cn rather than ou) but the SonicWALL
knows about and deals with these, so they can be entered in the simpler URL format.
Ordering is not critical, but since they are searched in the given order it is most efficient to place
the most commonly used trees first in each list. If referrals between multiple LDAP servers are
to be used, then the trees are best ordered with those on the primary server first, and the rest in
the same order that they will be referred.
-
8/4/2019 LDAP Integration Feature Module
16/20
Configuring LDAP integration in SonicOS Enhanced
16
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
Note When working with AD, to determine the location of a user in the directory for the User tree
for login to server field, the directory can be searched manually from the Active Directory
Users and Settings control panel applet on the server, or a directory search utility such as
queryad.vbs in the Windows NT/2000/XP Resource Kit can be run from any PC in the
domain.
Auto-configure This causes the SonicWALL to auto-configure the Trees containing users
and Trees containing user groups fields by scanning through the directory/directories looking
for all trees that contain user objects. The User tree for login to server must first be set, and
clicking the Auto-configure button then brings up the following dialog:
8. Select whether to append new located trees to the current configuration, or to start from scratch
removing all currently configured trees first, and then click OK. Note that it will quite likely locate
trees that are not needed for user login and some tidying up afterwards, manually removing such
entries, is worthwhile.
If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing
the Domain to search accordingly and selecting Append to existing trees on each subsequent run.
-
8/4/2019 LDAP Integration Feature Module
17/20
Configuring LDAP integration in SonicOS Enhanced
17
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
9. Select the LDAP Users tab.
Allow only users listed locally Requires that LDAP users also be present in the SonicWALL
local user database for logins to be allowed.
User group membership can be set locally by duplicating LDAP user names Allows for
group membership (and privileges) to be determined by the intersection of local user and LDAP
user configurations.
Default LDAP User Group A default group on the SonicWALL to which LDAP users will
belong in addition to group memberships configured on the LDAP server.Group memberships (and privileges) can also be assigned simply with LDAP. By creating user
groups on the LDAP/AD server with the same name as SonicWALL built-in groups (such as Guest
Services, Content Filtering Bypass, Limited Administrators) and assigning users to these groups
in the directory, or creating user groups on the SonicWALL with the same name as existing
LDAP/AD user groups, SonicWALL group memberships will be granted upon successful LDAP
authentication.
The SonicWALL appliance can retrieve group memberships more efficiently in the case of Active
Directory by taking advantage of its unique trait of returning a memberOf attribute for a user.
-
8/4/2019 LDAP Integration Feature Module
18/20
Configuring LDAP integration in SonicOS Enhanced
18
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
10. Select the LDAP Relay tab.
The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site
with an LDAP/AD server and a central SonicWALL, with remote satellite sites connected into it via
low-end SonicWALL security appliances that may not support LDAP. In that case the central
SonicWALL can operate as a RADIUS server for the remote SonicWALLs, acting as a gateway
between RADIUS and LDAP, and relaying authentication requests from them to the LDAP server.
Additionally, for remote SonicWALLs running non-enhanced firmware, with this feature the central
SonicWALL can return legacy user privilege information to them based on user group memberships
learned via LDAP. This avoids what can be very complex configuration of an external RADIUS
server such as IAS for those SonicWALLs.
Enable RADIUS to LDAP Relay Enables this feature.
Allow RADIUS clients to connect via Check the relevant checkboxes and policy rules will
be added to allow incoming RADIUS requests accordingly.
RADIUS shared secret This is a shared secret common to all remote SonicWALLs.
User groups for legacy users These define the user groups that correspond to the legacy
Access to VPNs, Access from VPN client with XAUTH, Access from L2TP VPN client
and Allow Internet access (when access is restricted) privileges respectively. When a user in
one of the given user groups is authenticated, the remote SonicWALL will be informed that the
user is to be given the relevant privilege.
Note The Bypass filters and Limited management capabilities privileges are returned based on
membership to user groups named Content Filtering Bypass and Limited Administrators
these are not configurable.
-
8/4/2019 LDAP Integration Feature Module
19/20
Configuring LDAP integration in SonicOS Enhanced
19
SonicOS Enhanced 3.2 LDAP Integration with eDirectory Feature Module
11. Select the Test tab.
The Test page allows for the configured LDAP settings to be tested by attempting authentication
with specified user and password credentials. Any user group memberships and/or framed IP
address configured on the LDAP/AD server for the user will be displayed.
Further Information on LDAP Schemas
Microsoft Active Directory: Schema information is available at
and
RFC2798 InetOrgPerson: Schema definition and development information is available at
RFC2307 Network Information Service: Schema definition and development information is
available at
Samba SMB: Development information is available at
Novell eDirectory: LDAP integration information is available at
User-defined schemas: See the documentation for your LDAP installation. You can also see general
information on LDAP at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asphttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asphttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_reference.asphttp://rfc.net/rfc2798.htmlhttp://rfc.net/rfc2307.htmlhttp://us5.samba.org/samba/http://www.novell.com/documentation/edir873/index.html?page=/documentation/edir873/edir873/data/h0000007.htmlhttp://www.novell.com/documentation/edir873/index.html?page=/documentation/edir873/edir873/data/h0000007.htmlhttp://rfc.net/rfc1777.htmlhttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_reference.asphttp://rfc.net/rfc1777.htmlhttp://www.novell.com/documentation/edir873/index.html?page=/documentation/edir873/edir873/data/h0000007.htmlhttp://us5.samba.org/samba/http://rfc.net/rfc2307.htmlhttp://rfc.net/rfc2798.htmlhttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asphttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asp -
8/4/2019 LDAP Integration Feature Module
20/20
RADIUS with LDAP for user groups
S i OS E h d 3 2 LDAP I t ti ith Di t F t M d l 232 001244 00 R A
RADIUS with LDAP for user groupsWhen RADIUS is used for user authentication, there is an option on the RADIUS Users page in the
RADIUS configuration to allow LDAP to be selected as the mechanism for setting user group
memberships for RADIUS users:
When that is selected, after authenticating a user via RADIUS his/her user group membership
information will be looked up via LDAP in the directory on the LDAP/AD server.
Clicking the Configure button launches the LDAP configuration window.Note that in this case LDAP is not dealing with user passwords and the information that it reads from
the directory is normally unrestricted, so operation without TLS could be selected, ignoring the
warnings, if TLS is not available (e.g. if certificate services are not installed with Active Directory).
However, it must be ensured that security is not compromised by the SonicWALL doing a clear-text
login to the LDAP server e.g. create a user account with read-only access to the directory dedicated
for the SonicWALLs use. Do not use the administrator account in this case.