How to configure LDAP user authentication

10/14/2021 131 People found this article helpful 187,332 Views

Download

Print

Share

• LinkedIn
• Twitter
• Facebook
• Email
• Copy URL The link has been copied to clipboard

Description

This article covers how to configure LDAP/Active Directory with a SonicWall firewall.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

This article covers how to configure LDAP/Active Directory with a SonicWall firewall.

Integrating your firewall with an LDAP directory service requires configuring your LDAP server for certificate management, installing the correct certificate on your firewall, and configuring the firewall to use the information from the LDAP Server.

Navigate to Device | Users | Settings page.

1. In the authentication method for login drop-down list, select LDAP + Local Users and Click Configure LDAP.
   
   
   

    

2. If you are connected to your SonicWall appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to

   change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the Do not show this message again box and click Yes

3.  

   On the Settings tab of the LDAP Configuration window, configure the following fields.

    

   
    
   
   

• Name or IP address:  The FQDN or the IP address of the LDAP server against which you wish to authenticate. If using a name, be certain that it can be resolved by your DNS server. IP address 
  of the LDAP server .
• Port Number: The default LDAP over TLS port number is TCP 636. The default LDAP (unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP server,
  specify it here.
• Server timeout (seconds): The amount of time, in seconds, that the SonicWall will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999, with a default of 10 seconds.
  Overall operation timeout (minutes): 5(Default).
• Anonymous Login – Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (Active Directory generally does not), then you may select this option.
• Login User Name – Specify a user name that has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full ‘dn’ notation. 
  This can be any account with LDAP read privileges (essentially any user account) – Domain Administrative privileges are not required. Note that this is the user’s display name, not their login ID.
• Login Password – The password for the user account specified above.
• Protocol Version – Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP, including Active Directory, employ LDAPv3.
• Use TL(SSL) : Use Transport Layer Security (SSL) to log in to the LDAP server. 

On the Directory tab, configure the following fields:

•  Primary domain: The user domain used by your LDAP implementation.
• User tree for login to server: The location of where the tree is that the user specified in the settings tab.
• Click on Auto-configure.
• Select Append to Existing trees and Click OK.
  
  
  
  TIP: This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects. 
  
  
• On the Schema tab, configure LDAP Schema: Microsoft Active Directory .
• On the LDAP Users tab, configure Default LDAP User Group : Trusted Group.
  
  
  

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Integrating your firewall with an LDAP directory service requires configuring your LDAP server for certificate management, installing the correct certificate on your firewall, and configuring the firewall to use the information from the LDAP Server.

1. Navigate to Manage | Users | Settings page.
2. In the authentication method for login drop-down list, select LDAP + Local Users and Click Configure LDAP.
   
   
   
3. If you are connected to your SonicWall appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the Do not show this message again box and click Yes.
4. On the Settings tab of the LDAP Configuration window, configure the following fields.
   
   
   1. • Name or IP address:  The FQDN or the IP address of the LDAP server against which you wish to authenticate. If using a name, be certain that it can be resolved by your DNS server. IP address 
        of the LDAP server .
      • Port Number: The default LDAP over TLS port number is TCP 636. The default LDAP (unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP server,
        specify it here.
      • Server timeout (seconds): The amount of time, in seconds, that the SonicWall will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999, with a default of 10 seconds.
        Overall operation timeout (minutes): 5(Default).
      • Anonymous Login – Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (Active Directory generally does not), then you may select this option.
      • Login User Name – Specify a user name that has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full ‘dn’ notation. 
        This can be any account with LDAP read privileges (essentially any user account) – Domain Administrative privileges are not required. Note that this is the user’s display name, not their login ID.
      • Login Password – The password for the user account specified above.
      • Protocol Version – Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP, including Active Directory, employ LDAPv3.
      • Use TL(SSL) : Use Transport Layer Security (SSL) to log in to the LDAP server. 
   2. On the Directory tab, configure the following fields:
      
      
   •  Primary domain: The user domain used by your LDAP implementation.
   • User tree for login to server: The location of where the tree is that the user specified in the settings tab.
   • Click on Auto-configure.
   • Select Append to Existing trees and Click OK.
     
     
     
     

      TIP: This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects.

5. On the Schema tab, configure LDAP Schema: Microsoft Active Directory .
6. On the LDAP Users tab, configure Default LDAP User Group : Trusted Group.

Related Articles

• Bandwidth usage and tracking in SonicWall
• How to force an update of the Security Services Signatures from the Firewall GUI
• Configure Guest VLAN in the TZ firewall, for guest users to access Internet only.

Categories

• Firewalls > TZ Series > User Login
• Firewalls > NSa Series > User Login