LDAP (Lightweight Directory Access Protocol) authentication lets SecureSync verify user account credentials against an external LDAP server when a user logs in. The login passwords for user-created accounts are then stored and maintained in a central LDAP server on the network, which greatly simplifies password management: instead of changing a password in every network appliance, you change it once in the LDAP server and the change applies to every appliance that uses that server to authenticate logins.
Before SecureSync can use LDAP authentication, it must be configured with the settings it needs to communicate with the LDAP server(s) on the network.
Caution: If you plan on using LDAP, configure it with diligence. If it is not required, Spectracom recommends keeping LDAP disabled.
Note: In addition to the instructions below, this Technical Note contains further detailed information about LDAP Authentication.
- The LDAP Setup window will display.
- There will be 5 tabs from which to choose:
- Settings: This is where you set up the general LDAP Distinguished Name and Bind settings.
- Security: This is where you upload and manage the CA server certificate, CA client certificate and CA client key.
- Group: This is where you enable/disable group-based authentication.
- Advanced: This is where you set up your search filter(s) and login attribute.
- Servers: This is where you identify the LDAP server to be used.
Under the LDAP Settings tab, set the following parameters:
- Server Type: This must be the correct type—check with your LDAP server administrator if you are not sure which you are using. You have a choice of:
- Active Directory: This will be used when the LDAP server is a Windows server.
- Open LDAP: This will be used when the LDAP server is a Linux/UNIX server.
- Server Base DN: Specifies the default base distinguished name to use for searches. This is the base name to use in the database search. Typically, this is the top-level of the directory tree structure. Your LDAP server administrator will provide this information.
- Bind DN: Enter the Distinguished Name SecureSync binds with. This field is optional if the directory allows anonymous simple authentication. The bind DN can sit at any level of the tree; searches then cover that level and everything below it.
- The bind DN is the account permitted to search the LDAP directory within the defined search base; most of the time it is permitted to search the entire directory. SecureSync uses it to query the directory with the search filter (specified under the Advanced tab) and the search base in order to find the DN of the user who is logging in. Once that DN is returned, SecureSync binds again with the user's DN and password to authenticate the user.
- Bind Password: Enter the password to be used to bind with the LDAP Server. Leave this field empty for anonymous simple authentication.
- NSS Password: Enter the directory location to be used for NSS password lookups. This setting is needed for Windows Active Directory: it specifies which directory on the Active Directory server to search for user passwords and the other attributes needed. It is a location in the directory tree, not a secret.
This field narrows the search and makes it more direct. Without it the search can take a very long time, or it may not find the information at all if it hits its search limit before finding what it is looking for.
For more information, see page 7 of this Technical Note.
- Port: The port number of the LDAP server (default port numbers: regular LDAP = 389; secure LDAP = 636)
- Checkbox Auto-follow Referrals: Allow SecureSync to follow LDAP referrals to the locations that more likely hold a requested object.
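The bind sequence described above for the Bind DN (bind with the service account, search under the Server Base DN with the Advanced-tab search filter and login attribute, then bind again as the returned user DN), as an added Python example that is not Spectracom's code. It runs against a constructed in-memory directory so it works offline; the DNs, account names, passwords and the `(objectClass=posixAccount)` / `uid` filter values are assumptions. It also shows why the login name must be escaped before it is placed into the search filter.

```python
"""Added example, not Spectracom code: the bind / search / bind login flow
run against a constructed in-memory directory. All DNs, names, passwords
and filter values below are assumptions."""
import re
from typing import Dict, List, Optional, Tuple


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter.
    Without it a login name such as '*' or 'jdoe)(uid=admin' rewrites the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def build_login_filter(search_filter: str, login_attribute: str, username: str) -> str:
    """AND the Advanced-tab search filter with a match on the login attribute."""
    return '(&%s(%s=%s))' % (search_filter, login_attribute, escape_filter_value(username))


def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Recursive-descent parser for the subset used here: (&..), (|..), (attr=value)."""
    if s[i] != '(':
        raise ValueError('expected ( at offset %d' % i)
    i += 1
    if s[i] in '&|':
        op, kids, i = s[i], [], i + 1
        while s[i] == '(':
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ')':
            raise ValueError('expected ) at offset %d' % i)
        return (op, kids), i + 1
    j = s.index(')', i)
    attr, val = s[i:j].split('=', 1)
    return ('=', attr.lower(), val), j + 1


def _match(node: tuple, entry: Dict[str, str]) -> bool:
    if node[0] in '&|':
        combine = all if node[0] == '&' else any
        return combine(_match(k, entry) for k in node[1])
    _, attr, val = node
    actual = entry.get(attr)
    if actual is None:
        return False
    if val == '*':                       # presence filter: any value matches
        return True
    # an unescaped '*' is a wildcard; escaped bytes become literal characters
    pattern = '.*'.join(re.escape(_unescape(p)) for p in val.split('*'))
    return re.fullmatch(pattern, actual, re.IGNORECASE) is not None


class FakeDirectory:
    """Stand-in for the LDAP server: entries keyed by DN plus their passwords."""

    def __init__(self, entries: Dict[str, Dict[str, str]], passwords: Dict[str, str]) -> None:
        self.entries = [(dn, {k.lower(): v for k, v in attrs.items()})
                        for dn, attrs in entries.items()]
        self.passwords = {dn.lower(): pw for dn, pw in passwords.items()}

    def simple_bind(self, dn: str, password: str) -> bool:
        if not dn and not password:
            return True                  # anonymous simple bind, if the server allows it
        return bool(password) and self.passwords.get(dn.lower()) == password

    def search(self, base_dn: str, ldap_filter: str) -> List[str]:
        node, _ = _parse(ldap_filter)
        return [dn for dn, attrs in self.entries
                if dn.lower().endswith(base_dn.lower()) and _match(node, attrs)]


def authenticate(directory: FakeDirectory, cfg: dict, username: str, password: str) -> Optional[str]:
    """Return the user's DN on success, None on any failure."""
    if not password:
        return None                      # an empty password would turn the user bind into an anonymous one
    if not directory.simple_bind(cfg['bind_dn'], cfg['bind_password']):
        return None                      # the service account itself could not bind
    flt = build_login_filter(cfg['search_filter'], cfg['login_attribute'], username)
    hits = directory.search(cfg['base_dn'], flt)
    if len(hits) != 1:
        return None                      # unknown user, or an ambiguous match
    return hits[0] if directory.simple_bind(hits[0], password) else None


# Constructed sample directory and SecureSync-style settings (assumptions).
DIRECTORY = FakeDirectory(
    entries={
        'uid=jdoe,ou=People,dc=example,dc=com': {'objectClass': 'posixAccount', 'uid': 'jdoe'},
        'uid=admin,ou=People,dc=example,dc=com': {'objectClass': 'posixAccount', 'uid': 'admin'},
        'cn=svc-securesync,ou=Services,dc=example,dc=com': {'objectClass': 'account', 'cn': 'svc-securesync'},
    },
    passwords={
        'uid=jdoe,ou=People,dc=example,dc=com': 'jdoe-pass',
        'uid=admin,ou=People,dc=example,dc=com': 'admin-pass',
        'cn=svc-securesync,ou=Services,dc=example,dc=com': 'svc-secret',
    },
)
CONFIG = {
    'base_dn': 'dc=example,dc=com',
    'bind_dn': 'cn=svc-securesync,ou=Services,dc=example,dc=com',
    'bind_password': 'svc-secret',
    'search_filter': '(objectClass=posixAccount)',
    'login_attribute': 'uid',
}
```

The check that exactly one entry matched is deliberate: a filter that returns several DNs (for example because an unescaped `*` was accepted as a wildcard) should be treated as a failed login rather than resolved by taking the first hit, and an empty user password is rejected before the second bind so it cannot silently become an anonymous bind.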
Under the LDAP Security tab, you can upload and install the certificates and client key required for SSL. If your LDAP server requires secure communications with its "clients" (i.e. the use of SSL), the Server Certificate, the Client Certificate, and the Client Key must be uploaded to SecureSync here.
You may upload a server certificate, a client certificate, or a client key.
- If necessary, create the desired certificate or client key. See NTP Autokey: IFF Autokey Support for information on client keys.
- Click the INFO icon for the certificate you wish to upload.
- In the Certificate window, click the Choose File button.
- Locate and upload the certificate or client key file.
- Click Submit.
The SSL certificates and/or client key you upload will be installed in the
Use the checkbox Enable Security if you want to enable SSL security, i.e. use Secure LDAP.
Use the checkbox Clean Security Certificates to remove all certificates currently stored on SecureSync (e.g., to eliminate expired certificates).
Under the LDAP Group tab, you can filter access by group.
To enable group authentication:
- Select the Enable group filter checkbox.
- Enter information for:
- Required Group—Enter the required group. Example: ou=Group, dc=example, dc=com.
- Group Attribute—Enter the group attribute. Example:
- NSS base group—Enter the nss_base group. Example: ou=Group, dc=example, dc=com?one.
- Click the Submit button.
Under the LDAP Advanced tab, you can set the search filter and the LDAP login attribute.
Fill in the following fields, as desired:
- Search filter—This is the LDAP search filter. Example:
- Login Attribute—This is the LDAP login attribute. Example:
- Verify Certificate (checkpeer)—Select this checkbox to turn on checkpeer authentication, i.e. to have SecureSync verify the LDAP server's certificate against the CA certificate uploaded under the Security tab. Without it, Enable Security still encrypts the connection but does not verify which server SecureSync is talking to, so an attacker on the network path could impersonate the LDAP server and collect the bind password and user login passwords.
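A checker for the transport and bind values set on the Settings, Security and Advanced tabs, as an added Python example that is not Spectracom's code. The dictionary keys (`port`, `enable_security`, `verify_certificate`, `bind_dn`, `bind_password`, `auto_follow_referrals`) are assumptions chosen to mirror the field names on those tabs; the sample DN and password are constructed.

```python
"""Added example, not Spectracom code: flags weak combinations of the LDAP
transport and bind settings. Key names mirror the tab fields and are assumptions."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (severity, message)


def check_ldap_settings(cfg: Dict[str, object]) -> List[Finding]:
    findings: List[Finding] = []
    port = int(cfg.get('port', 389))
    secure = bool(cfg.get('enable_security', False))
    checkpeer = bool(cfg.get('verify_certificate', False))
    bind_dn = str(cfg.get('bind_dn', ''))
    bind_pw = str(cfg.get('bind_password', ''))
    referrals = bool(cfg.get('auto_follow_referrals', False))

    if not secure:
        # Every bind, including each user's login password, crosses the network in the clear.
        findings.append(('high', 'Enable Security is off: the bind password and user passwords are sent unencrypted'))
    elif not checkpeer:
        # TLS without peer verification encrypts to whoever answers, impostor included.
        findings.append(('high', 'Verify Certificate (checkpeer) is off: the LDAP server identity is not checked'))
    if port == 636 and not secure:
        findings.append(('medium', 'port 636 is the secure LDAP port but Enable Security is off'))
    if bind_dn and not bind_pw:
        # RFC 4513 calls a DN with an empty password an unauthenticated bind; servers may treat it as anonymous.
        findings.append(('high', 'Bind DN set but Bind Password empty: this is an unauthenticated bind, not a credentialed one'))
    if not bind_dn and not bind_pw:
        findings.append(('info', 'anonymous simple bind: the directory must permit unauthenticated searches of the search base'))
    if referrals and not (secure and checkpeer):
        # Following a referral re-binds to whatever host the referral names; without a verified peer that host is unvetted.
        findings.append(('medium', 'Auto-follow Referrals over an unverified transport: bind credentials may be sent to an unverified host'))
    return findings


def is_hardened(cfg: Dict[str, object]) -> bool:
    """True when no high-severity finding remains."""
    return not any(sev == 'high' for sev, _ in check_ldap_settings(cfg))


# Constructed sample settings (assumptions): a weak profile and its corrected form.
WEAK = {'port': 389, 'enable_security': False, 'verify_certificate': False,
        'bind_dn': 'cn=svc-securesync,ou=Services,dc=example,dc=com', 'bind_password': '',
        'auto_follow_referrals': True}
HARDENED = dict(WEAK, port=636, enable_security=True, verify_certificate=True, bind_password='svc-secret')
```

Run `check_ldap_settings(WEAK)` to see all three problems at once, then `check_ldap_settings(HARDENED)` to confirm that enabling security, turning on checkpeer and giving the bind account a real password clears them; leaving only checkpeer off still produces a high finding.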
Under the LDAP Servers tab, you manage the LDAP server(s) to be accessed. The window displays:
- Server—The hostname(s) or IP address(es) of the LDAP server(s) that have been added.
- Action—After a server has been listed, it can be removed by clicking the X-button.
- LDAP Server Status—This will display one of the following states:
- PASS (green)—An LDAP server that has been set up is available and is able to pass data.
- CONFIGURATION MISSING (red)—No configuration files are available.
- FAILED TO READ DATA (red)—An LDAP server is available but no data was passed.
- FAILED NOT REACHABLE (red)—No LDAP server could be reached.
- LDAP DISABLED—The Enabled checkbox under the Settings tab has not been selected.
- Add additional server—Enter the hostname or IP address of the LDAP server to be queried. You may list multiple servers.