Configuring Active Directory/LDAP over TLS (Certificate)
03/26/2020 520 38842
This article explains how to integrate SonicWall appliance with an LDAP directory service, such as Windows Active Directory, using SSL/TLS.
- Install a server certificate on the LDAP server.
- Install a Certificate Authority (CA) certificate for the issuing CA on your SonicWall appliance.
- Configure the SonicWall appliance for LDAP over SSL/TLS
A prerequisite is configuring the Domain Controller (DC) server for certificate management so that it can establish SSL/TLS sessions with the SonicWall appliance. To achieve this, one has to install the certificate, e.g, mycert.pfx on the DC. Such a file has both the private key and public key certificate. While one can purchase a certificate from a public Certificate Authority (CA), self-signed certificates can be created on a CA in Active Directory Certificate Services or OpenSSL and used for this purpose.
Next, you should configure the SonicWall appliance for LDAP over SSL/TLS. Additionally, you may consider exporting the public key certificate from the DC and import it to the SonicWall Appliance.
NOTE: In this article we have used Windows 2003 server for Certificate Authority and Active Directory. If you are using windows server other than 2003 please check Microsoft site for configuring CA and Active directory, however the steps on the SonicOS Enhanced remains the same.
The following procedures describe how to Configure LDAP over TLS.
Configuring the CA on the Active Directory (Windows 2003 Server)
To configure the CA on the Active Directory server (skip the first five steps if Certificate Services are already installed)
- Navigate to Start | Settings | Control Panel | Add/Remove Programs.
- Select Add/Remove Windows components.
- Select Certificate Services.
- Select Enterprise Root CA when prompted.
- Enter the requested information. For information about certificates on Windows systems, see http://support.microsoft.com/kb/931125.
Exporting the CA Certificate from the Active Directory Server
To export the CA certificate from the AD server
- Launch the Certification Authority application: Start | Run | certsrv.msc.
- Right click on the CA you created and select Properties.
- On the General tab, click View Certificate .
- On the Details tab, select Copy to File.
- Follow through the wizard, and select the DER Encoded binary X.509 (.cer) format.
- Click browse and Specify a path and filename to which to save the certificate.
- Click Next button and click Finish.
Importing the CA Certificate onto the SonicWall
To import the CA certificate onto the SonicWall:
- Navigate to Manage | System Setup | Appliance | Certificates.
- Select Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file.
- Choose the certificate File, EXAMPLE: pluto-cert.cer below.
- Click Import.
- Once the CA root certificate is imported, it will be listed under Manage | System Setup | Appliance | Certificates | Imported Certificates.
Configuring LDAP settings on SonicWall Appliance
- Navigate to Manage | System Setup | Users | Settings . In the User authentication method from the drop-down list, select LDAP + Local Users and click Configure LDAP.
- On the LDAP Configuration window that opened, click ADD to set up a new LDAP server.
On the Schema tab
- Select the LDAP schema EXAMPLE: Microsoft Active Directory. Additionally, one might consider updating the schema by clicking READ FROM SERVER followed by Automatically update the server's schema configuration .
On the Directory tab
In the Genera Settings tab of LDAP Configuration window: select
- Protocol version: LDAP version 3.
- Select Require valid certificate from the server when using TLS.
- Local certificate for TLS : Optional, to be used only if the LDAP server requires a client certificate for connections. Useful for LDAP server implementations that return passwords to ensure the identity of the LDAP client (Active Directory does not return passwords). This setting is not required for Active Directory. Leave this option to None.
On the Users & Groups tab
- Default LDAP User Group : Trusted Group
- Click OK which will open an window where you an choose which groups import.
- The LDAP Configuration window allows one to test LDAP users as summarized below.
- SonicOS 6.5 LDAP Test has a newer feature where one can do an LDAP search for a user or usergroup as summarized below.