Secure Mobile Access 12.5 Administration Guide

Configuring LDAP with Digital Certificates

To configure an LDAP authentication server with digital certificates

  1. In the AMC, navigate to System Configuration > Authentication Servers.

  2. Click New.

  3. Under Authentication directory, click LDAP.

  4. In the Name field, type a name for the authentication server.

  5. Complete the information listed under General:

    1. In the Primary LDAP server field, type the host name or IP address of your LDAP server. If you are using a failover server (optional), specify its address in the Secondary LDAP server field.
    2. If the LDAP server is listening on something other than the well-known port (389 for unencrypted LDAP connections, or 636 for SSL connections), specify the port number as a colon-delimited suffix (for example, myldap.example.com:1300).

    3. In the Login DN field, type the distinguished name (DN) used to establish a connection with the LDAP server.
    4. In the Password field, type the password used to establish a connection with the LDAP server.

    5. In the Search base field, type the point in the LDAP directory from which you want to begin searching for user information. This will usually be the lowest point in the directory tree that contains user information. For example, you might type ou=Users,o=xyz.com. The user binding to the LDAP directory must have permission to view the directory at this level.
    6. Select the Trust intermediate CAs without verifying the entire chain option to trust certificates signed by intermediate Certificate Authorities (CAs) without requiring validation of the entire certificate chain back to a trusted root CA. Enabling this option streamlines certificate validation and simplifies certificate management, especially in environments where only specific intermediate CAs are trusted.
  6. Complete the information listed under Matching LDAP attributes:

    1. In the Certificate attribute field, enter the LDAP attribute used to store user certificates, typically userCertificate;binary.
    2. In the Attribute mapping field, map the user ID in a digital certificate (cn or uid) to the corresponding ID in the LDAP directory, so that the identity in the certificate and the identity in the directory agree for authentication and authorization.
    3. In the Username attribute field, enter the user's distinguished name (DN) used for single sign-on (SSO). The system uses this attribute to recognize and verify the user by checking specific information, such as a username or email address, during login.
  7. Complete the information listed under Group lookup:

    • To enable group checking on this server, select the Use this authentication server to check group membership checkbox. When this checkbox is unchecked, the nested controls are disabled because they apply only to group checking behavior. This checkbox, when unselected, allows an authentication server for LDAP, AD, or AD-Advanced to be configured without enabling it for authorization checks. This improves efficiency by allowing better stacked/affinity authentication support.
    • If you want the LDAP search to determine a user’s group membership by searching the group attribute in the user container, select the Find groups in which a user is a member checkbox and then type the Group attribute. This attribute is most often memberOf. Do not select this checkbox unless attribute-based groups are supported by and enabled on your LDAP server.
    • If your LDAP server does not support attribute-based groups or you have not enabled this functionality, you can select the Look in static groups for user members checkbox; to specify the depth of the search (how many sub-groups to include in the search), enter a number in the Nested group lookup field. Be aware that this type of search can take some time because it requires searching the entire LDAP tree; enabling Cache group checking is highly recommended.
    • To reduce the load on your directory and get better performance, cache the attribute group or static group search results. Select the Cache group checking checkbox and then specify a Cache lifetime, in seconds. The default value is 1800 seconds (30 minutes).
  8. To secure the LDAP connection with SSL, complete the information under LDAP over SSL:

    • To secure the LDAP connection with SSL, select the Use SSL to secure LDAP connection checkbox.

    • View your certificate details and verify that the root certificate can be used by the appliance. See Importing CA Certificates for details.

    • To configure the appliance to verify that the LDAP host name is the same as the name in the certificate presented by the LDAP server, select the Match certificate CN against LDAP server name checkbox. Typically, your server name will match the name specified in its digital certificate. If this is the case with your server, SonicWall recommends enabling this option in a production environment. This makes it more difficult for an unauthorized server to masquerade as your LDAP server if your digital certificate or DNS server is compromised.

  9. Optionally, complete the information listed under Advanced.

    • When an LDAP server cannot answer a client’s query, you can refer it to other LDAP servers by selecting the Enable LDAP referrals checkbox. Use caution when enabling this feature because it can slow down the authentication process. If you are configuring LDAP to authenticate against Microsoft Active Directory, you may want to disable this feature.
  10. Click Save.
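The lookup that steps 5 and 6 configure (search base, certificate attribute, attribute mapping), as an added Python example that is not part of this guide or of SonicWall's code: it escapes the subject value taken from the client certificate before using it in an LDAP filter, limits the search to the configured base, and compares the stored userCertificate;binary value with the presented certificate. The directory entries, the DER byte strings and the already-parsed certificate subject are constructed stand-ins.

```python
import hmac

SEARCH_BASE = "ou=Users,o=xyz.com"          # search base from the guide's example
CERT_ATTRIBUTE = "userCertificate;binary"   # the guide's typical certificate attribute
ATTRIBUTE_MAPPING = ("cn", "uid")           # certificate subject field -> LDAP attribute


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a subject value taken from a client certificate must not
    be able to change the structure of the LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(subject: dict, mapping=ATTRIBUTE_MAPPING) -> str:
    """Filter that looks up the directory entry for the identity in the certificate."""
    cert_field, ldap_attr = mapping
    return "(%s=%s)" % (ldap_attr, escape_filter_value(subject[cert_field]))


def certificate_matches_entry(cert_der: bytes, entry: dict, attr=CERT_ATTRIBUTE) -> bool:
    """True when the presented certificate's DER bytes equal one of the values stored
    in the entry's certificate attribute (constant-time comparison)."""
    return any(hmac.compare_digest(cert_der, stored) for stored in entry.get(attr, []))


def authenticate(subject: dict, cert_der: bytes, directory: list):
    """Simulate the appliance's lookup: search under SEARCH_BASE for the mapped
    attribute, then require the stored certificate to match the presented one.
    Returns the matching entry's DN, or None when no entry qualifies."""
    cert_field, ldap_attr = ATTRIBUTE_MAPPING
    wanted = subject[cert_field]
    for dn, entry in directory:
        if not dn.lower().endswith(SEARCH_BASE.lower()):
            continue                       # entry lies outside the configured search base
        if wanted not in entry.get(ldap_attr, []):
            continue                       # identity in the certificate is not this entry
        if certificate_matches_entry(cert_der, entry):
            return dn
    return None


# Constructed sample directory; the byte strings are placeholders standing in
# for real DER-encoded certificates, not actual certificates.
ALICE_CERT = b"\x30\x82\x02\x10-alice-der-placeholder"
DIRECTORY = [
    ("uid=alice,ou=Service,o=xyz.com", {"uid": ["alice"], CERT_ATTRIBUTE: [ALICE_CERT]}),
    ("uid=alice,ou=Users,o=xyz.com", {"uid": ["alice"], CERT_ATTRIBUTE: [ALICE_CERT]}),
    ("uid=bob,ou=Users,o=xyz.com", {"uid": ["bob"], CERT_ATTRIBUTE: [b"\x30\x82-bob-placeholder"]}),
]
```

The entry under ou=Service is skipped even though its uid and certificate match, which is the effect of a narrow Search base; a certificate whose DER bytes differ from the stored value is rejected regardless of the subject.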