LDAP User Group Mirroring provides automatic duplication of LDAP User Group configurations from an LDAP server to a SonicWall network security appliance. You can manage LDAP User Groups exclusively on the LDAP server, eliminating the need to manually duplicate configurations on the firewall. User group configurations are periodically read from the LDAP server and copied to the firewall.
The LDAP user group names that are copied to the firewall include the domain name in the format name@domain.com. This ensures that user group names from various domains are unique.
These features and restrictions apply to mirrored LDAP user groups:
You can delete LDAP User Groups only on the LDAP server. You cannot delete the mirrored LDAP User Groups on the SonicWall network security appliance. When a user group is deleted on the LDAP server, its mirrored group on the firewall is also deleted automatically.
You can edit LDAP User Group names (and their comment fields) only on the LDAP server. You cannot edit the mirrored LDAP User Group name or its comment field on the firewall. The comment field displays Mirrored from LDAP on the firewall.
You can add users as members of an LDAP User Group on the SonicWall network security appliance.
You can configure features such as VPNs, SSL VPNs, CFS policies, and ISP policies for LDAP User Groups on the SonicWall network security appliance (for more information about policies, see SonicOS 7 Policies).
LDAP User Groups are not deleted if they are configured in any Access Rules, App Control Rules, or other policies.
For groups created before SonicOS 6.2, if a local user group exists on the SonicWall network security appliance with a simple name only (no domain) that matches the name of a user group on the LDAP server (which includes a domain), a new local user group is created on the SonicWall network security appliance and is assigned the same domain as the corresponding user group on the LDAP server. The original local user group is retained with no domain. Users of the original group are given memberships in the LDAP group, the new local mirrored group, and the original local group (with no domain).
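The mirroring rules above (mirrored names carry the domain, deletion follows the LDAP server unless a policy still references the group, members added on the firewall survive a sync, and the pre-6.2 simple-name case) as an added Python model. This is illustrative code written for this page, not SonicOS code; the FirewallGroup structure and the sync_groups function are assumptions that model the documented behaviour.

```python
from dataclasses import dataclass, field


@dataclass
class FirewallGroup:
    """Assumed model of a user group as the firewall would hold it."""
    name: str                 # "sales@example.com" for mirrored groups, "sales" for a legacy local group
    mirrored: bool = False    # True when the group was copied from the LDAP server
    referenced: bool = False  # True when an Access Rule, App Control Rule or other policy uses it
    members: set = field(default_factory=set)
    comment: str = ""


def mirror_name(group: str, domain: str) -> str:
    """Mirrored group names include the domain so the same name in two domains stays unique."""
    return f"{group}@{domain}"


def sync_groups(ldap_groups: dict, firewall: dict) -> dict:
    """Model one mirroring pass.

    ldap_groups: {"example.com": {"sales", "eng"}, ...} as read from the LDAP server.
    firewall:    {name: FirewallGroup} current firewall state; mutated and returned.
    """
    wanted = {mirror_name(g, d) for d, groups in ldap_groups.items() for g in groups}
    # A group deleted on the LDAP server is deleted on the firewall too,
    # unless it is still configured in a policy (then it is retained).
    for name in list(firewall):
        fg = firewall[name]
        if fg.mirrored and name not in wanted and not fg.referenced:
            del firewall[name]
    for domain, groups in ldap_groups.items():
        for g in groups:
            name = mirror_name(g, domain)
            if name not in firewall:
                # Comment is fixed by the firewall; memberships added later on the firewall persist.
                firewall[name] = FirewallGroup(name, mirrored=True, comment="Mirrored from LDAP")
            # Pre-6.2 case: a local group with the simple name (no domain) matches this LDAP group.
            # The original group is kept, and its users also become members of the new mirrored group.
            legacy = firewall.get(g)
            if legacy is not None and not legacy.mirrored:
                firewall[name].members |= legacy.members
    return firewall
```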