Secure Mobile Access 12.4 Administration Guide

Configuring LDAP with Username and Password

Remember the following when configuring LDAP:

  • The Notify user before password expires and Allow user to change password when notified settings in the Password management area have some constraints:

    • They are supported only on IBM Directory Server.

    • They are available only for users who connect to the appliance using Web access (the translated, custom port mapped, or custom FQDN mapped Web access), or using Connect Tunnel.

    • Users must have permission on the LDAP server to change their passwords.

  • The Login DN and Password fields are not always required in order to connect to an LDAP server. However, if they are not provided (or you do not specify a password), the appliance binds to LDAP anonymously, which does not usually provide the appropriate permissions for performing user and group information searches.

  • If you define multiple LDAPS servers, you should also configure the Match certificate CN against LDAP server name setting to be the same for each realm. (Enabling this option is recommended in a production environment.) Although AMC allows you to configure this setting per realm, the appliance actually uses the setting configured in the last loaded LDAPS realm. In other words, if you selected this checkbox for three LDAPS servers, but cleared it for a fourth LDAPS realm, the functionality would be disabled for all four servers.
  • Configuring an LDAP authentication server with digital certificate validation is offered for legacy customers. New users should use the standard method described in Configuring a PKI Authentication Server.

To configure an LDAP authentication server with username and password validation

  1. In the AMC, navigate to System Configuration > Authentication Servers.

  2. Click New.

  3. Under Authentication directory, click LDAP.

  4. Under Credential type, click Username/Password, and then click Continue.

    The Edit Authentication Server page displays.

  5. In the Name field, type a name for the authentication server.

  6. Complete the information listed under General:

    • In the Primary LDAP server field, type the host name or IP address of your LDAP server. If you are using a failover server (optional), specify its address in the Secondary LDAP server field.

      If the LDAP server is listening on something other than the well-known port (389 for unencrypted LDAP connections, or 636 for SSL connections), specify the port number as a colon-delimited suffix (for example, myldap.example.com:1300).

    • In the Login DN field, type the distinguished name (DN) used to establish a connection with the LDAP server.
    • In the Password field, type the password used to establish a connection with the LDAP server.

    • In the Search base field, type the point in the LDAP directory from which you want to begin searching for user information. This will usually be the lowest point in the directory tree that contains user information. For example, you might type ou=Users,o=xyz.com. The user binding to the LDAP directory must have permissions to view the directory at this level.
    • In the Username attribute field, type the attribute used to match usernames. This is usually cn or uid.
    • Click the Test button for each server you specified in order to test the connection.

  7. Complete the information listed under Group lookup:

    • To enable group checking on this server, select the Use this authentication server to check group membership checkbox. When this checkbox is unchecked, the nested controls are disabled because they apply only to group checking behavior. This checkbox, when unselected, allows an authentication server for LDAP, AD, or AD-Tree to be configured without enabling it for authorization checks. This improves efficiency by allowing better stacked/affinity authentication support.
    • If you want the LDAP search to determine a user’s group membership by searching the group attribute in the user container, select the Find groups in which a user is a member checkbox and then type the Group attribute. This attribute is most often memberOf. Do not select this checkbox unless attribute-based groups are supported by and enabled on your LDAP server.
    • If your LDAP server does not support attribute-based groups or you have not enabled this functionality, you can select the Look in static groups for user members checkbox; to specify the depth of the search (how many levels of sub-groups to include), enter a number in the Nested group lookup field. Be aware that this type of search can take some time because it requires searching the entire LDAP tree; enabling Cache group checking is highly recommended.
    • To reduce the load on your directory and get better performance, cache the attribute group or static group search results. Select the Cache group checking checkbox and then specify a Cache lifetime, in seconds. The default value is 1800 seconds (30 minutes).
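The following is an added example, not SonicWall's code, showing the lookups that the Search base, Username attribute and Group lookup settings in steps 6 and 7 drive. It runs against a small constructed in-memory directory instead of a live LDAP server; the entry DNs, the groupOfNames/member and memberOf attribute names, and the rule that Nested group lookup counts levels beyond direct membership are assumptions made for the illustration. It also shows why the username must be escaped before it is placed in a search filter, which is the part of this lookup most often done wrong.

```python
"""Added example (not SonicWall's code): Search base, Username attribute and
Group lookup behaviour over a constructed in-memory directory."""
from __future__ import annotations

# Constructed sample directory: DN -> attributes.
DIRECTORY: dict[str, dict[str, list[str]]] = {
    "uid=alice,ou=Users,o=xyz.com": {
        "objectClass": ["person"], "uid": ["alice"],
        "memberOf": ["cn=vpn-users,ou=Groups,o=xyz.com"],
    },
    "uid=bob,ou=Users,o=xyz.com": {"objectClass": ["person"], "uid": ["bob"]},
    # Same uid outside ou=Users: a Search base of ou=Users,o=xyz.com must not see it.
    "uid=bob,ou=Service,o=xyz.com": {"objectClass": ["person"], "uid": ["bob"]},
    "cn=vpn-users,ou=Groups,o=xyz.com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=Users,o=xyz.com", "cn=admins,ou=Groups,o=xyz.com"],
    },
    "cn=admins,ou=Groups,o=xyz.com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=Users,o=xyz.com"],
    },
}

# RFC 4515 escaping for values placed inside a search filter. Without it a
# username such as "*)(uid=*" turns the lookup into a filter that matches
# every user (LDAP filter injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username_attribute: str, username: str) -> str:
    """Filter string to send to a real server for the configured Username attribute."""
    return f"(&(objectClass=person)({username_attribute}={escape_filter_value(username)}))"


def _under(dn: str, search_base: str) -> bool:
    return dn.lower().endswith("," + search_base.lower())


def find_user_dn(search_base: str, username_attribute: str, username: str) -> str | None:
    """Equality match on the raw username, limited to the Search base subtree.
    Exactly one hit is required: an ambiguous match is treated as no match."""
    hits = [
        dn for dn, attrs in DIRECTORY.items()
        if _under(dn, search_base)
        and "person" in attrs.get("objectClass", [])
        and username in attrs.get(username_attribute, [])
    ]
    return hits[0] if len(hits) == 1 else None


def attribute_groups(user_dn: str, group_attribute: str = "memberOf") -> set[str]:
    """'Find groups in which a user is a member': read the group attribute on the user entry."""
    return set(DIRECTORY.get(user_dn, {}).get(group_attribute, []))


def static_groups(user_dn: str, nested_depth: int = 0) -> set[str]:
    """'Look in static groups for user members': scan every group's member list
    for the DN, then repeat nested_depth times for the groups found so far.
    Assumption: nested_depth counts levels beyond direct membership."""
    found: set[str] = set()
    frontier = {user_dn}
    for _ in range(nested_depth + 1):
        parents = {
            dn for dn, attrs in DIRECTORY.items()
            if "groupOfNames" in attrs.get("objectClass", [])
            and any(m in frontier for m in attrs.get("member", []))
        }
        frontier = parents - found      # 'found' doubles as the cycle guard
        if not frontier:
            break
        found |= frontier
    return found


if __name__ == "__main__":
    print(user_filter("uid", "*)(uid=*"))
    dn = find_user_dn("ou=Users,o=xyz.com", "uid", "bob")
    print(dn, static_groups(dn, nested_depth=1))
```

Two things the code makes concrete: widening the Search base to o=xyz.com makes the lookup for bob ambiguous and therefore fail, and every extra level of Nested group lookup is another full scan of the group entries, which is why caching the result is recommended.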
  8. To secure the LDAP connection with SSL, complete the information under LDAP over SSL:

    • To secure the LDAP connection with SSL, select the Use SSL to secure LDAP connection checkbox.

    • View your certificate details and verify that the root certificate can be used by the appliance. See Importing CA Certificates for details.

    • To configure the appliance to verify that the LDAP host name is the same as the name in the certificate presented by the LDAP server, select the Match certificate CN against LDAP server name checkbox. Typically, your server name will match the name specified in its digital certificate. If this is the case with your server, SonicWall recommends enabling this option in a production environment. This makes it more difficult for an unauthorized server to masquerade as your LDAP server if your digital certificate or DNS server is compromised.
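The following is an added example, not SonicWall's code, that writes out the name check the Match certificate CN against LDAP server name setting implies. The page does not document the appliance's exact matching rules, so the function follows the standard RFC 6125 behaviour as an assumption: an IP literal is matched only against iPAddress SAN entries, dNSName SAN entries take precedence over the CN, and a wildcard is honoured only as the entire leftmost label. The certificate names are passed in as already-parsed strings, and the port-suffix handling matches the myldap.example.com:1300 form used in step 6.

```python
"""Added example (not SonicWall's code): server name versus certificate name
matching as the 'Match certificate CN against LDAP server name' option implies."""
from __future__ import annotations
import ipaddress


def strip_port(server: str) -> str:
    """Drop the colon-delimited port suffix from a Primary/Secondary LDAP server value."""
    if server.startswith("["):                       # [IPv6]:port
        return server[1:server.index("]")]
    host, sep, port = server.rpartition(":")
    if sep and port.isdigit() and ":" not in host:   # exactly one colon -> host:port
        return host
    return server


def _dns_match(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard that is the whole leftmost label (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False          # no partial-label wildcards, no "*.com", no extra labels
    return p_labels[1:] == h_labels[1:]


def server_name_matches_certificate(server: str, san_dns: list[str],
                                    san_ip: list[str], subject_cn: str | None) -> bool:
    host = strip_port(server)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # A server configured by address is matched only against iPAddress SAN
        # entries, never the CN: a certificate issued for the hostname does not
        # validate a connection configured by IP.
        return any(ipaddress.ip_address(s) == ip for s in san_ip)
    if san_dns:
        return any(_dns_match(p, host) for p in san_dns)
    # Legacy fallback: the CN is consulted only when the cert has no dNSName SAN.
    return subject_cn is not None and _dns_match(subject_cn, host)
```

The practical consequence: if the Primary LDAP server field holds an IP address, enabling this option fails the connection unless the LDAP server's certificate carries that address as a SAN, so configure the server by the DNS name that appears in its certificate.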

  9. Optionally, complete the information listed under Advanced.

    • When an LDAP server cannot answer a client’s query, you can refer it to other LDAP servers by selecting the Enable LDAP referrals checkbox. Use caution when enabling this feature because it can slow down the authentication process. If you are configuring LDAP to authenticate against Microsoft Active Directory, you may want to disable this feature.
    • In the Server timeout field, type the number of seconds to wait for a reply from the LDAP server. The default value is 60 (one minute).
    • To change the prompts and other text that Windows users see when they log in to the authentication server, select the Customize authentication server prompts checkbox. The page title, message, and login prompts can all be customized. If users log in using a PIN as a password, for example, change the text for the Proof prompt from Password: to PIN: (a customized Message could explain how to retrieve a forgotten PIN).
    • You can allow users to change their passwords (in WorkPlace only) by selecting Enable user-initiated password change. If a realm is configured with stacked authentication and requires two sets of username/password credentials, a user who changes his or her password will be changing the credentials for just the first of the two authentication servers.

    • To allow the LDAP server to notify users that their passwords are going to expire, select the Notify user before password expires checkbox. To also permit them to change their passwords when prompted by the LDAP server, select the Allow user to change password when notified checkbox. The password prompt users see is controlled by the LDAP server.
    • To enable NTLM authentication forwarding, click one of the Domain authentication forwarding options. For more information, see NTLM Authentication Forwarding.

  10. To configure authentication that includes an OTP, enable Use one-time passwords with this authentication server.

    • To send OTP through Email/SMTP, you must configure the SMTP service. For more details, see Configuring SMTP to Deliver One-Time Passwords.
    • Enter the number of characters for the OTP in the Password contains field. The default length is 8, the minimum is 4, and the maximum is 20.
    • Select the type of characters in the OTP from the drop-down list. Select Alphabetic, Alphabetic and numeric, or Numeric.
    • In the From address field, enter the email address from which the OTP will be sent.

    • In the Primary email address attribute box, enter the directory attribute for the email address to which one-time passwords will be sent. If the primary attribute exists on the authentication server, it is used.
    • The Secondary email address attribute, if specified, is used in addition to the primary email address. The OTP is sent to both addresses.

      To have OTPs sent as a text message (instead of an email message), enter the corresponding attribute name (for example, SMSphone instead of Mail or primaryEmail). See Configuring the AD or LDAP Directory Server for more information.

    • In the Subject field, customize the subject line of the OTP email. You can use the replacement variable {password} to indicate a position in the subject line where the actual password will display.
    • In the Body field, customize the body of the OTP message. Use the replacement variable {username} to indicate a position in the message where the user’s account name will display. Use the replacement variable {password} to indicate a position in the message where the actual password will display.
    • To test delivery of an OTP to a user, enter the email address of the user who will receive the OTP into the Email address field and click the Send test message button. If the appliance is able to send the message, the status Message successfully sent is displayed below the button. Failure messages are also displayed below the button, such as errors connecting to the SMTP server, or errors communicating with the AD/LDAP server or looking up the specified user on the AD/LDAP server.

    You can configure OTP to be delivered through both SMS and Email, through SMS only, or through Email only. When both channels are enabled, the same OTP is delivered through both.

    • To send OTP through SMS, you must configure the SMS service. For more details, see Configuring an Authentication Server for One-Time Passwords.
    • Enable Send password via text message using SMS option.
    • Enter the number of characters for the OTP in the Password field. The default length is 8, the minimum is 4, and the maximum is 20.
    • Select the type of characters in the OTP from the drop-down menu. Select Alphabetic, Alphabetic and numeric, or Numeric.
    • Choose the masking level for the user's phone number shown on the authentication page after the OTP is sent. This lets the user confirm which number the OTP went to without exposing the whole number.
      • Choose Partial to display only part of the phone number.
      • Choose None to display the whole phone number.
      • Choose Full to hide the phone number entirely.
    • In the Phone number attribute field, enter the directory attribute for the phone number to which one-time passwords will be sent.
    • In the Message field, customize the body of the OTP message. Use the replacement variable {username} to indicate a position in the message where the user’s account name will display. Use the replacement variable {password} to indicate a position in the message where the actual password will display.
    • To test delivery of an OTP to a user, enter the phone number of the user who will receive the OTP into the Phone number field and click the Send test message button. If the appliance is able to send the message, the status Message successfully sent is displayed below the button. Failure messages are also displayed below the button, such as errors connecting to the SMS gateway server.
    • To use time-based OTP (TOTP), you must enable Use the configured TOTP service under Authentication servers. For more details, see Configuring Time-Based One-Time Passwords Settings.

    When you upgrade from a prior version of SMA to 12.4, the TOTP service and its configuration are moved automatically from the global configuration to the authentication server.

    • Select the Use the configured TOTP service option. The password is generated by the user's authenticator application.
    • In the Service name field, you can give this authentication server an individual name. This optional name is displayed in the authenticator application along with the account name, to distinguish this service from others that also use TOTP.
    • To let users deregister their TOTP account, enable Allow user to deregister account. This adds an option in WorkPlace for the user to deregister.
    • Backup codes can be used when the user does not have access to their authenticator application. Available codes are displayed in WorkPlace, and the user can generate a new set of codes at most once in 24 hours. To offer backup codes to users, enable Use back-up codes.
    • To restrict TOTP registration to trusted networks, click the + icon and add the networks from which users are allowed to perform application-based TOTP registration.

    If you have not configured any trusted networks, TOTP account registration is allowed from any network.
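The following is an added example, not SonicWall's code, showing the mechanics behind the TOTP settings in step 10: the code the user's authenticator application generates, how a verifier accepts it with a small clock-skew window without allowing replay, what the Service name label becomes in the provisioning URI, and single-use backup codes that can be regenerated at most once in 24 hours. The TOTP parameters (SHA-1, 30-second step, 6 digits, one step of skew either way) are the usual authenticator-app defaults and are assumptions; the page does not state what the appliance uses. The RFC 6238 test secret is used as the constructed input.

```python
"""Added example (not SonicWall's code): TOTP generation/verification,
provisioning URI, and single-use backup codes."""
from __future__ import annotations
import base64
import hashlib
import hmac
import secrets
import string
import struct
from urllib.parse import quote

STEP = 30          # assumed time step, seconds
SKEW_STEPS = 1     # assumed tolerance: one step before/after


def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238: HOTP over the 8-byte big-endian time counter, SHA-1 by default."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, candidate: str, now: int, last_counter: int = -1) -> int | None:
    """Return the accepted time counter, or None. The caller stores the returned
    counter and passes it back as last_counter so a code cannot be replayed
    inside the skew window."""
    for drift in range(-SKEW_STEPS, SKEW_STEPS + 1):
        counter = now // STEP + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(totp(secret, counter * STEP), candidate):
            return counter
    return None


def provisioning_uri(service_name: str, account: str, secret: bytes) -> str:
    """What a registration QR code encodes; service_name is the issuer label the
    authenticator shows next to the account name."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{service_name}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(service_name)}"


class BackupCodes:
    """Single-use fallback codes; a new set may be generated at most once per 24 h."""
    REGEN_INTERVAL = 24 * 3600

    def __init__(self, count: int = 10, length: int = 8, alphabet: str = string.digits) -> None:
        self.count, self.length, self.alphabet = count, length, alphabet
        self._hashes: set[str] = set()
        self._generated_at: int | None = None

    def generate(self, now: int) -> list[str]:
        if self._generated_at is not None and now - self._generated_at < self.REGEN_INTERVAL:
            raise PermissionError("backup codes can only be regenerated once in 24 hours")
        # secrets, not random: these codes are authentication credentials.
        codes = ["".join(secrets.choice(self.alphabet) for _ in range(self.length))
                 for _ in range(self.count)]
        # Store only digests; the plaintext codes are shown to the user once.
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        self._generated_at = now
        return codes

    def redeem(self, code: str) -> bool:
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._hashes:
            self._hashes.remove(digest)      # each code works exactly once
            return True
        return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"       # RFC 6238 test secret
    print(totp(SECRET, 59, digits=8))      # RFC vector for T=59
    print(provisioning_uri("ACME VPN", "alice", SECRET))
```

Because a backup code has far less entropy than a TOTP secret (an 8-digit code is under 27 bits), the verifier that checks them must also rate-limit attempts per account; the single-use and 24-hour rules above do not replace that.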

  11. Click Save.
