Configuring LDAP and LDAPS Authentication
The SMA appliance supports authentication using the LDAP or LDAPS (LDAP over SSL) protocols. Either protocol
can be used to validate username and password credentials. Note that with plain LDAP the simple bind carries the
password across the network in cleartext, so LDAPS should be used wherever the directory supports it. The image
below shows typical LDAP configuration options.
LDAP and LDAPS authentication configuration options
Securing your LDAP connection with SSL requires additional configuration: you must add the root certificate of
the CA that issued your LDAP server certificate to the SSL trusted root file. The appliance then validates the
certificate the LDAP server presents against that root, which prevents an attacker from impersonating your LDAP
server and capturing bind credentials. For more information, see Importing CA Certificates.
After configuring an LDAP or LDAPS server, you can validate the realm configuration settings by establishing a
test connection. For more information, see Testing LDAP and AD Authentication Configurations.
Consider the following restrictions when configuring LDAP authentication:
- Firewalls and routers - You must configure your firewall or router to allow the appliance to communicate
with your LDAP server. Standard LDAP uses port 389/tcp; LDAPS communicates over port 636/tcp.
- LDAP Affinity servers - Although it is possible to configure LDAP Affinity servers for all authentication
servers, an Affinity server should be used only for an authentication server that does not include full
group search capabilities, such as a RADIUS, RSA, or PKI server. In addition, Secure Mobile Access does
not support Affinity servers for stacked authentication where any one of the authentication servers has
group checking capabilities.
- Active Directory used as an LDAP server - When an Active Directory (AD) server is configured as an LDAP
server, ACL checks cannot be performed. Short names (SN) and common names (CN) are not supported on LDAP
servers; they are only supported on AD servers.
- Digital certificate validation - Configuring an LDAP authentication server with digital certificate
validation is offered for legacy customers only. New deployments should use the standard method described in
Configuring a PKI Authentication Server. The Trust intermediate CAs without verifying the entire chain option
appears on the configuration pages for both the LDAP with Digital Certificate option and the Public key
infrastructure (PKI) option. Enabling it means a certificate is accepted without its chain being validated up to
a trusted root, so leave it disabled unless the full chain genuinely cannot be provided.