LDAP Integration in SonicOS 6.5 and above
02/19/2020
This article describes LDAP integration in SonicOS 6.5 and walks through an example in which LDAP client authentication fails.
- LDAP integration in SonicOS 6.5
- LDAP Client Authentication Failed.
- Click Manage in the top navigation menu.
- Navigate to Users | Settings | Authentication and select LDAP + Local Users and click Configure LDAP.
TIP: If you are connected to your SonicWall appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the “Do not show this message again” box and click Yes.
NOTE: SonicOS 6.5 introduces support for user authentication partitioning and multiple LDAP servers; multiple LDAP servers are supported on all platforms. For more information about user authentication partitioning and multiple LDAP servers, see Authentication Partitioning and Multiple LDAP Servers.
- On the Settings page, click LDAP Servers, then click Add to enter the server configuration.
LDAP Authentication Failed
Overview of LDAP Authentication process
- The SonicWall establishes a TCP connection with the LDAP server on port 389 (or 636 if using TLS).
- The SonicWall binds to the LDAP server, authenticating itself with a DN (Distinguished Name) built from the Login user name (Settings tab) and the User tree for login to server (Directory tab). In this example, the name in the LDAP bindRequest is cn=Administrator,cn=Users,dc=mydomain,dc=com.
- If the bindResponse from the LDAP server is 'success', then the SonicWall queries the Trees containing users (Directory tab) using the client's username as a filter. In this example, the client is trying to authenticate as oprime, so the SonicWall will query the baseObject "cn=Users,dc=mydomain,dc=com" using the filter sAMAccountName=oprime.
- The LDAP server replies with the user's full DN, which will look something like cn=Optimus Prime,cn=Users,dc=mydomain,dc=com.
- Now that the SonicWall has the full DN of the user, it establishes a new TCP connection with the LDAP server on port 389 (or 636 if using TLS) so it can try to authenticate as the user. The SonicWall sends a bindRequest to the server, using the full DN of the user (cn=Optimus Prime,cn=Users,dc=mydomain,dc=com).
- The LDAP server responds with resultCode: success. The SonicWall then reads which groups the user is a member of, and the user's authentication is complete.
TIP: The error message LDAP client authentication failed means that authenticating with the client's username and password failed, as opposed to the SonicWall's own bind with the Login user name. This can happen when any of the following conditions apply.
EXAMPLE: Troubleshooting steps
- The user does not exist, or does not reside in one of the Trees containing users (Directory tab). Check the LDAP server to confirm that the user object exists in one of the Trees containing users and that its name is spelled correctly.
- The password is incorrect. Double-check the user's password.
- There are special characters in the username or password. Most special characters are fine, but some can cause problems with the bindRequest (for example !, @, ' and ,). To rule this out, test authentication with an account whose username and password contain no special characters.
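The six-step exchange above and the three failure causes listed here, as an added example that is not part of the SonicWall article or of SonicOS itself: a Python model of the search-then-bind flow, run against a constructed in-memory directory so that no real LDAP server, network connection or TLS is involved. The directory entries, the login account cn=Administrator, the user tree cn=Users,dc=mydomain,dc=com, the passwords and the function names (sonicwall_ldap_auth, escape_filter_value, InMemoryLdapServer) are all assumptions made for this illustration. The result records which step failed, which is the question a packet capture answers when the firewall only reports "LDAP client authentication failed".

```python
"""Added example: the search-then-bind sequence SonicOS uses for LDAP user
authentication, modelled against a small in-memory directory so it runs offline.
The directory contents and passwords below are constructed sample data."""
import re
from dataclasses import dataclass, field

# Constructed sample directory (DN -> attributes), using the article's example names.
# "Megatron" sits under ou=Staff, i.e. outside the configured "Trees containing users".
DIRECTORY = {
    "cn=Administrator,cn=Users,dc=mydomain,dc=com": {
        "sAMAccountName": "Administrator", "userPassword": "Adm1nPass",
        "memberOf": ["cn=Domain Admins,cn=Users,dc=mydomain,dc=com"]},
    "cn=Optimus Prime,cn=Users,dc=mydomain,dc=com": {
        "sAMAccountName": "oprime", "userPassword": "R0ll-out!",
        "memberOf": ["cn=Autobots,cn=Users,dc=mydomain,dc=com"]},
    "cn=Megatron,ou=Staff,dc=mydomain,dc=com": {
        "sAMAccountName": "megatron", "userPassword": "Decept1con", "memberOf": []},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so that a
    username containing * ( ) or \\ cannot change the meaning of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


class InMemoryLdapServer:
    """Just enough of an LDAP server to answer the bind and search used here."""

    def bind(self, dn: str, password: str) -> bool:
        # Models bindResponse: True = resultCode success, False = invalidCredentials.
        entry = DIRECTORY.get(dn)
        return entry is not None and entry["userPassword"] == password

    def search(self, base: str, flt: str) -> list:
        """Subtree search under base for a simple (attr=value) equality filter."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
        if not m:
            raise ValueError("unsupported filter: " + flt)
        attr, raw = m.groups()
        # Undo RFC 4515 escaping (\xx) before comparing attribute values.
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
        base_l = base.lower()
        return [dn for dn, attrs in DIRECTORY.items()
                if (dn.lower() == base_l or dn.lower().endswith("," + base_l))
                and attrs.get(attr) == value]

    def read_attribute(self, dn: str, attr: str) -> list:
        return list(DIRECTORY[dn].get(attr, []))


@dataclass
class AuthResult:
    ok: bool
    stage: str          # the step that decided the outcome: server_bind, search or user_bind
    detail: str
    user_dn: str = ""
    groups: list = field(default_factory=list)


def sonicwall_ldap_auth(server, login_name, login_password, user_tree_for_login,
                        user_trees, username, password) -> AuthResult:
    """Reproduce the article's six steps and report which one failed."""
    # Steps 1-2: bind as the appliance's own account; DN = cn=<Login user name>,<User tree for login>.
    bind_dn = f"cn={login_name},{user_tree_for_login}"
    if not server.bind(bind_dn, login_password):
        return AuthResult(False, "server_bind",
                          f"bindRequest as {bind_dn} failed; check the Settings tab credentials")
    # Step 3: search every configured "Trees containing users" for the client's username.
    flt = f"(sAMAccountName={escape_filter_value(username)})"
    matches = [dn for tree in user_trees for dn in server.search(tree, flt)]
    if not matches:
        return AuthResult(False, "search",
                          f"no object matching {flt} under {user_trees}; LDAP client authentication failed")
    user_dn = matches[0]  # step 4: the server returned the user's full DN
    # Step 5: new connection, bind as the user's full DN with the password the client typed.
    # An empty password is refused before it is sent: most servers treat it as an
    # anonymous (unauthenticated) bind and answer success, which must not count as a login.
    if not password or not server.bind(user_dn, password):
        return AuthResult(False, "user_bind",
                          f"bindRequest as {user_dn} returned invalidCredentials; LDAP client authentication failed")
    # Step 6: success; read the user's group membership for policy decisions.
    return AuthResult(True, "user_bind", "success", user_dn, server.read_attribute(user_dn, "memberOf"))


if __name__ == "__main__":
    srv = InMemoryLdapServer()
    tree = "cn=Users,dc=mydomain,dc=com"
    for user, pw in [("oprime", "R0ll-out!"), ("oprime", "wrong"), ("megatron", "Decept1con"), ("nobody", "x")]:
        r = sonicwall_ldap_auth(srv, "Administrator", "Adm1nPass", tree, [tree], user, pw)
        print(f"{user:9} ok={r.ok} stage={r.stage} {r.detail}")
```

Running the block shows the same failures the troubleshooting list describes: megatron fails at the search stage because his object is outside the configured tree (adding ou=Staff,dc=mydomain,dc=com to the trees makes him authenticate), while a wrong password fails at the second bind. Two points the firewall's single error message hides are made explicit here: the client's username goes into a search filter, so it is escaped per RFC 4515, and an empty password is rejected locally rather than sent as a bind. Against a real server, the same two-phase check can be reproduced with ldapsearch (bind with -D and -W as the login account, search with -b set to the user tree) and then a second bind as the returned DN.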