Secure Mobile Access 12.4 Administration Guide

Configuring LDAP and LDAPS Authentication

The SMA appliance supports authentication using the LDAP or LDAPS (LDAP over SSL) protocols. Either protocol can be used to validate username and password credentials. The image below shows typical LDAP configuration options.

LDAP and LDAPS authentication configuration options

Securing your LDAP connection with SSL requires additional configuration. You must add the root certificate of the CA that issued your LDAP server's certificate to the SSL trusted root file. This enhances security by preventing attempts to impersonate your LDAP server. For more information, see Importing CA Certificates.

After configuring an LDAP or LDAPS server, you can validate the realm configuration settings by establishing a test connection. For more information, see Testing LDAP and AD Authentication Configurations.

Consider the following restrictions when configuring LDAP authentication:

  • Firewalls and routers - You must configure your firewall or router to allow the appliance to communicate with your LDAP server. Standard LDAP uses port 389/tcp; LDAPS communicates over port 636/tcp.
  • LDAP Affinity servers - Although it is possible to configure LDAP Affinity servers for all authentication servers, an Affinity server should be used only for an authentication server that does not include full group search capabilities, such as a RADIUS, RSA, or PKI server. In addition, Secure Mobile Access does not support Affinity servers for stacked authentication where any one of the authentication servers has group checking capabilities.

    When an Active Directory (AD) server is used as an LDAP server, ACL checks cannot be performed. Short names (SN) or common names (CN) are not supported on LDAP servers. They are only supported on AD servers.

  • Digital certificate validation - Configuring an LDAP authentication server with digital certificate validation is offered for legacy customers. New users should use the standard method described in Configuring a PKI Authentication Server. The Trust intermediate CAs without verifying the entire chain option is offered on the configuration pages for both the LDAP with Digital Certificate option and the Public key infrastructure (PKI) option.
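The firewall and trusted-root requirements above can be checked from an administrator's workstation before the realm's test connection is run. This is an added example, not SonicWall's code; `make_ldaps_context`, `is_strict` and `probe_ldaps` are constructed names, and the host and PEM file path in the usage line are assumptions to replace with your own.

```python
"""Pre-flight LDAPS check from an admin host (constructed example, not SonicWall
code): is 636/tcp open through the firewall, and does the server certificate
chain to the CA root you will import into the SSL trusted root file?"""
import socket
import ssl

LDAP_PORT = 389    # standard LDAP, as stated in the guide
LDAPS_PORT = 636   # LDAP over SSL, as stated in the guide


def make_ldaps_context(ca_file=None):
    """Client context that trusts only chains ending in ca_file (the PEM root
    of the CA that issued the LDAP server certificate); None = OS trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverifiable chain -> handshake fails
    ctx.check_hostname = True            # cert for another name -> fails too
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def is_strict(ctx):
    """True when the context enforces both chain and hostname validation."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def probe_ldaps(host, port=LDAPS_PORT, ca_file=None, timeout=5.0):
    """Return 'ok: <CN>', 'untrusted: <reason>' (chain or name check failed),
    'tls-error: ...' or 'blocked: ...' (no TCP path; check firewall rules)."""
    ctx = make_ldaps_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                rdns = tls.getpeercert()["subject"]
                subject = dict(pair for rdn in rdns for pair in rdn)
                return "ok: " + subject.get("commonName", "?")
    except ssl.SSLCertVerificationError as exc:
        return "untrusted: " + exc.verify_message
    except ssl.SSLError as exc:
        return "tls-error: " + str(exc)
    except OSError as exc:  # refused, timed out or unreachable
        return "blocked: " + str(exc)


if __name__ == "__main__":
    # Assumed values: replace with your LDAP server and the imported root file.
    print(probe_ldaps("ldap.example.com", ca_file="ldap-root-ca.pem"))
```

An "untrusted" verdict with the correct root file means the server presents a certificate that does not chain to that CA or is issued to a different name, which is exactly the impersonation case the trusted root file guards against.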
