chun 2011-5-31 10:40

[Repost] SonicWall LDAP configuration

[url]http://md11boing.pixnet.net/blog/post/18520138[/url]

Last year I borrowed a SonicWall NSA 2400 from a vendor for testing. I got stuck on the LDAP settings for quite a while, and only got it working after following the procedure at <a href="https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=4060" target="new">https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=4060</a>.

1. Set the first DNS server IP to the LDAP server, i.e. the Windows AD server.
<a href="http://1.bp.blogspot.com/_ylGFGEtmd4w/Sdola1h1NMI/AAAAAAAAB5c/BWgcGFqy4yI/s1600-h/s0.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 249px;" src="http://1.bp.blogspot.com/_ylGFGEtmd4w/Sdola1h1NMI/AAAAAAAAB5c/BWgcGFqy4yI/s320/s0.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321607052667466946" /></a>

2. Under "Users > Settings", change the Authentication method for login from the default Local Users to LDAP + Local Users, so that users (mainly VPN users) are authenticated against both the local database and LDAP.
<a href="http://1.bp.blogspot.com/_ylGFGEtmd4w/Sdolgt0iN6I/AAAAAAAAB5k/bTWs8h2oXSE/s1600-h/s1.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 249px;" src="http://1.bp.blogspot.com/_ylGFGEtmd4w/Sdolgt0iN6I/AAAAAAAAB5k/bTWs8h2oXSE/s320/s1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321607153677645730" /></a>

3. Enter the IP address of the LDAP server, along with a domain administrator account and password.
<a href="http://2.bp.blogspot.com/_ylGFGEtmd4w/Sdolqxd-ifI/AAAAAAAAB5s/5j5krkAwTLo/s1600-h/s2.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 309px; height: 320px;" src="http://2.bp.blogspot.com/_ylGFGEtmd4w/Sdolqxd-ifI/AAAAAAAAB5s/5j5krkAwTLo/s320/s2.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321607326455466482" /></a>

4. The default LDAP server type is already the one we want, Microsoft Active Directory, so leave it unchanged.
<a href="http://1.bp.blogspot.com/_ylGFGEtmd4w/Sdol-VALyoI/AAAAAAAAB50/U1cMToBFTRc/s1600-h/s3.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 309px; height: 320px;" src="http://1.bp.blogspot.com/_ylGFGEtmd4w/Sdol-VALyoI/AAAAAAAAB50/U1cMToBFTRc/s320/s3.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321607662411696770" /></a>

5. Enter the full FQDN of the AD domain in the Primary domain field, then click User tree for login to server to apply the change. Finally, click the Auto-configure button at the lower right to import the available data from the AD forest (see figure 6); the result is the screen shown in figure 5.
<a href="http://2.bp.blogspot.com/_ylGFGEtmd4w/SdomP3dm2aI/AAAAAAAAB58/go8acD82JXs/s1600-h/s4.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 309px; height: 320px;" src="http://2.bp.blogspot.com/_ylGFGEtmd4w/SdomP3dm2aI/AAAAAAAAB58/go8acD82JXs/s320/s4.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321607963719686562" /></a>

6. Figures 7 to 9 are all default values; leave them unchanged.
<a href="http://3.bp.blogspot.com/_ylGFGEtmd4w/SdomY2pLhrI/AAAAAAAAB6E/m1Lg5LNeyiM/s1600-h/s5.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 237px;" src="http://3.bp.blogspot.com/_ylGFGEtmd4w/SdomY2pLhrI/AAAAAAAAB6E/m1Lg5LNeyiM/s320/s5.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321608118118614706" /></a>

7.
<a href="http://1.bp.blogspot.com/_ylGFGEtmd4w/SdomibrHg1I/AAAAAAAAB6M/LyITCk4Kgoo/s1600-h/s6.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 309px; height: 320px;" src="http://1.bp.blogspot.com/_ylGFGEtmd4w/SdomibrHg1I/AAAAAAAAB6M/LyITCk4Kgoo/s320/s6.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321608282677674834" /></a>

8.
<a href="http://4.bp.blogspot.com/_ylGFGEtmd4w/Sdomp1kEHCI/AAAAAAAAB6U/fVeKL-RnvRE/s1600-h/s7.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 309px; height: 320px;" src="http://4.bp.blogspot.com/_ylGFGEtmd4w/Sdomp1kEHCI/AAAAAAAAB6U/fVeKL-RnvRE/s320/s7.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321608409886497826" /></a>

9.
<a href="http://1.bp.blogspot.com/_ylGFGEtmd4w/SdomyCWweMI/AAAAAAAAB6c/72hJgvGZC1I/s1600-h/s8.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 309px; height: 320px;" src="http://1.bp.blogspot.com/_ylGFGEtmd4w/SdomyCWweMI/AAAAAAAAB6c/72hJgvGZC1I/s320/s8.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321608550759299266" /></a>

10. To test whether the connection settings are correct, enter a domain user account and password and click Test. If a screen like the one shown appears, the connection succeeded ^^.
<a href="http://4.bp.blogspot.com/_ylGFGEtmd4w/Sdom4ayKApI/AAAAAAAAB6k/8KHwcDDvPDI/s1600-h/s9.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 309px; height: 320px;" src="http://4.bp.blogspot.com/_ylGFGEtmd4w/Sdom4ayKApI/AAAAAAAAB6k/8KHwcDDvPDI/s320/s9.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5321608660395885202" /></a>

chun 2011-5-31 10:48

Archived: SonicOS: Configuring LDAP Integration in SonicOS Enhanced

<p><strong><font size="3">Preparing Your LDAP Server for Integration</font></strong></p>
<p>Integrating your SonicWALL appliance with an LDAP directory service
requires configuring your LDAP server for certificate management,
installing the correct certificate on your SonicWALL appliance, and
configuring the SonicWALL appliance to use the information from the LDAP
Server.</p>
<p>Before beginning your LDAP configuration, you should prepare your
LDAP server and your SonicWALL for LDAP over TLS support. This requires:</p>

<ul><li>
    <div><font face="Arial" size="2">Installing a server certificate on your LDAP server.</font></div>
    </li><li><font face="Arial" size="2">Installing a CA (Certificate Authority) certificate for the issuing CA on your SonicWALL appliance. </font>
    <p align="left"><font face="Arial" size="2">The following procedures describe how to perform these tasks in an Active Directory environment.</font></p>
    <font face="Arial" size="2"><font face="Arial" size="2">
    <p align="left"><strong><u>Configuring the CA on the Active Directory Server</u></strong></p>
    </font></font>
    <p align="left"><font face="Arial" size="2"><font face="Arial" size="2">To configure the CA on the Active Directory server (skip the first five steps if Certificate Services are already installed):</font></font></p>
    <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Step 1</strong> Navigate to <strong>Start &gt; Settings &gt; Control Panel &gt; Add/Remove Programs</strong><br>
    <strong>Step 2</strong> Select <strong>Add/Remove Windows Components</strong><br>
    <strong>Step 3</strong> Select <strong>Certificate Services</strong>.<br>
    <strong>Step 4</strong> Select <strong>Enterprise Root CA</strong> when prompted.<br>
    <strong>Step 5</strong> Enter the requested information. For information about certificates on Windows systems, see <font color="#0000ff" face="Arial" size="2"><a href="http://support.microsoft.com/kb/931125">http://support.microsoft.com/kb/931125</a></font><font face="Arial" size="2">.<br>
    </font><font face="Arial" size="2"><strong>Step 6</strong> Launch the <strong>Domain Security Policy</strong> application: Navigate to <strong>Start &gt; Run</strong> and run the command: <strong>dompol.msc</strong>.<br>
    <strong>Step 7</strong> Open <strong>Security Settings &gt; Public Key Policies</strong>.<br>
    <strong>Step 8</strong> Right click <strong>Automatic Certificate Request</strong> <strong>Settings.</strong><br>
    <strong>Step 9</strong> Select <strong>New &gt; Automatic Certificate Request</strong>.<br>
    <strong>Step 10</strong> Step through the wizard, and select <strong>Domain Controller</strong> from the list.</font></font></font></p>
    <font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">
    <p align="left"><strong><u>Exporting the CA Certificate from the Active Directory Server</u></strong></p>
    </font><font face="Arial" size="2">
    <p align="left">To export the CA certificate from the AD server:</p>
    <p><font face="Arial" size="2"><strong>Step 1</strong> Launch the <strong>Certification Authority</strong> application: <strong>Start &gt; Run &gt; certsrv.msc</strong>.<br>
    <strong>Step 2</strong> Right click on the CA you created, and select <strong>Properties</strong>.<br>
    <strong>Step 3</strong> On the <strong>General</strong> tab, click the <strong>View Certificate</strong> button.<br>
    <strong>Step 4</strong> On the <strong>Details</strong> tab, select <strong>Copy to File</strong>.<br>
    <strong>Step 5</strong> Step through the wizard, and select the <strong>Base-64 Encoded X.509 (.cer)</strong> format.<br>
    <strong>Step 6</strong> Specify a path and filename to which to save the certificate.</font></p>
    </font><font face="Arial" size="2">
    <p align="left"><strong><u>Importing the CA Certificate onto the SonicWALL</u></strong></p>
    </font></font></font>
    <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">To import the CA certificate onto the SonicWALL:</font></font></font></p>
    <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Step 1</strong> Browse to <strong>System &gt; CA Certificates</strong>.<br>
    <strong>Step 2</strong> Select <strong>Add new CA certificate</strong>. Browse to and select the certificate file you just exported.<br>
    <strong>Step 3</strong> Click the <strong>Import certificate</strong> button.</font></font></font></p>
    <font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="4">
    <p align="left"><strong><u>Configuring the SonicWALL Appliance for LDAP</u></strong></p>
    </font><font face="Arial" size="2">
    <p align="left">The <font face="Arial" size="2"><strong>Users &gt; Settings</strong> </font><font face="Arial" size="2">page in the administrative interface provides the settings for managing your LDAP integration:</font></p>
    </font></font></font></font>
    <p><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Step 1</strong> In the SonicOS administrative interface, open the <strong>Users &gt; Settings</strong> page.<br>
    </font><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><br>
    <strong>Step 2</strong> In the <strong>Authentication method for login</strong> drop-down list, select either <strong>LDAP</strong> or <strong>LDAP + Local Users</strong>.</font></font></font></font></font></font></font></p>
    <p><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><img alt="Authentication Method for Login drop down list" src="https://www.fuzeqna.com/sonicwallkb/includes/customer/sonicwallkb/uploadfiles/Image/Configuring%20LDAP%20Integration%20in%20SonicOS%20Enhanced%20-%20KBID%204060/KBID4060%20Image1.JPG" height="86" width="360"><br>
    <br>
    <strong>Step 3</strong> Click <strong>Configure</strong>.<br>
    <br>
    <strong>Step 4</strong> If you are connected to your SonicWALL
appliance via HTTP rather than HTTPS, you will see a dialog box warning
you of the sensitive nature of the information stored in directory
services and offering to change your connection to HTTPS. If you have
HTTPS management enabled for the interface to which you are connected
(recommended), click <strong>Yes</strong>.</font></font></font></font></font></font></font></p>
    <p><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><img alt="HTTPS dialog box" src="https://www.fuzeqna.com/sonicwallkb/includes/customer/sonicwallkb/uploadfiles/Image/Configuring%20LDAP%20Integration%20in%20SonicOS%20Enhanced%20-%20KBID%204060/KBID4060%20Image2.JPG" height="108" width="225"><br>
    <br>
    <strong>Step 5</strong> On the <strong>Settings</strong> tab of the LDAP Configuration window, configure the following fields:</font>&nbsp;</font></font></font>&nbsp;</font></font></font></p>
    <p><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><img alt="Settings Tab" src="https://www.fuzeqna.com/sonicwallkb/includes/customer/sonicwallkb/uploadfiles/Image/Configuring%20LDAP%20Integration%20in%20SonicOS%20Enhanced%20-%20KBID%204060/KBID4060%20Image3.JPG"></font></font></font></p>
    <ul><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">
        <li><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Name or IP Address</strong>
– The FQDN or the IP address of the LDAP server against which you wish
to authenticate. If using a name, be certain that it can be resolved by
your DNS server. Also, if using TLS with the ‘Require valid certificate
from server’ option, the name provided here must match the name to which
the server certificate was issued (i.e. the CN) or the TLS exchange
will fail.<br>
        </font></font></font></font></font></li>
        <li><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Port Number</strong>
– The default LDAP over TLS port number is TCP 636. The default LDAP
(unencrypted) port number is TCP 389. If you are using a custom
listening port on your LDAP server, specify it here.<br>
        </font></font></font></font></font></li>
        <li><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Server timeout</strong>
– The amount of time, in seconds, that the SonicWALL will wait for a
response from the LDAP server before timing out. Allowable ranges are 1
to 99999 (in case you’re running your LDAP server on a VIC-20 located on
the moon), with a default of 10 seconds.<br>
        </font></font></font></font></font></li>
        <li><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Anonymous Login</strong>
– Some LDAP servers allow for the tree to be accessed anonymously. If
your server supports this (Active Directory generally does not), then
you may select this option.<br>
        </font></font></font></font></font></li>
        <li><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Login user name</strong>
– Specify a user name that has rights to log in to the LDAP directory.
The login name will automatically be presented to the LDAP server in
full ‘dn’ notation. This can be any account with LDAP read privileges
(essentially any user account) – Administrative privileges are not
required. Note that this is the user’s name, not their login ID (e.g.
John Smith rather than jsmith).<br>
        </font></font></font></font></font></li>
        <li><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Login password –</strong> The password for the user account specified above.<br>
        </font></font></font></font></font></li>
        <li><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Protocol version</strong> – Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP, including Active Directory, employ LDAPv3.<br>
        </font></font></font></font></font></li>
        <li><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Use TLS</strong>
– Use Transport Layer Security (SSL) to log in to the LDAP server. It
is strongly recommended that TLS be used to protect the username and
password information that will be sent across the network. Most modern
LDAP server implementations, including Active Directory, support TLS.
Deselecting this default setting will display an alert that you must
accept to proceed.<br>
        </font></font></font></font></font></li>
        <li><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Send LDAP ‘Start TLS’ Request</strong>
– Some LDAP server implementations support the Start TLS directive
rather than using native LDAP over TLS. This allows the LDAP server to
listen on one port (normally 389) for LDAP connections, and to switch to
TLS as directed by the client. Active Directory does not use this
option, and it should only be selected if required by your LDAP server.<br>
        </font></font></font></font></font></li>
        <li><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Require valid certificate from server</strong>
– Validates the certificate presented by the server during the TLS
exchange, matching the name specified above to the name on the
certificate. Deselecting this default option will present an alert, but
exchanges between the SonicWALL and the LDAP server will still use TLS –
only without issuance validation.<br>
        </font></font></font></font></font></li>
        <li><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Local certificate for TLS</strong>
– Optional, to be used only if the LDAP server requires a client
certificate for connections. Useful for LDAP server implementations that
return passwords to ensure the identity of the LDAP client (Active
Directory does not return passwords). This setting is not required for
Active Directory.<br>
        </font></font></font></font><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><br>
        If your network uses multiple LDAP/AD servers with referrals,
then select one as the primary server (probably the one that holds the
bulk of the users) and use the above settings for that server. It will
then refer the SonicWALL on to the other servers for users in domains
other than its own. For the SonicWALL to be able to log in to those
other servers, each server must have a user configured with the same
credentials (user name, password and location in the directory) as the
login to the primary server. This may entail creating a special user in
the directory for the SonicWALL login. Note that only read access to the
directory is required.</font></font></font></font></font></li>
        </font></font></font></ul>
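The <strong>Use TLS</strong>, <strong>Require valid certificate from server</strong> and <strong>Name or IP Address</strong> settings above only work together when the server certificate chains to the CA certificate you imported and carries the name you entered. The script below is an added example (not SonicWALL's code) that performs exactly that check from any host before the appliance is configured; it assumes the CA file is the Base-64 .cer exported earlier, uses only the Python standard library, and the function names (build_context, name_matches, check_ldaps) are my own.

```python
"""Pre-flight check for the Settings-tab TLS options: connect to the LDAP
server over LDAPS (TCP 636), validate its certificate against the CA
certificate exported from the AD CA (Base-64 .cer), and report whether the
value you intend to type into 'Name or IP Address' matches the certificate.

Added example, not SonicWALL code; standard library only.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional


def build_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """Same policy as 'Require valid certificate from server': the chain must
    validate and the name must match. cafile=None falls back to the OS store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_names(cert: dict) -> list:
    """Names a certificate is valid for, taken from the getpeercert() dict:
    the subject CN plus DNS and IP subjectAltName entries."""
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.append(value)
    return names


def name_matches(configured_name: str, cert: dict) -> bool:
    """Would the name typed into 'Name or IP Address' pass the certificate
    name check? Case-insensitive; a '*.' wildcard covers exactly one label."""
    host = configured_name.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def check_ldaps(host: str, ca_file: Optional[str], port: int = 636,
                timeout: float = 10.0, configured_name: Optional[str] = None) -> dict:
    """Open an LDAP-over-TLS connection the way the appliance would and report
    the outcome instead of raising, so it can be run across several domain
    controllers. configured_name lets you test a different value than the
    FQDN used to connect (e.g. the bare IP you are tempted to enter)."""
    ctx = build_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                expires = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
                return {"ok": True,
                        "tls_version": tls.version(),
                        "names": cert_names(cert),
                        "configured_name_ok": name_matches(configured_name or host, cert),
                        "expires": expires.isoformat()}
    except ssl.SSLCertVerificationError as exc:
        # Chain does not lead to the imported CA, or the name does not match
        return {"ok": False, "reason": f"certificate rejected: {exc.verify_message}"}
    except (ssl.SSLError, OSError) as exc:
        # Port closed, no TLS listener on 636, timeout, DNS failure, ...
        return {"ok": False, "reason": f"connection failed: {exc}"}


if __name__ == "__main__":
    # usage: python ldaps_check.py dc1.ad.example.com [exported-ca.cer] [name-to-enter]
    target = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    entered = sys.argv[3] if len(sys.argv) > 3 else None
    print(check_ldaps(target, ca, configured_name=entered))
```

A "certificate rejected" result with the exported CA file means the domain controller's certificate was not issued by that CA (or its name differs), which is exactly the condition that makes the appliance's TLS exchange fail.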
        <p><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Step 6</strong> On the <strong>Schema</strong> tab, configure the following fields:</font>&nbsp;</font></font></font>&nbsp;&nbsp;</font></font></font></p>
        <p><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><img alt="Schema Tab" src="https://www.fuzeqna.com/sonicwallkb/includes/customer/sonicwallkb/uploadfiles/Image/Configuring%20LDAP%20Integration%20in%20SonicOS%20Enhanced%20-%20KBID%204060/KBID4060%20Image4.JPG" height="298" width="330"></font></font></font></p>
        <ul><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">
            <li>
            <p align="left"><font face="Arial" size="2"><strong>LDAP Schema</strong> – Select one of the following:<br>
            <br>
            – Microsoft Active Directory<br>
            – RFC2798 inetOrgPerson<br>
            – RFC2307 Network Information Service<br>
            – Samba SMB<br>
            – Novell eDirectory<br>
            – User defined<br>
            <br>
            Selecting any of the predefined schemas will automatically
populate the fields used by that schema with their correct values.
Selecting User defined will allow you to specify your own values – use
this only if you have a specific or proprietary LDAP schema
configuration.</font></p>
            </li>
            <li>
            <p align="left"><font face="Arial" size="2"><strong>Object class</strong> – Select the attribute that represents the individual user account to which the next two fields apply.</font></p>
            </li>
            <li>
            <p align="left"><font face="Arial" size="2"><strong>Login name attribute</strong> – Select one of the following to define the attribute that is used for login authentication:<br>
            <br>
            – <strong>sAMAccountName</strong> for Microsoft Active Directory<br>
            – <strong>inetOrgPerson</strong> for RFC2798 inetOrgPerson<br>
            – <strong>posixAccount</strong> for RFC2307 Network Information Service<br>
            – <strong>sambaSAMAccount</strong> for Samba SMB<br>
            – <strong>inetOrgPerson</strong> for Novell eDirectory</font></p>
            </li>
            <li>
            <p align="left"><font face="Arial" size="2"><strong>Qualified login name attribute</strong> – Optionally select an attribute of a user object that sets an alternative login name for the user in name@domain
format. This may be needed with multiple domains in particular, where
the simple login name may not be unique across domains. This is set to <strong>mail</strong> for Microsoft Active Directory and RFC2798 inetOrgPerson.</font></p>
            </li>
            <li>
            <p align="left"><font face="Arial" size="2"><strong>User group membership attribute</strong> – Select the attribute that contains information about the groups to which the user object belongs. This is <strong>memberOf</strong>
in Microsoft Active Directory. The other pre-defined schemas store
group membership information in the group object rather than the user
object, and therefore do not use this field.</font></p>
            </li>
            <li>
            <p align="left"><font face="Arial" size="2"><strong>Framed IP address attribute</strong>
– Select the attribute that can be used to retrieve a static IP address
that is assigned to a user in the directory. Currently it is only used
for a user connecting via L2TP with the SonicWALL’s L2TP server. In the
future this may also be supported for Global VPN Client. In Active
Directory the static IP address is configured on the Dial-in tab of a
user’s properties.</font></p>
            </li>
            </font></font></font></ul>
            <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Step 7</strong> On the <strong>Directory tab</strong>, configure the following fields:</font></font></font></font></p>
            <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><img alt="Directory Tab" src="https://www.fuzeqna.com/sonicwallkb/includes/customer/sonicwallkb/uploadfiles/Image/Configuring%20LDAP%20Integration%20in%20SonicOS%20Enhanced%20-%20KBID%204060/KBID4060%20Image5.JPG" height="297" width="329"></font></font></font></font></p>
            <ul><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">
                <li>
                <div align="left"><font face="Arial" size="2"><strong>Primary Domain</strong>
– The user domain used by your LDAP implementation. For AD, this will
be the Active Directory domain name, e.g. yourADdomain.com. Changes to
this field will, optionally, automatically update the tree information
in the rest of the page. This is set to mydomain.com by default for all
schemas except Novell eDirectory, for which it is set to o=mydomain.</font></div>
                </li>
                <li>
                <div align="left"><font face="Arial" size="2"><strong>User tree for login to server</strong>
– The tree in which the user specified in the Settings tab resides. For
example, in Active Directory the ‘administrator’ account’s default tree
is the same as the user tree.<br>
                </font></div>
                </li>
                <li>
                <div align="left"><font face="Arial" size="2"><strong>Trees containing users</strong>
– The trees where users commonly reside in the LDAP directory. One
default value is provided which can be edited, and up to a total of 64
DN values may be provided. The SonicWALL will search the directory using
them all until a match is found, or the list is exhausted. If you have
created other user containers within your LDAP or AD directory, you
should specify them here.<br>
                </font></div>
                </li>
                <li>
                <div align="left"><font face="Arial" size="2"><strong>Trees containing user groups</strong>
– Same as above, only with regard to user group containers, and a
maximum of 32 DN values may be provided. These are only applicable when
there is no user group membership attribute in the schema's user object,
and are not used with AD. <br>
                <br>
                All the above trees are normally given in URL format but
can alternatively be specified as distinguished names (e.g.
“myDom.com/Sales/Users” could alternatively be given as the DN&nbsp;<font face="Arial" size="2">"</font><em><font face="Arial" size="2">ou=Users,ou=Sales,dc=myDom,dc=com</font></em><font face="Arial" size="2">").</font>&nbsp;The
latter form will be necessary if the DN does not conform to the normal
formatting rules as per that example. In Active Directory the URL
corresponding to the distinguished name for a tree is displayed on the
Object tab in the properties of the container at the top of the tree.</font></div>
                </li>
                </font></font></font></ul>
                <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Note:&nbsp;</strong>
AD has some built-in containers that do not conform (e.g. the DN for
the top level Users container is formatted as “cn=Users,dc=…”, using
‘cn’ rather than ‘ou’) but the SonicWALL knows about and deals with
these, so they can be entered in the simpler URL format.</font></font></font></font></p>
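As an added example (not SonicWALL or Microsoft code), the converter below turns trees given in the URL format described above into distinguished names and back, handling the built-in containers that use cn= instead of ou= (the page names Users; Computers and Builtin are included as general Active Directory knowledge), and enforces the 64-entry and 32-entry limits of the two tree lists. The function names are my own.

```python
"""Convert the 'URL format' trees used on the SonicWALL Directory tab
(e.g. myDom.com/Sales/Users) into LDAP distinguished names and back.

Added example, not SonicWALL or Microsoft code. Assumption (general AD
knowledge; the page itself only names Users): the built-in containers
Users, Computers and Builtin directly under the domain use cn=, not ou=.
"""
import re

# Built-in AD containers directly under the domain whose RDN is cn= rather than ou=
AD_CN_CONTAINERS = {"users", "computers", "builtin"}

# Characters that must be backslash-escaped inside an RDN value (RFC 4514)
_ESCAPE = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape a container or domain label so it is safe inside a DN."""
    s = "".join("\\" + c if c in _ESCAPE else c for c in value)
    if s.startswith((" ", "#")):            # leading space or '#' must be escaped
        s = "\\" + s
    if len(value) > 1 and s.endswith(" "):  # trailing space must be escaped
        s = s[:-1] + "\\ "
    return s


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)


def tree_url_to_dn(tree: str) -> str:
    """'myDom.com/Sales/Users' -> 'ou=Users,ou=Sales,dc=myDom,dc=com'."""
    parts = tree.strip().strip("/").split("/")
    domain, containers = parts[0], parts[1:]
    if not domain or any(not c for c in containers):
        raise ValueError(f"malformed tree: {tree!r}")
    rdns = []
    # A DN lists the deepest container first, so walk the path from the leaf up
    for depth, name in enumerate(reversed(containers)):
        top_level = depth == len(containers) - 1   # sits directly under the domain
        attr = "cn" if top_level and name.lower() in AD_CN_CONTAINERS else "ou"
        rdns.append(f"{attr}={escape_rdn_value(name)}")
    rdns.extend(f"dc={escape_rdn_value(label)}" for label in domain.split("."))
    return ",".join(rdns)


def _split_dn(dn: str) -> list:
    """Split a DN on commas that are not backslash-escaped."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def dn_to_tree_url(dn: str) -> str:
    """Inverse of tree_url_to_dn: 'cn=Users,dc=myDom,dc=com' -> 'myDom.com/Users'.
    Only ou=, cn= and dc= components are meaningful in a tree DN."""
    containers, labels = [], []
    for rdn in _split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"bad RDN: {rdn!r}")
        attr = attr.strip().lower()
        if attr == "dc":
            labels.append(_unescape(value.strip()))
        elif attr in ("ou", "cn"):
            containers.append(_unescape(value.strip()))
        else:
            raise ValueError(f"unsupported RDN in a tree DN: {rdn!r}")
    if not labels:
        raise ValueError("DN has no dc= components")
    return "/".join([".".join(labels)] + list(reversed(containers)))


def normalise_tree_list(entries, limit: int) -> list:
    """Accept a mixed list of URL-format and DN-format trees (as the appliance
    does), return them as DNs with case-insensitive duplicates removed and
    order kept, and refuse lists over the limit (64 for users, 32 for groups)."""
    seen, out = set(), []
    for entry in entries:
        dn = entry.strip() if "=" in entry else tree_url_to_dn(entry)
        if dn.lower() not in seen:
            seen.add(dn.lower())
            out.append(dn)
    if len(out) > limit:
        raise ValueError(f"{len(out)} trees exceeds the limit of {limit}")
    return out
```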
                <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">Ordering
is not critical, but since they are searched in the given order it is
most efficient to place the most commonly used trees first in each list.
If referrals between multiple LDAP servers are to be used, then the
trees are best ordered with those on the primary server first, and the
rest in the same order that they will be referred.</font></font></font></font></p>
                <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Note:</strong>
When working with AD, to determine the location of a user in the
directory for the ‘User tree for login to server’ field, the directory
can be searched manually from the Active Directory Users and Settings
control panel applet on the server, or a directory search utility such
as queryad.vbs in the Windows NT/2000/XP Resource Kit can be run from
any PC in the domain.</font></font></font></font></p>
                <ul><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">
                    <li>
                    <div align="left">
                    <p><font face="Arial" size="2"><strong>Auto-configure</strong> – This causes the SonicWALL to auto-configure the <strong>Trees containing</strong> <strong>users</strong> and <strong>Trees containing user groups</strong>
fields by scanning through the directory or directories looking for all
trees that contain user objects. To use auto-configure, first enter a
value in the <strong>User tree for login to server</strong> field (unless anonymous login is set), and then click the <strong>Auto-configure</strong> button to bring up the following dialog:</font></p>
                    <p><font face="Arial" size="2"><img alt="Auto Configuration Dialog Box" src="https://www.fuzeqna.com/sonicwallkb/includes/customer/sonicwallkb/uploadfiles/Image/Configuring%20LDAP%20Integration%20in%20SonicOS%20Enhanced%20-%20KBID%204060/KBID4060%20Image6.JPG" height="183" width="267"></font></p>
                    </div>
                    </li>
                    </font></font></font></ul>
                    <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">In the Auto Configure dialog box, enter the desired domain in the Domain to search field. Select one of the following:<br>
                    <br>
                    – <strong>Append to existing trees</strong> – This selection will append newly located trees to the current configuration.<br>
                    – <strong>Replace existing trees</strong> – This selection will start from scratch removing all currently configured trees first.</font></font></font></font></p>
                    <ul><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">
                        <li><font face="Arial" size="2">Click <strong>OK</strong>.<br>
                        The auto-configuration process may also locate trees that are not needed for user login.<br>
                        You can manually remove these entries.</font></li>
                        </font></font></font></ul>
                        <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the <strong>Domain to search</strong> value accordingly and selecting <strong>Append to existing trees</strong> on each subsequent run.</font></font></font></font></p>
                        <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Step 8</strong> On the <strong>LDAP Users</strong> tab, configure the following fields:</font></font></font></font></p>
                        <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><img alt="LDAP Users tab" src="https://www.fuzeqna.com/sonicwallkb/includes/customer/sonicwallkb/uploadfiles/Image/Configuring%20LDAP%20Integration%20in%20SonicOS%20Enhanced%20-%20KBID%204060/KBID4060%20Image7.JPG" height="352" width="400"></font></font></font></font></p>
                        <ul><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">
                            <li>
                            <div><font face="Arial" size="2">Allow only
users listed locally – Requires that LDAP users also be present in the
SonicWALL local user database for logins to be allowed.<br>
                            </font></div>
                            </li>
                            <li>
                            <div><font face="Arial" size="2">User group
membership can be set locally by duplicating LDAP user names – Allows
for group membership (and privileges) to be determined by the
intersection of local user and LDAP user configurations.<br>
                            </font></div>
                            </li>
                            <li>
                            <div><font face="Arial" size="2">Default
LDAP User Group – A default group on the SonicWALL to which LDAP users
will belong in addition to group memberships configured on the LDAP
server.<br>
                            </font></div>
                            </li>
                            <li>
                            <div>
                            <p><font face="Arial" size="2">Import user
groups – You can click this button to configure user groups on the
SonicWALL by retrieving the user group names from your LDAP server. The
Import user groups button launches a dialog box containing the list of
user group names available for import to the SonicWALL.</font></p>
                            <p><font face="Arial" size="2"><img alt="Import User Groups" src="https://www.fuzeqna.com/sonicwallkb/includes/customer/sonicwallkb/uploadfiles/Image/Configuring%20LDAP%20Integration%20in%20SonicOS%20Enhanced%20-%20KBID%204060/KBID4060%20Image8.JPG" height="510" width="411"></font></p>
                            </div>
                            </li>
                            </font></font></font></ul>
                            <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">In
the LDAP Import User Groups dialog box, select the checkbox for each
group that you want to import into the SonicWALL, and then click Save.</font></font></font></font></p>
                            <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">Having
user groups on the SonicWALL with the same name as existing LDAP/AD
user groups allows SonicWALL group memberships and privileges to be
granted upon successful LDAP authentication.</font></font></font></font></p>
<p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">Alternatively,
you can manually create user groups on the LDAP/AD server with the same
names as SonicWALL built-in groups (such as ‘Guest Services’, ‘Content
Filtering Bypass’, ‘Limited Administrators’) and assign users to these
groups in the directory. This also allows SonicWALL group memberships to
be granted upon successful LDAP authentication. Because the match is by group name only, anyone who can change the membership of such a directory group can grant the corresponding firewall privilege, so restrict who may edit directory groups named after SonicWALL built-ins such as ‘Limited Administrators’.</font></font></font></font></p>
<p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">The
SonicWALL appliance can retrieve group memberships efficiently in the
case of Active Directory by taking advantage of the ‘memberOf’ attribute that
Active Directory returns on the user object, so no separate group search is needed after the user is located.</font></font></font></font></p>
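<p align="left"><font face="Arial" size="2">The following is an added example, not SonicOS code, of the group-mapping logic Step 8 describes: the group names are taken from the ‘memberOf’ DNs returned for the user, matched by name against the groups that exist on the SonicWALL (built-in or imported), gated by ‘Allow only users listed locally’, merged with a duplicated local user’s groups, and extended with the ‘Default LDAP User Group’. The directory contents, the ‘VPN Users’ group and the default-group name ‘LDAP Users’ are constructed; whether SonicOS compares group names case-insensitively is an assumption.</font></p>

```python
"""Added example (not SonicOS code): deriving a user's SonicWALL group set from
the AD 'memberOf' values returned at LDAP login, as Step 8 describes.
Directory contents, the 'VPN Users' group and the default-group name
'LDAP Users' are constructed for illustration."""

# Built-in groups named on the page; SonicWALL matches directory groups by name.
BUILTIN_GROUPS = {"Guest Services", "Content Filtering Bypass", "Limited Administrators"}

_HEX = "0123456789abcdefABCDEF"


def first_rdn_value(dn: str) -> str:
    """Return the value of the leading RDN of an LDAP DN (the CN of a group),
    honouring RFC 4514 escapes: 'CN=Sales\\, EMEA,OU=...' -> 'Sales, EMEA'."""
    _, _, rest = dn.partition("=")
    value, i = [], 0
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            pair = rest[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                value.append(chr(int(pair, 16)))   # '\2C' hex-escaped form
                i += 3
            else:
                value.append(rest[i + 1])          # '\,' backslash-escaped form
                i += 2
            continue
        if ch == ",":
            break                                   # end of the first RDN
        value.append(ch)
        i += 1
    return "".join(value).strip()


def effective_groups(user, directory, sonicwall_groups, local_users,
                     default_ldap_group=None, allow_only_local=False,
                     duplicate_local_membership=False):
    """SonicWALL group names a user holds after a successful LDAP bind, or
    None when the LDAP Users settings refuse the login.

    directory        -- {user: {"memberOf": [group DN, ...]}} (stands in for AD)
    sonicwall_groups -- groups that exist on the appliance (built-in or imported)
    local_users      -- {user: [local group, ...]} local user database
    The page does not say whether name matching is case-sensitive; this
    example assumes case-insensitive, as AD group names themselves are."""
    key = user.lower()
    entry = directory.get(key)
    if entry is None:
        return None                                 # no such account: bind fails
    locals_lc = {u.lower(): g for u, g in local_users.items()}
    if allow_only_local and key not in locals_lc:
        return None                                 # 'Allow only users listed locally'
    known = {g.lower(): g for g in sonicwall_groups}
    names = (first_rdn_value(dn) for dn in entry.get("memberOf", []))
    groups = {known[n.lower()] for n in names if n.lower() in known}
    if duplicate_local_membership and key in locals_lc:
        groups |= set(locals_lc[key])               # duplicated local user's groups
    if default_ldap_group:
        groups.add(default_ldap_group)              # 'Default LDAP User Group'
    return groups


# Constructed sample data.
DIRECTORY = {
    "alice": {"memberOf": ["CN=Limited Administrators,OU=Firewall,DC=example,DC=com",
                           "CN=Sales\\, EMEA,OU=Groups,DC=example,DC=com"]},
    "bob":   {"memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"]},
    "carol": {"memberOf": []},
}
SONICWALL_GROUPS = BUILTIN_GROUPS | {"VPN Users"}     # 'VPN Users' as if imported
LOCAL_USERS = {"bob": ["Content Filtering Bypass"]}

if __name__ == "__main__":
    for u in DIRECTORY:
        print(u, effective_groups(u, DIRECTORY, SONICWALL_GROUPS, LOCAL_USERS,
                                  default_ldap_group="LDAP Users",
                                  duplicate_local_membership=True))
```

<p align="left"><font face="Arial" size="2">Note that alice’s ‘Sales, EMEA’ membership is dropped simply because no SonicWALL group of that name exists, while her ‘Limited Administrators’ membership is honoured: the appliance never checks where in the directory the group lives, only what it is called.</font></p>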
                            <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Step 9</strong> On the <strong>LDAP Relay</strong> tab, configure the following fields:</font></font></font></font></p>
                            <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><img alt="LDAP Relay Tab" src="https://www.fuzeqna.com/sonicwallkb/includes/customer/sonicwallkb/uploadfiles/Image/Configuring%20LDAP%20Integration%20in%20SonicOS%20Enhanced%20-%20KBID%204060/KBID4060%20Image9.JPG" height="297" width="330"></font></font></font></font></p>
                            <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">The
RADIUS to LDAP Relay feature is designed for use in a topology where
there is a central site with an LDAP/AD server and a central SonicWALL
with remote satellite sites connected into it via low-end SonicWALL
security appliances that may not support LDAP. In that case the central
SonicWALL can operate as a RADIUS server for the remote SonicWALLs,
acting as a gateway between RADIUS and LDAP, and relaying authentication
requests from them to the LDAP server.</font></font></font></font></p>
                            <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">Additionally,
for remote SonicWALLs running non-enhanced firmware, with this feature
the central SonicWALL can return legacy user privilege information to
them based on user group memberships learned via LDAP. This avoids what
can be very complex configuration of an external RADIUS server such as
IAS for those SonicWALLs.</font></font></font></font></p>
                            <ul><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">
                                <li>
                                <div><font face="Arial" size="2"><strong>Enable RADIUS to LDAP Relay</strong> – Enables this feature.<br>
                                </font></div>
                                </li>
                                <li>
<div><font face="Arial" size="2"><strong>Allow RADIUS clients to connect via</strong> – Check the relevant checkboxes; policy rules that allow the incoming RADIUS requests are added accordingly.<br>
                                </font></div>
                                </li>
                                <li>
<div><font face="Arial" size="2"><strong>RADIUS shared secret</strong> – This is a shared secret common to all remote SonicWALLs. It is also what hides the User-Password attribute in their RADIUS requests, so the compromise of any one remote appliance exposes the secret, and with it every user password relayed from any site; use a long random value.<br>
                                </font></div>
                                </li>
                                <li>
                                <div><font face="Arial" size="2"><strong>User groups for legacy VPN users</strong>
– Defines the user group that corresponds to the legacy ‘Access to
VPNs’ privileges. When a user in this user group is authenticated, the
remote SonicWALL is notified to give the user the relevant privileges.<br>
                                </font></div>
                                </li>
                                <li>
                                <div><font face="Arial" size="2"><strong>User groups for legacy VPN client users</strong>
– Defines the user group that corresponds to the legacy ‘Access from
VPN client with XAUTH’ privileges. When a user in this user group is
authenticated, the remote SonicWALL is notified to give the user the
relevant privileges.<br>
                                </font></div>
                                </li>
                                <li>
                                <div><font face="Arial" size="2"><strong>User groups for legacy L2TP users</strong>
– Defines the user group that corresponds to the legacy ‘Access from
L2TP VPN client’ privileges. When a user in this user group is
authenticated, the remote SonicWALL is notified to give the user the
relevant privileges.<br>
                                </font></div>
                                </li>
                                <li>
                                <div><font face="Arial" size="2"><strong>User groups for legacy users with Internet access</strong>
– Defines the user group that corresponds to the legacy ‘Allow Internet
access (when access is restricted)’ privileges. When a user in this
user group is authenticated, the remote SonicWALL is notified to give
the user the relevant privileges.</font></div>
                                </li>
                                </font></font></font></ul>
                                <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Note:</strong>
The ‘Bypass filters’ and ‘Limited management capabilities’ privileges
are returned based on membership to user groups named ‘Content Filtering
Bypass’ and ‘Limited Administrators’ – these are not configurable.</font></font></font></font></p>
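<p align="left"><font face="Arial" size="2">The following is an added example, not SonicOS code, of the RADIUS leg of the relay described in Step 9: the remote appliance builds an Access-Request whose User-Password is hidden with the shared secret (RFC 2865 section 5.2), the central appliance recovers the password, attempts the bind (a dictionary stands in for the LDAP server) and answers with an Access-Accept or Access-Reject carrying a valid Response Authenticator, which the remote appliance verifies. The secret, the user and the directory are constructed; the optional Message-Authenticator attribute of RFC 2869 is not implemented.</font></p>

```python
"""Added example (not SonicOS code) of the RADIUS leg of the RADIUS-to-LDAP
relay in Step 9.  The secret, user and directory below are constructed; the
optional Message-Authenticator attribute (RFC 2869) is not implemented."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c1 = p1 ^ MD5(S+RA), cN = pN ^ MD5(S+c(N-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is also exactly what an eavesdropper who
    holds the shared secret runs on a captured Access-Request."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {attribute type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = pkt[pos], pkt[pos + 1]
        attrs[kind] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def access_request(user: str, password: str, secret: bytes, ident: int = 1,
                   request_auth: bytes = None) -> bytes:
    """Remote SonicWALL side: build the Access-Request (fresh random RA unless given)."""
    ra = request_auth or os.urandom(16)
    attrs = _attr(USER_NAME, user.encode()) + _attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
    return _packet(ACCESS_REQUEST, ident, ra, attrs)


def relay(pkt: bytes, secret: bytes, directory: dict) -> bytes:
    """Central SonicWALL side: recover the password with the shared secret,
    attempt the 'bind' against the directory and answer the remote appliance."""
    code, ident, ra, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        reply = ACCESS_REJECT
    else:
        user = attrs[USER_NAME].decode(errors="replace")
        password = reveal_password(attrs[USER_PASSWORD], secret, ra)
        # A wrong secret on either side yields garbage here, so the bind just fails.
        reply = ACCESS_ACCEPT if directory.get(user) == password else ACCESS_REJECT
    attrs_out = b""                       # no reply attributes in this example
    header = struct.pack("!BBH", reply, ident, 20 + len(attrs_out))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + ra + attrs_out + secret).digest()
    return _packet(reply, ident, resp_auth, attrs_out)


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Remote side: trust only a reply whose Response Authenticator matches."""
    code, _, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(resp_auth, expected) and code == ACCESS_ACCEPT


# Constructed sample data.
SECRET = b"one-secret-shared-by-every-remote-site"
DIRECTORY = {"alice": b"Correct Horse Battery"}   # stand-in for the LDAP bind

if __name__ == "__main__":
    ra = os.urandom(16)
    req = access_request("alice", "Correct Horse Battery", SECRET, request_auth=ra)
    print("accepted:", verify_reply(relay(req, SECRET, DIRECTORY), ra, SECRET))
    print("eavesdropper holding the secret sees:",
          reveal_password(parse_packet(req)[3][USER_PASSWORD], SECRET, ra))
```

<p align="left"><font face="Arial" size="2">The last line of the usage shows why the shared secret deserves the same care as the LDAP bind credentials: the password hiding is a stream derived from MD5 over the secret and the Request Authenticator, not encryption keyed to the receiver, so anyone who can both capture the RADIUS traffic between a satellite site and the central SonicWALL and obtain the secret from any one remote appliance recovers the directory passwords of every user who logs in through that relay.</font></p>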
                                <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><strong>Step 10</strong> Select the <strong>Test</strong> tab to test the configured LDAP settings:</font></font></font></font></p>
                                <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><img alt="Test Tab" src="https://www.fuzeqna.com/sonicwallkb/includes/customer/sonicwallkb/uploadfiles/Image/Configuring%20LDAP%20Integration%20in%20SonicOS%20Enhanced%20-%20KBID%204060/KBID4060%20Image10.JPG" height="349" width="398"></font></font></font></font></p>
                                <p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2">The <strong>Test LDAP Settings</strong>
page allows for the configured LDAP settings to be tested by attempting
authentication with specified user and password credentials. Any user
group memberships and/or framed IP address configured on the LDAP/AD
server for the user will be displayed.</font></font></font></font></p>
<p align="left"><font face="Arial" size="2"><font face="Arial" size="2"><font face="Arial" size="2"><font size="1">Source: Excerpt from SonicOS Enhanced 4.0 Administration Guide</font></font></font></font></p>
                                </li></ul>