Integrating LDAP over TLS in SonicOS Enhanced with Windows Server 2008
03/26/2020
Description
Integrating LDAP over TLS in SonicOS Enhanced with Windows Server 2008
Resolution
Feature:
The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA according to the guidelines in this article.
This article illustrates how to integrate LDAP over TLS in SonicWall with a Microsoft Windows Server 2008.
Deployment Prerequisites:
- Microsoft Windows Active Directory Services installed and configured.
- Microsoft Certificate Services installed and configured.
- Microsoft Internet Information Services (IIS) 7.0 installed and configured.
Deployment Steps:
Step 1. Exporting the CA Certificate from the Active Directory Server
Step 2. Importing the CA Certificate onto the SonicWall
Step 3. Configuring LDAP settings on the SonicWall appliance
How to Test
Procedure
Step 1: Exporting the Root CA Certificate from the Active Directory (AD) Server
1. In the AD server, launch the Certificate Authority application by Start > Run > certsrv.msc.
2. Right click on the CA you created and select Properties.
3. On the General tab, click the View Certificate button.
4. On the Details tab, select Copy to File.
5. Follow through the wizard, and select the DER encoded binary X.509 (.cer) format.
6. Click Browse and specify a path and filename to save the certificate.
7. Click on the Next button and click on Finish.
Step 2: Importing the CA Certificate onto the SonicWall
To import the CA certificate onto the SonicWall:
1. Navigate to System > Certificates.
2. Click on Import. Select the certificate file you just exported.
3. Select Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file.
4. Click on Browse and Select the certificate file you just exported from the MS Certificate Authority.
5. Once the root certificate is selected, click on the Import button.
6. Once the CA root certificate is imported, it will be listed under the System > Certificates page with Type shown as CA Certificate.
Step 3: Configuring LDAP settings on the SonicWall appliance
1. Navigate to the Users > Settings page.
2. In the Authentication method for login drop-down list, select LDAP + Local Users and click Configure.
If you are connected to your SonicWall appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the “Do not show this message again” box and click Yes.
3. On the Settings tab of the LDAP Configuration window, configure the following fields:
- Name or IP address: The FQDN of the LDAP server against which you wish to authenticate. When using a name, be certain that it can be resolved by your DNS server. (Using the name of the server is recommended.)
- Port Number: The default LDAP over TLS port number is TCP 636.
- Server timeout (seconds): The amount of time, in seconds, that the SonicWall will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999, with a default of 10 seconds.
- Overall operation timeout (minutes): 5 (default).
- Anonymous Login – Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (Active Directory generally does not), then you may select this option.
- Login User Name – Specify a user name that has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full ‘dn’ notation. This can be any account with LDAP read privileges (essentially any user account) – administrative privileges are not required. Note: This is the user’s Display Name, not their login ID.
- Login Password – The password for the user account specified above.
- Protocol Version – Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP, including Active Directory, employ LDAPv3.
- Use TLS (SSL) – Use Transport Layer Security (TLS) to log in to the LDAP server. It is strongly recommended that TLS be used to protect the username and password information that will be sent across the network. Most modern LDAP server implementations, including Active Directory, support TLS. Deselecting this default setting will display an alert that you must accept to proceed. (Check this option.)
- Send LDAP ‘Start TLS’ Request – Some LDAP server implementations support the Start TLS directive rather than using native LDAP over TLS. This allows the LDAP server to listen on one port (normally 389) for LDAP connections, and to switch to TLS as directed by the client. Active Directory does not use this option, and it should only be selected if required by your LDAP server.
- Require valid certificate from server – Validates the certificate presented by the server during the TLS exchange, matching the name specified above to the name on the certificate. Deselecting this default option will present an alert, but exchanges between the SonicWall and the LDAP server will still use TLS.
- Local certificate for TLS – Optional, to be used only if the LDAP server requires a client certificate for connections. Useful for LDAP server implementations that return passwords to ensure the identity of the LDAP client (Active Directory does not return passwords). This setting is not required for Active Directory.
4. On the Schema tab, configure the following fields:
5. On the Directory tab, configure the following fields:
- Primary domain: The user domain used by your LDAP implementation.
- User tree for login to server: The location of the tree that contains the user specified on the Settings tab.
Click on Auto-configure.
Select Append to existing trees and click OK.
This will populate the Trees containing users and Trees containing user groups fields by scanning through the directory in search of all trees that contain user objects.
6. On the LDAP Users tab, configure the following fields:
How to Test:
On the LDAP Test tab, test a username and password from Active Directory to make sure that the communication is successful.
For troubleshooting LDAP over TLS issues, refer to the KB article Troubleshooting LDAP over TLS integration with SonicWall.
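The following script is an added example, not SonicWall's or Microsoft's code, that reproduces from a workstation what the appliance does once Step 3 is saved and the LDAP Test tab is used: a TLS connection to port 636 that trusts only the root CA exported in Step 1 (the DER .cer file), checks that the certificate name matches the FQDN entered as Name or IP address, and then sends an LDAPv3 simple bind with the login name in full DN notation. It uses only the Python standard library; the LDAP BindRequest and BindResponse are hand-encoded per RFC 4511 BER rules. The host name, DN, password and certificate path in the usage block are placeholders, and the require_valid_cert switch is this example's way of mirroring the Require valid certificate from server checkbox.

```python
import socket
import ssl

# LDAP resultCode values from RFC 4511, section 4.1.9 (subset).
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(tag: int, n: int) -> bytes:
    """Minimal two's-complement encoding for INTEGER (0x02) / ENUMERATED (0x0a)."""
    size = max(1, (n.bit_length() + 8) // 8)
    return _tlv(tag, n.to_bytes(size, "big", signed=True))


def encode_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple password } }."""
    bind_request = (
        _ber_int(0x02, 3)                        # version INTEGER 3 (LDAPv3, as AD expects)
        + _tlv(0x04, bind_dn.encode("utf-8"))    # name: LDAPDN as OCTET STRING
        + _tlv(0x80, password.encode("utf-8"))   # authentication: simple [0] IMPLICIT OCTET STRING
    )
    return _tlv(0x30, _ber_int(0x02, message_id) + _tlv(0x60, bind_request))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                             # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(data: bytes) -> dict:
    """Parse LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got tag 0x{tag:02x}")
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    result = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": result,
        "result_name": RESULT_CODES.get(result, "other"),
        "matched_dn": matched.decode("utf-8", "replace"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def tls_context_from_cer(ca_path: str, require_valid_cert: bool = True) -> ssl.SSLContext:
    """Trust only the root CA exported in Step 1; a DER .cer is converted to PEM in memory.
    require_valid_cert=False mirrors deselecting 'Require valid certificate from server':
    the session is still TLS, but neither the chain nor the host name is checked."""
    with open(ca_path, "rb") as fh:
        raw = fh.read()
    pem = raw.decode() if raw.startswith(b"-----BEGIN") else ssl.DER_cert_to_PEM_cert(raw)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname by default
    ctx.load_verify_locations(cadata=pem)
    if not require_valid_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ldaps_bind_test(host, bind_dn, password, ca_path, port=636, timeout=10, require_valid_cert=True):
    """Native LDAP over TLS on 636 (no StartTLS), one simple bind, decoded BindResponse returned.
    An ssl.SSLCertVerificationError here means the imported CA or the name on the
    server certificate would not satisfy the appliance's certificate check either."""
    ctx = tls_context_from_cer(ca_path, require_valid_cert)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname is the FQDN from 'Name or IP address'; it drives SNI and name matching.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(encode_bind_request(1, bind_dn, password))
            head = tls.recv(2)
            if head[1] & 0x80:
                head += tls.recv(head[1] & 0x7F)
                length = int.from_bytes(head[2:], "big")
            else:
                length = head[1]
            body = b""
            while len(body) < length:
                chunk = tls.recv(length - len(body))
                if not chunk:
                    raise ConnectionError("server closed the connection mid-message")
                body += chunk
            return decode_bind_response(head + body)


if __name__ == "__main__":
    # Placeholder values: your DC's FQDN, the bind user's DN, its password, the .cer from Step 1.
    print(ldaps_bind_test("dc1.example.local", "CN=ldapreader,CN=Users,DC=example,DC=local",
                          "ChangeMe", "ca-root.cer"))
```

A result_code of 0 corresponds to a successful LDAP Test on the appliance; 49 (invalidCredentials) means TLS and the CA trust are fine and only the bind account or password is wrong, which separates certificate problems from credential problems when troubleshooting.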