Account Lifetime Expiry for LDAP imported users
03/14/2023
Description
Administrators might run into a requirement where users imported from an Active Directory or LDAP server should be valid on the firewall only for a specific period of time, and once that account lifetime is over, the user should no longer be able to connect, either locally or from a remote location.
Currently, the firewall offers an Account Lifetime option both for users created locally on the firewall and for users imported from the LDAP server. In this article, we discuss in detail why the option is supported only for local user accounts and not for imported LDAP user accounts.
EXAMPLE:
Let us take an example where we have created a local user account, integrated an LDAP server from the local network, and imported a user from that LDAP server, as shown below:
Let us set the account lifetime for both of these users to 1 minute on the firewall, as shown below:
Notice that one minute later, once the account lifetime has expired, you will see the following representation on the SonicWall GUI:
However, if we now test these user accounts, for example by connecting via Global VPN Client (GVC), we see the following behavior:
a) With the local user account:
The firewall does not allow the local user to connect because its account lifetime has expired, and the GVC client displays the following logs:
b) With the LDAP user account:
The firewall allows the user to connect even though the user account on the firewall shows as expired.
Cause
The user account imported onto the firewall is not the actual user account but a link to the account on the LDAP server. Even though the account has expired in the SonicWall database, it is still active on the LDAP server. Every time the domain user authenticates, the request is sent to the DC, and user access and authentication are controlled by the response and the attributes returned by the Domain Controller or LDAP server; the expiry recorded on the firewall is not consulted. Currently, limiting the Account Lifetime for LDAP user accounts is not supported by SonicWall firewalls.
Resolution
The workaround for this requirement is either to use local users for VPN authentication, or to control the lifetime from the LDAP server directly, through the 'Logon Hours' or the 'Account Expire' option, before importing the user on the firewall, as shown:
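Because the directory, not the firewall's copy of the user, decides whether a logon is accepted, the settings that actually expire an LDAP-imported user are the ones applied on the directory side. The following is an added example, not part of this article or of any SonicWall code; it assumes the directory is Active Directory and decodes the two attributes behind the options named above as AD stores them: accountExpires as a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC, with 0 and 0x7FFFFFFFFFFFFFFF meaning "never expires"), and logonHours as a 21-byte bitmap of the 168 hours of the week starting at Sunday 00:00 UTC, least-significant bit first. The ACCOUNTDISABLE bit of userAccountControl is included because it is the other directory-side state that overrides anything the firewall shows. The sample user entry is constructed for the example; a real entry would be read from the directory with an LDAP search.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # AD sentinel values for "never"
ACCOUNTDISABLE = 0x0002                   # userAccountControl flag
HOUR_FT = 3600 * 10_000_000               # one hour in FILETIME units


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert an AD FILETIME to an aware UTC datetime; None means 'never expires'."""
    if ft in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to the FILETIME value AD would store."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def account_expired(account_expires: int, now: datetime) -> bool:
    """True once 'now' has reached the accountExpires instant."""
    expiry = filetime_to_datetime(account_expires)
    return expiry is not None and now >= expiry


def make_logon_hours(days, start_hour: int, end_hour: int) -> bytes:
    """Build a logonHours bitmap: days are AD day numbers (Sunday=0),
    hours [start_hour, end_hour) in UTC are allowed."""
    bits = bytearray(21)
    for day in days:
        for hour in range(start_hour, end_hour):
            i = day * 24 + hour
            bits[i // 8] |= 1 << (i % 8)
    return bytes(bits)


def logon_allowed_now(logon_hours: Optional[bytes], now: datetime) -> bool:
    """True if the logonHours bitmap permits a logon at 'now' (absent attribute = always)."""
    if logon_hours is None:
        return True
    if len(logon_hours) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    now_utc = now.astimezone(timezone.utc)
    day = (now_utc.weekday() + 1) % 7        # Python: Monday=0; AD: Sunday=0
    i = day * 24 + now_utc.hour
    return bool((logon_hours[i // 8] >> (i % 8)) & 1)


def directory_permits_logon(entry: dict, now: datetime) -> Tuple[bool, str]:
    """Evaluate the directory-side controls in the order a DC would refuse them."""
    if entry.get("userAccountControl", 0) & ACCOUNTDISABLE:
        return False, "account disabled"
    if account_expired(entry.get("accountExpires", 0), now):
        return False, "account expired"
    if not logon_allowed_now(entry.get("logonHours"), now):
        return False, "outside logon hours"
    return True, "ok"


# Constructed sample entry (not real directory data): expires 2023-03-14 00:00 UTC,
# logon permitted Monday-Friday 08:00-17:59 UTC, account enabled.
SAMPLE_EXPIRES = datetime_to_filetime(datetime(2023, 3, 14, tzinfo=timezone.utc))  # 133232256000000000
SAMPLE_USER = {
    "sAMAccountName": "vpnuser",                 # placeholder name
    "userAccountControl": 0x0200,                # NORMAL_ACCOUNT, not disabled
    "accountExpires": SAMPLE_EXPIRES,
    "logonHours": make_logon_hours(range(1, 6), 8, 18),
}

if __name__ == "__main__":
    for label, offset in (("Mon 10:00", -14 * HOUR_FT), ("Sun 10:00", -38 * HOUR_FT), ("after expiry", HOUR_FT)):
        when = filetime_to_datetime(SAMPLE_EXPIRES + offset)
        print(label, when.isoformat(), directory_permits_logon(SAMPLE_USER, when))
```

Running the block prints the decision for a Monday inside logon hours (allowed), a Sunday (refused for logon hours) and an instant after the expiry (refused as expired). Checking an imported user this way against the live directory tells you what the firewall's authentication request will actually get back, regardless of what the firewall's own Account Lifetime field shows.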
ISSUE ID:
DTS#222096
RFE#3044