How to integrate LDAP/Active Directory user authentication?

09/27/2023 2,483 People found this article helpful 534,561 Views

Description

This article covers how to integrate LDAP/Active Directory with a SonicWall firewall.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Navigate to Device | Users | Settings page.
In the authentication method for login drop-down list, select LDAP + Local Users and Click Configure LDAP.
If you are connected to your SonicWall appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to
change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the Do not show this message again box and click Yes
On the Settings tab of the LDAP Configuration window, configure the following fields.

Name or IP address: The FQDN or the IP address of the LDAP server against which you wish to authenticate. If using a name, be certain that it can be resolved by your DNS server. IP address
of the LDAP server .
Port Number: The default LDAP over TLS port number is TCP 636. The default LDAP (unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP server,
specify it here.
Server timeout (seconds): The amount of time, in seconds, that the SonicWall will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999, with a default of 10 seconds.
Overall operation timeout (minutes): 5(Default).
Anonymous Login – Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (Active Directory generally does not), then you may select this option.
Login User Name – Specify a user name that has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full ‘dn’ notation.
This can be any account with LDAP read privileges (essentially any user account) – Domain Administrative privileges are not required. Note that this is the user’s display name, not their login ID.
Login Password – The password for the user account specified above.
Protocol Version – Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP, including Active Directory, employ LDAPv3.
Use TL(SSL) : Use Transport Layer Security (SSL) to log in to the LDAP server.

On the Directory tab, configure the following fields:

Primary domain: The user domain used by your LDAP implementation.
User tree for login to server: The location of where the tree is that the user specified in the settings tab.
Click on Auto-configure.
Select Append to Existing trees and Click OK.

TIP: This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects.
On the Schema tab, configure LDAP Schema: Microsoft Active Directory .
On the LDAP Users tab, configure Default LDAP User Group : Trusted Group.

How to Test

On the LDAP Test tab, test a Username and Password in Active directory to make sure that the communication is successful.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Navigate to Manage | Users | Settings page.
In the authentication method for login drop-down list, select LDAP + Local Users and Click Configure LDAP.
If you are connected to your SonicWall appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the Do not show this message again box and click Yes.
On the Settings tab of the LDAP Configuration window, configure the following fields.
1. - Name or IP address: The FQDN or the IP address of the LDAP server against which you wish to authenticate. If using a name, be certain that it can be resolved by your DNS server. IP address
    of the LDAP server .
  - Port Number: The default LDAP over TLS port number is TCP 636. The default LDAP (unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP server,
    specify it here.
  - Server timeout (seconds): The amount of time, in seconds, that the SonicWall will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999, with a default of 10 seconds.
    Overall operation timeout (minutes): 5(Default).
  - Anonymous Login – Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (Active Directory generally does not), then you may select this option.
  - Login User Name – Specify a user name that has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full ‘dn’ notation.
    This can be any account with LDAP read privileges (essentially any user account) – Domain Administrative privileges are not required. Note that this is the user’s display name, not their login ID.
  - Login Password – The password for the user account specified above.
  - Protocol Version – Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP, including Active Directory, employ LDAPv3.
  - Use TL(SSL) : Use Transport Layer Security (SSL) to log in to the LDAP server.
2. On the Directory tab, configure the following fields:
- Primary domain: The user domain used by your LDAP implementation.
- User tree for login to server: The location of where the tree is that the user specified in the settings tab.
- Click on Auto-configure.
- Select Append to Existing trees and Click OK.
  
  TIP: This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects.
On the Schema tab, configure LDAP Schema: Microsoft Active Directory .
On the LDAP Users tab, configure Default LDAP User Group : Trusted Group.