Enforced Client Policy and Reporting Server 2.3 Admin Guide

LDAP

Lightweight Directory Access Protocol (LDAP) is one of the options under Directory Services that administrators can use to efficiently manage Users and Groups from the LDAP server. LDAP is used to sync Users/Groups into EPRS, so CFS Policies can be tied to the Client Groups where the Clients belong. If you have an environment with more than one firewall in it, you can manage LDAP at two levels: globally and on the firewall. By selecting the global node, you can configure and make changes across all the firewalls in your environment. By selecting an individual node, or firewall, you can configure and make changes that apply only to that particular unit.


Settings

To configure the settings on the LDAP page:
1. On the Policies tab, navigate to Directory Services > LDAP. The LDAP page defaults to the Settings tab.
2. Check the box to Configure LDAP.
3. Enter the name or IP address for the LDAP Server.
4. Enter the TCP port number running the LDAP service.
   You can also choose one of the Standard Port Choices from the drop-down list. The default LDAP port is 389. Be sure to open this port number in your firewall for inbound communication with the LDAP server.
5. Specify the Server timeout period in seconds. If no connection is made after this period elapses, the client stops attempting to connect to the server.
6. Specify the Overall operation timeout in minutes. This is the maximum time spent on any auto-operation.
   NOTE: Some operations, such as directory configuration or importing user groups, can take several minutes, especially if running across multiple LDAP servers.
7. Select one of the following authentication methods:

   Anonymous login
   Select to log in without the LDAP server authenticating information or "binding" to the server.

   Give login name/location in tree
   Select to authenticate through a login process. Also:
   1. Enter the Login user name.
      NOTE: You need to provide the user's distinguished name. This is different from the user login ID. For example, John Doe may have a user login ID of 'jdoe'. However, you would enter 'John Doe' in this field. When selecting this option, you will also need to provide the User Tree for Login to Server, located on the Directory Services > LDAP, Directory tab.
   2. Enter the Login password. If you leave the password field empty, the current password will remain unchanged.
   3. Select the Protocol version from the drop-down list.

   Give bind distinguished name
   Select to bind to the LDAP server using the full distinguished name. Also:
   1. Enter the Bind distinguished name.
   2. Enter the Login password. If you leave the password field empty, the current password will remain unchanged.
   3. Select the Protocol version from the drop-down list.

8. Check the Use TLS (SSL) box to enable the authentication of servers and clients and encryption of messages on LDAP.
9. Click Update to save these settings.

Schema

To set up the LDAP schema:
1. On the Policies tab, navigate to Directory Services > LDAP.
2. Select the Schema tab.
3. Select the LDAP Schema from the drop-down list.
   Selecting any of the predefined schemas automatically populates the fields used by that schema with their correct values.
   If the LDAP schema you wish to use is not an option in the drop-down list, select User defined and go to the next procedure.

To configure a user-defined schema:
1. In the LDAP Schema field, select User defined from the drop-down list.
2. In the User Objects section:
   a. Define the Object class. This defines which attribute represents the individual user account to which the login name attribute and the user group membership attribute apply.
   b. Define the Login name attribute. This is the LDAP attribute that corresponds to the User ID.
   c. Define the User group membership attribute. This is the LDAP attribute that lists the groups or mailing lists that the user is a member of.
   d. Define the Additional user group ID attribute. If set and Use is enabled (the box is checked), then when a user object is found with one or more instances of the specified attribute, a search is made in the LDAP directory for additional user groups matching the specified attribute. If a group is found with the Additional user group match attribute set to that value, then the user is also made a member of that group.
      NOTE: Using this attribute adds searches that can increase the load on your LDAP server and slow its performance.
3. In the User Group Objects section:
   a. Define the Object class for the group for the LDAP schema.
   b. Specify the Member attribute that corresponds to group members.
   c. Set the Additional user group match attribute. This is the LDAP attribute that allows a schema to set additional memberships for a user group. If a group is found with this attribute set to the specified value, then the user will also be made a member of that group.
      NOTE: Using this attribute adds searches that can increase the load on your LDAP server and slow its performance.
4. Select Read from Server to retrieve the LDAP schema from the LDAP server.
5. Choose to:
   Automatically update the schema configuration
   Export details of the schema
6. Click OK.
7. Click Update to save these settings.
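As an added illustration (not part of this guide or of EPRS itself), the following Python models how the User Objects and User Group Objects fields above combine to produce a user's group set, including the extra memberships contributed by the Additional user group ID / match attributes. The in-memory directory and the Active Directory-style attribute names (sAMAccountName, memberOf, member, primaryGroupID, primaryGroupToken) are constructed assumptions, not EPRS defaults.

```python
# Added example, not EPRS code: resolves a user's groups the way the schema
# fields above describe (user object class, login name / membership attributes,
# group object class, member attribute, additional user group ID / match
# attributes). Constructed in-memory directory; AD-style names are assumptions.
U = "cn=jdoe,ou=users,dc=example,dc=com"
DIRECTORY = {  # DN -> attributes; every attribute value is a list
    U: {"objectClass": ["user"], "sAMAccountName": ["jdoe"], "primaryGroupID": ["513"],
        "memberOf": ["cn=Finance,ou=groups,dc=example,dc=com"]},
    "cn=Finance,ou=groups,dc=example,dc=com": {"objectClass": ["group"], "member": [U]},
    "cn=Contractors,ou=groups,dc=example,dc=com": {"objectClass": ["group"], "member": [U]},
    # the AD primary group carries no member list; it is only reachable via the ID match
    "cn=Domain Users,ou=groups,dc=example,dc=com":
        {"objectClass": ["group"], "primaryGroupToken": ["513"]},
}
SCHEMA = {  # one key per User Objects / User Group Objects field on this page
    "user_object_class": "user",
    "login_name_attr": "sAMAccountName",
    "user_group_membership_attr": "memberOf",
    "additional_user_group_id_attr": "primaryGroupID",
    "use_additional_user_group_id": True,  # the "Use" checkbox
    "group_object_class": "group",
    "member_attr": "member",
    "additional_user_group_match_attr": "primaryGroupToken",
}

def find_user(directory, schema, login_name):
    """DN of the user-class object whose login name matches (case-insensitive), or None."""
    for dn, entry in directory.items():
        names = [v.lower() for v in entry.get(schema["login_name_attr"], [])]
        if schema["user_object_class"] in entry.get("objectClass", []) and login_name.lower() in names:
            return dn
    return None

def resolve_groups(directory, schema, login_name):
    """Sorted group DNs from three sources: the user's own membership attribute, groups
    whose member attribute lists the user DN, and (if Use is enabled) ID/match hits."""
    user_dn = find_user(directory, schema, login_name)
    if user_dn is None:
        return []  # unknown login name: no groups rather than an error
    user = directory[user_dn]
    groups = set(user.get(schema["user_group_membership_attr"], []))
    ids = set(user.get(schema["additional_user_group_id_attr"], []))
    for dn, entry in directory.items():
        if schema["group_object_class"] not in entry.get("objectClass", []):
            continue
        match = set(entry.get(schema["additional_user_group_match_attr"], []))
        if user_dn in entry.get(schema["member_attr"], []) or \
           (schema["use_additional_user_group_id"] and ids & match):
            groups.add(dn)
    return sorted(groups)
```

Clearing the Use checkbox in SCHEMA drops the Domain Users membership, which is exactly the extra search the NOTE above warns costs LDAP server load.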

Directory

Depending on the authentication method you specified on the Settings tab, you may have to enter additional information on the Directory tab.

To configure Directory settings:
1. On the Policies tab, navigate to Directory Services > LDAP.
2. Select the Directory tab.
3. Depending on your selection on the Settings tab, define the User Directory Information:
   If you selected Anonymous Login or Give bind distinguished name, provide the Primary domain or check the box to Fetch domain alias automatically.
   If you selected Give login name/location in tree, specify the Primary Domain and the User Tree for Login to Server fields. This specifies the tree in the directory that includes the user object for the user that you configured on the Settings tab.
4. Click Update to save these settings.

Users & Groups

To mirror LDAP users and user groups:
1. On the Policies tab, navigate to Directory Services > LDAP.
2. Select the Users & Groups tab.
3. Check the box to Mirror LDAP users and user groups automatically.
4. Specify the Refresh period in hours. This is the period between mirroring operations. A valid value can range from 8 to 168 hours.
5. Click Update to save these settings.

Test

To test the LDAP settings:
1. On the Policies tab, navigate to Directory Services > LDAP.
2. Select the Test tab.
3. Enter a valid LDAP User name and Password.
4. Click the Test button. EPRS retrieves any messages from the LDAP server as well as returned user attributes in the appropriate fields.