How to configure LDAP user authentication
08/17/2021 
8 
1586
DESCRIPTION:
This article covers how to configure LDAP/Active Directory with a SonicWall firewall.
RESOLUTION:
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
This article covers how to configure LDAP/Active Directory with a SonicWall firewall.
Integrating your firewall with an LDAP directory service requires configuring your LDAP server for certificate management, installing the correct certificate on your firewall, and configuring the firewall to use the information from the LDAP Server.
Navigate to Device | Users | Settings page.
- In the authentication method for login drop-down list, select LDAP + Local Users and Click Configure LDAP.
- If you are connected to your SonicWall appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to
change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the Do not show this message again box and click Yes
On the Settings tab of the LDAP Configuration window, configure the following fields.
- Name or IP address: The FQDN or the IP address of the LDAP server against which you wish to authenticate. If using a name, be certain that it can be resolved by your DNS server. IP address
of the LDAP server . - Port Number: The default LDAP over TLS port number is TCP 636. The default LDAP (unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP server,
specify it here. - Server timeout (seconds): The amount of time, in seconds, that the SonicWall will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999, with a default of 10 seconds.
Overall operation timeout (minutes): 5(Default). - Anonymous Login – Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (Active Directory generally does not), then you may select this option.
- Login User Name – Specify a user name that has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full ‘dn’ notation.
This can be any account with LDAP read privileges (essentially any user account) – Domain Administrative privileges are not required. Note that this is the user’s display name, not their login ID. - Login Password – The password for the user account specified above.
- Protocol Version – Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP, including Active Directory, employ LDAPv3.
- Use TL(SSL) : Use Transport Layer Security (SSL) to log in to the LDAP server.
On the Directory tab, configure the following fields:
- Primary domain: The user domain used by your LDAP implementation.
- User tree for login to server: The location of where the tree is that the user specified in the settings tab.
- Click on Auto-configure.
- Select Append to Existing trees and Click OK.
TIP: This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects.
- On the Schema tab, configure LDAP Schema: Microsoft Active Directory .
- On the LDAP Users tab, configure Default LDAP User Group : Trusted Group.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Integrating your firewall with an LDAP directory service requires configuring your LDAP server for certificate management, installing the correct certificate on your firewall, and configuring the firewall to use the information from the LDAP Server.
- Navigate to Manage | Users | Settings page.
- In the authentication method for login drop-down list, select LDAP + Local Users and Click Configure LDAP.
- If you are connected to your SonicWall appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the Do not show this message again box and click Yes.
- On the Settings tab of the LDAP Configuration window, configure the following fields.
- Name or IP address: The FQDN or the IP address of the LDAP server against which you wish to authenticate. If using a name, be certain that it can be resolved by your DNS server. IP address
of the LDAP server . - Port Number: The default LDAP over TLS port number is TCP 636. The default LDAP (unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP server,
specify it here. - Server timeout (seconds): The amount of time, in seconds, that the SonicWall will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999, with a default of 10 seconds.
Overall operation timeout (minutes): 5(Default). - Anonymous Login – Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (Active Directory generally does not), then you may select this option.
- Login User Name – Specify a user name that has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full ‘dn’ notation.
This can be any account with LDAP read privileges (essentially any user account) – Domain Administrative privileges are not required. Note that this is the user’s display name, not their login ID. - Login Password – The password for the user account specified above.
- Protocol Version – Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP, including Active Directory, employ LDAPv3.
- Use TL(SSL) : Use Transport Layer Security (SSL) to log in to the LDAP server.
- On the Directory tab, configure the following fields:
- On the Schema tab, configure LDAP Schema: Microsoft Active Directory .
- On the LDAP Users tab, configure Default LDAP User Group : Trusted Group.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
