Group Configuration for LDAP Authentication Domains

* 
NOTE: The Microsoft Active Directory database uses an LDAP organization schema. The Active Directory database may be queried using Kerberos authentication (the standard authentication type; this is labeled “Active Directory” domain authentication in the Dell SonicWALL SRA management interface), NTLM authentication (labeled NT Domain authentication in the SRA management interface), or using LDAP database queries. An LDAP domain configured in the SRA management interface can authenticate to an Active Directory server.

Lightweight Directory Access Protocol (LDAP) is a standard for querying and updating a directory. Since LDAP supports a multilevel hierarchy (for example, groups or organizational units), the SRA appliance can query this information and provide specific group policies or bookmarks based on LDAP attributes. By configuring LDAP attributes, the SRA appliance administrator can leverage the groups that have already been configured in an LDAP or Active Directory database, rather than needing to manually recreate the same groups in the SRA appliance.

Once an LDAP authentication domain is created, a default LDAP group will be created with the same name as the LDAP domain name. Although additional groups may be added or deleted from this domain, the default LDAP group may not be deleted. If the user for which you created LDAP attributes enters the Virtual Office home page, the bookmark you created for the group the user is in will display in the Bookmarks Table.

For an LDAP group, you may define LDAP attributes. For example, you can specify that users in an LDAP group must be members of a certain group or organizational unit defined on the LDAP server. Or you can specify a unique LDAP distinguished name.

To add an LDAP attribute for a group so that a user will have a bookmark assigned when entering the Virtual Office environment, perform the following steps:

1
Navigate to the Portals > Domains page and click Add Domain to display the Add New Domain window.
2
Select LDAP from the Authentication Type menu. The LDAP domain configuration fields will be displayed.

3
Enter a descriptive name for the authentication domain in the Domain Name field. This is the domain name users will select in order to log into the SRA user portal. It can be the same value as the Server address field.
4
Enter the IP address or domain name of the server in the Server address field.
5
Enter the search base for LDAP queries in the LDAP baseDN field. An example of a search base string is CN=Users,DC=yourdomain,DC=com.
* 
TIP: It is possible for multiple OUs to be configured for a single domain by entering each OU on a separate line in the LDAP baseDN field. In addition, any sub-OUs will be automatically included when parents are added to this field.
* 
NOTE: Do not include quotes (“”) in the LDAP BaseDN field.
6
Enter the common name of a user that has been delegated control of the container that user will be in along with the corresponding password in the Login user name and Login password fields.
* 
NOTE: When entering Login user name and Login password, remember that the SRA appliance binds to the LDAP tree with these credentials and users can log in with their sAMAccountName.
7
Enter the name of the portal in the Portal name field. Additional layouts may be defined in the Portals > Portals page.
8
Select the Allow password changes (if allowed by LDAP server) check box if you want to be able to change user’s passwords. The admin account must be used when changing user passwords.
9
Select the Delete external user accounts on logout check box to delete users who are not logged into a domain account after they log out.
10
Optionally select the One-time passwords check box to enable the One-time password feature. A drop-down list will appear, in which you can select if configured, required for all users, or using domain name. These are defined as:
if configured - Only users who have a One Time Password email address configured will use the One Time Password feature.
required for all users - All users must use the One Time Password feature. Users who do not have a One Time Password email address configured will not be allowed to login.
using domain name - Users in the domain will use the One Time Password feature. One Time Password emails for all users in the domain will be sent to username@domain.com.
11
If you select One-time passwords, an LDAP e-mail attribute drop-down list appears. Select one of the following:
mail - Select mail if this is the name of your LDAP email attribute.
userPrincipalName - Select userPrincipalName if this is the name of your LDAP email attribute.
custom - Select custom to enter any other LDAP email attribute. Enter the attribute name into the Custom attribute field that appears.
12
Navigate to the Users > Local Groups page and click the configure icon. The Edit Group Settings page is displayed, with fields for LDAP attributes on the General tab.

13
On the General tab, you may optionally fill out one or multiple LDAP Attribute fields with the appropriate names where name=value is the convention for adding a series of LDAP attributes. To see a full list of LDAP attributes, refer to the Dell SonicWALL LDAP Attribute document.

As a common example, fill out an attribute field with the memberOf= attribute which can bundle the following common variable types:

CN= - the common name. DN= - the distinguished name. DC= - the domain component.

You need to provide quote delimiters around the variables you bundle in the memberOf line. You separate the variables by commas. An example of the syntax using the CN and DC variables would be:

memberOf="CN=<string>, DC=<string>"

An example of a line you might enter into the LDAP Attribute field, using the CN and DC variables would be:

memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"

14
Type an inactivity timeout value (in minutes) in the Inactivity Timeout field. Enter 0 (zero) to use the global inactivity timeout setting.
15
Under Single Sign-On Settings, in the Automatically log into bookmarks list, select one of the following:
Use global policy – Use the global policy for using SSO to login to bookmarks.
User-controlled (enabled by default for new users) – Enable SSO to login to bookmarks for new users, and allow users to change this setting.
User-controlled (disabled by default for new users) – Disable SSO to login to bookmarks for new users, and allow users to change this setting.
Enabled – Enable SSO to login to bookmarks
Disabled – Disable SSO to login to bookmarks
16
Click Accept when done.

LDAP Attribute Information

When configuring LDAP attributes, the following information may be helpful:
If multiple attributes are defined for a group, all attributes must be met by LDAP users.
LDAP authentication binds to the LDAP tree using the same credentials as are supplied for authentication. When used against Active Directory, this requires that the login credentials provided match the CN (common name) attribute of the user rather than samAccountName (login name). For example, if your NT/Active Directory login name is gkam and your full name is guitar kam, when logging into the SRA appliance with LDAP authentication, the username should be provided in the following ways: If a login name is supplied, that name is used to bind to the tree. If the field is blank, you need to login with the full name. If the field is filled in with a full login name, users will login with the sAMAccountName.
If no attributes are defined, then any user authorized by the LDAP server can be a member of the group.
If multiple groups are defined and a user meets all the LDAP attributes for two groups, then the user will be considered part of the group with the most LDAP attributes defined. If the matching LDAP groups have an equal number of attributes, then the user will be considered a member of the group based on the alphabetical order of the groups.
If an LDAP user fails to meet the LDAP attributes for all LDAP groups configured on the SRA appliance, then the user will not be able to log into the portal. So the LDAP attributes feature not only allows the administrator to create individual rules based on the LDAP group or organization, it also allows the administrator to only allow certain LDAP users to log into the portal.
Example of LDAP Users and Attributes

If a user is manually added to a LDAP group, then the user setting will take precedence over LDAP attributes.

For example, an LDAP attribute objectClass=Person” is defined for group Group1 and an LDAP attribute memberOf=“CN=WINS Users,DC=sonicwall,DC=net” is defined for Group2.

If user Jane is defined by an LDAP server as a member of the Person object class, but is not a member of the WINS Users group, Jane will be a member of SRA appliance Group1.

But if the administrator manually adds the user Jane to SRA appliance Group2, then the LDAP attributes will be ignored and Jane will be a member of Group2.

Sample LDAP Attributes

You may enter up to four LDAP attributes per group. The following are some example LDAP attributes of Active Directory LDAP users:

name="Administrator"
memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"
objectClass="user"
msNPAllowDialin="FALSE"

Querying an LDAP Server

If you would like to query your LDAP or Active Directory server to find out the LDAP attributes of your users, there are several different methods. From a machine with ldap search tools (for example a Linux machine with OpenLDAP installed) run the following command:

ldapsearch -h 10.0.0.5 -x -D

"cn=demo,cn=users,dc=sonicwall,dc=net" -w demo123 –b

"dc=sonicwall,dc=net" > /tmp/file

Where:
10.0.0.5 is the IP address of the LDAP or Active Directory server
cn=demo,cn=users,dc=sonicwall,dc=net is the distinguished name of an LDAP user
demo123 is the password for the user demo
dc=sonicwall,dc=net is the base domain that you are querying
> /tmp/file is optional and defines the file where the LDAP query results will be saved.

For instructions on querying an LDAP server from a Window server, refer to:

http://technet.microsoft.com/en-us/library/cc783845(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc731033(v=ws.10).aspx