Preparing Your LDAP Server for Integration
Integrating your SonicWALL appliance with an LDAP directory service requires configuring your LDAP server for certificate management, installing the correct certificate on your SonicWALL appliance, and configuring the SonicWALL appliance to use the information from the LDAP Server.
Before beginning your LDAP configuration, you should prepare your LDAP server and your SonicWALL for LDAP over TLS support. This requires:
The following procedures describe how to perform these tasks in an Active Directory environment.
Configuring the CA on the Active Directory Server
To configure the CA on the Active Directory server (skip the first five steps if Certificate Services are already installed):
Step 1 Navigate to Start > Settings > Control Panel > Add/Remove Programs
Step 2 Select Add/Remove Windows Components
Step 3 Select Certificate Services
Step 4 Select Enterprise Root CA when prompted.
Step 5 Enter the requested information. For information about certificates on Windows systems, see http://support.microsoft.com/kb/931125.
Step 6 Launch the Domain Security Policy application: Navigate to Start > Run and run the command: dompol.msc.
Step 7 Open Security Settings > Public Key Policies.
Step 8 Right click Automatic Certificate Request Settings.
Step 9 Select New > Automatic Certificate Request.
Step 10 Step through the wizard, and select Domain Controller from the list.
Exporting the CA Certificate from the Active Directory Server
To export the CA certificate from the AD server:
Step 1 Launch the Certification Authority application: Start > Run > certsrv.msc.
Step 2 Right click on the CA you created, and select Properties.
Step 3 On the General tab, click the View Certificate button.
Step 4 On the Details tab, select Copy to File.
Step 5 Step through the wizard, and select the Base-64 Encoded X.509 (.cer) format.
Step 6 Specify a path and filename to which to save the certificate.
Importing the CA Certificate onto the SonicWALL
To import the CA certificate onto the SonicWALL (the appliance uses this CA certificate to validate the server certificate the LDAP server presents when TLS is enabled, so import the CA certificate exported above, not the domain controller's own certificate):
Step 1 Browse to System > CA Certificates.
Step 2 Select Add new CA certificate. Browse to and select the certificate file you just exported.
Step 3 Click the Import certificate button.
Configuring the SonicWALL Appliance for LDAP
The Users > Settings page in the administrative interface provides the settings for managing your LDAP integration:
Step 1 In the SonicOS administrative interface, open the Users > Settings page.
Step 2 In the Authentication method for login drop-down list, select either LDAP or LDAP + Local Users.
Step 3 Click Configure.
Step 4 If you are connected to your SonicWALL appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), click Yes.
Step 5 On the Settings tab of the LDAP Configuration window, configure the following fields:
Step 6 On the Schema tab, configure the following fields:
LDAP Schema – Select one of the following:
– Microsoft Active Directory
– RFC2798 inetOrgPerson
– RFC2307 Network Information Service
– Samba SMB
– Novell eDirectory
– User defined
Selecting any of the predefined schemas will automatically populate the fields used by that schema with their correct values. Selecting User defined will allow you to specify your own values; use this only if you have a specific or proprietary LDAP schema configuration.
Object class – Select the object class that represents an individual user account; the next two fields are attributes of objects of this class. The predefined schemas use the following classes:
– user for Microsoft Active Directory
– inetOrgPerson for RFC2798 inetOrgPerson
– posixAccount for RFC2307 Network Information Service
– sambaSAMAccount for Samba SMB
– inetOrgPerson for Novell eDirectory
Login name attribute – Select the attribute of the user object whose value is the name the user types at login. This is sAMAccountName for Microsoft Active Directory; the RFC2798 inetOrgPerson, RFC2307 and Samba SMB schemas use the standard uid attribute. Selecting a predefined schema fills this in for you.
Qualified login name attribute – Optionally select an attribute of a user object that sets an alternative login name for the user in name@domain format. This may be needed with multiple domains in particular, where the simple login name may not be unique across domains. This is set to mail for Microsoft Active Directory and RFC2798 inetOrgPerson.
User group membership attribute – Select the attribute that contains information about the groups to which the user object belongs. This is memberOf in Microsoft Active Directory. The other pre-defined schemas store group membership information in the group object rather than the user object, and therefore do not use this field.
Framed IP address attribute – Select the attribute that can be used to retrieve a static IP address that is assigned to a user in the directory. Currently it is only used for a user connecting via L2TP with the SonicWALL’s L2TP server. In the future this may also be supported for Global VPN Client. In Active Directory the static IP address is configured on the Dial-in tab of a user’s properties.
Step 7 On the Directory tab, configure the following fields:
Note: AD has some built-in containers that do not follow the usual ou= layout (e.g. the DN for the top level Users container is formatted as “cn=Users,dc=…”, using ‘cn’ rather than ‘ou’), but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format.
Ordering is not critical, but since they are searched in the given order it is most efficient to place the most commonly used trees first in each list. If referrals between multiple LDAP servers are to be used, then the trees are best ordered with those on the primary server first, and the rest in the same order that they will be referred.
Note: When working with AD, to determine the location of a user in the directory for the ‘User tree for login to server’ field, the directory can be searched manually from the Active Directory Users and Computers snap-in on the server, or a directory search utility such as queryad.vbs in the Windows NT/2000/XP Resource Kit can be run from any PC in the domain.
Auto-configure – This causes the SonicWALL to auto-configure the Trees containing users and Trees containing user groups fields by scanning through the directory or directories looking for all trees that contain user objects. To use auto-configure, first enter a value in the User tree for login to server field (unless anonymous login is set), and then click the Auto-configure button to bring up the following dialog:
In the Auto Configure dialog box, enter the desired domain in the Domain to search field. Select one of the following:
– Append to existing trees – This selection will append newly located trees to the current configuration.
– Replace existing trees – This selection will start from scratch removing all currently configured trees first.
If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the Domain to search value accordingly and selecting Append to existing trees on each subsequent run.
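The Directory tab accepts tree names in a URL-like form and the appliance turns them into DNs itself, treating AD's built-in containers as cn= objects as the note above describes. The following is an added example (not SonicWALL code) that performs that conversion and the Append/Replace merge of the Auto-configure dialog for a list of trees. It assumes the URL form is `<dns-domain>/<container>/<sub-container>...`, that only a path element directly under the domain root that names one of AD's well-known built-in containers becomes a cn= RDN, that everything else is an ou=, and that DN values are escaped per RFC 4514; the container list and the exact URL syntax are assumptions, not SonicOS internals.

```python
"""Convert Directory-tab 'URL format' tree names into LDAP DNs.

Added example, not SonicWALL code.  The URL syntax and the list of AD
built-in containers below are assumptions made for this illustration.
"""

# Assumption: AD's default top-level containers that are CN objects, not OUs
AD_BUILTIN_CN_CONTAINERS = {
    "users", "computers", "builtin", "foreignsecurityprincipals",
    "program data", "system", "managed service accounts",
}


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def tree_to_dn(tree):
    """'mydomain.com/Sales/Eng' -> 'ou=Eng,ou=Sales,dc=mydomain,dc=com'."""
    tree = tree.strip().strip("/")
    if not tree:
        raise ValueError("empty tree")
    domain, *path = tree.split("/")
    labels = [label for label in domain.split(".") if label]
    if not labels:
        raise ValueError("tree must start with a DNS domain name")
    base = ",".join("dc=" + escape_dn_value(label) for label in labels)
    rdns = []
    for depth, element in enumerate(path):
        if not element:
            raise ValueError("empty path element in %r" % tree)
        # Only a top-level element can be one of AD's built-in CN containers;
        # a nested 'Users' is an ordinary OU somebody created.
        is_builtin = depth == 0 and element.lower() in AD_BUILTIN_CN_CONTAINERS
        rdns.append(("cn=" if is_builtin else "ou=") + escape_dn_value(element))
    # DNs are written most-specific first, so reverse the path order
    return ",".join(list(reversed(rdns)) + [base])


def merge_trees(existing, found, replace=False):
    """Model the Auto-configure dialog: 'Replace existing trees' discards the
    current list; 'Append to existing trees' keeps it, adds new trees after it
    and drops duplicates.  Order is preserved because trees are searched in
    the order listed."""
    result = [] if replace else list(existing)
    for tree in found:
        if tree not in result:
            result.append(tree)
    return result


if __name__ == "__main__":
    configured = ["mydomain.com/Users", "mydomain.com/Sales"]
    located = ["mydomain.com/Users", "mydomain.com/Sales/Engineering"]
    for tree in merge_trees(configured, located):
        print(tree, "->", tree_to_dn(tree))
```

Run it stand-alone to see each configured tree beside the DN the appliance would search; feed the appliance's own tree list to `merge_trees` with `replace=False` to see what a second Auto-configure run against a referred domain adds.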
Step 8 On the LDAP Users tab, configure the following fields:
Import user groups – You can click this button to configure user groups on the SonicWALL by retrieving the user group names from your LDAP server. The Import user groups button launches a dialog box containing the list of user group names available for import to the SonicWALL.
In the LDAP Import User Groups dialog box, select the checkbox for each group that you want to import into the SonicWALL, and then click Save.
Having user groups on the SonicWALL with the same name as existing LDAP/AD user groups allows SonicWALL group memberships and privileges to be granted upon successful LDAP authentication.
Alternatively, you can manually create user groups on the LDAP/AD server with the same names as SonicWALL built-in groups (such as ‘Guest Services’, ‘Content Filtering Bypass’, ‘Limited Administrators’) and assign users to these groups in the directory. This also allows SonicWALL group memberships to be granted upon successful LDAP authentication.
The SonicWALL appliance can retrieve group memberships efficiently in the case of Active Directory by taking advantage of the ‘memberOf’ attribute that AD returns on the user object, which avoids a separate search of the group objects.
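The Schema tab fields above (object class, login name attribute, user group membership attribute, framed IP address attribute) and the group-name matching described on this tab fit together as one lookup: find the user object by its login attribute, collect its group names either from the user's memberOf (Active Directory) or by searching the group objects (the other schemas), then keep the names that equal a SonicWALL group. The following is an added example, not SonicOS code, that runs that lookup against a small constructed in-memory directory instead of a live LDAP server. The per-schema class and attribute names are the standard Active Directory and RFC2307 values rather than a dump of SonicOS's internal table; the appliance group list is illustrative; and decoding AD's msRADIUSFramedIPAddress as a big-endian 32-bit integer that the directory may show as a signed value is an assumption.

```python
"""Resolve a login name to directory groups and appliance groups.

Added example, not SonicOS code.  The directory below is constructed sample
data; schema values are the standard AD / RFC2307 ones (an assumption about
what the predefined schemas map to).
"""

SCHEMAS = {
    "Microsoft Active Directory": {
        "object_class": "user", "login_attr": "sAMAccountName",
        # AD returns memberOf on the user object, so no group search is needed
        "membership_attr": "memberOf",
        "group_class": "group", "group_member_attr": "member",
    },
    "RFC2307 Network Information Service": {
        "object_class": "posixAccount", "login_attr": "uid",
        # RFC2307 keeps membership in the group object (posixGroup/memberUid)
        "membership_attr": None,
        "group_class": "posixGroup", "group_member_attr": "memberUid",
    },
}

# Constructed sample directory; every attribute value is stored as a list
DIRECTORY = [
    {"dn": "cn=Jane Doe,cn=Users,dc=example,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["jdoe"], "mail": ["jdoe@example.com"],
     "memberOf": ["cn=Content Filtering Bypass,cn=Users,dc=example,dc=com",
                  "cn=Sales,ou=Groups,dc=example,dc=com"],
     "msRADIUSFramedIPAddress": [167772161]},          # 10.0.0.1 as an integer
    {"dn": "uid=bob,ou=People,dc=example,dc=com",
     "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"]},
    {"dn": "cn=Limited Administrators,ou=Groups,dc=example,dc=com",
     "objectClass": ["posixGroup"], "memberUid": ["bob", "alice"]},
    {"dn": "cn=Sales,ou=Groups,dc=example,dc=com",
     "objectClass": ["posixGroup"], "memberUid": ["alice"]},
]

# Illustrative set of groups configured on the appliance (assumption)
APPLIANCE_GROUPS = {"Trusted Users", "Guest Services",
                    "Content Filtering Bypass", "Limited Administrators"}


def first_rdn_value(dn):
    """Value of the leading RDN of a DN; honours backslash-escaped commas."""
    _attr, _, rest = dn.partition("=")
    value, escaped = [], False
    for ch in rest:
        if escaped:
            value.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            break
        else:
            value.append(ch)
    return "".join(value)


def find_user(entries, schema_name, login_name):
    """Match login_name against the schema's login attribute, considering only
    entries of the schema's user object class.  Matching is case-insensitive,
    as sAMAccountName and uid are in practice."""
    s = SCHEMAS[schema_name]
    for e in entries:
        if s["object_class"] not in e.get("objectClass", []):
            continue
        if any(v.casefold() == login_name.casefold() for v in e.get(s["login_attr"], [])):
            return e
    return None


def group_names(entries, schema_name, user):
    """Group names for a user: from memberOf when the schema has a membership
    attribute, otherwise by searching group objects for the user."""
    s = SCHEMAS[schema_name]
    if s["membership_attr"]:
        return sorted(first_rdn_value(dn) for dn in user.get(s["membership_attr"], []))
    login_values = {v.casefold() for v in user.get(s["login_attr"], [])}
    names = []
    for e in entries:
        if s["group_class"] not in e.get("objectClass", []):
            continue
        members = e.get(s["group_member_attr"], [])
        # a group lists either member DNs (groupOfNames/group) or login values (memberUid)
        if user["dn"] in members or any(m.casefold() in login_values for m in members):
            names.append(first_rdn_value(e["dn"]))
    return sorted(names)


def matching_appliance_groups(directory_groups, appliance_groups=APPLIANCE_GROUPS):
    """Directory groups whose names equal an appliance group are the ones that
    grant SonicWALL membership and privileges after LDAP authentication."""
    return set(directory_groups) & set(appliance_groups)


def decode_framed_ip(value):
    """Dotted-quad form of a framed IP attribute value.  Assumption: AD stores
    msRADIUSFramedIPAddress as a 32-bit big-endian integer, possibly shown
    as a negative signed value; a dotted string is passed through."""
    if isinstance(value, str):
        return value
    return ".".join(str(b) for b in (value & 0xFFFFFFFF).to_bytes(4, "big"))


if __name__ == "__main__":
    for schema, login in (("Microsoft Active Directory", "JDoe"),
                          ("RFC2307 Network Information Service", "bob")):
        user = find_user(DIRECTORY, schema, login)
        groups = group_names(DIRECTORY, schema, user)
        framed = [decode_framed_ip(v) for v in user.get("msRADIUSFramedIPAddress", [])]
        print(schema, user["dn"], groups, matching_appliance_groups(groups), framed)
```

The `__main__` section prints what the Test tab would show for each user: the resolved DN, the directory group names, the subset that maps onto appliance groups, and any framed IP address.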
Step 9 On the LDAP Relay tab, configure the following fields:
The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site with an LDAP/AD server and a central SonicWALL with remote satellite sites connected into it via low-end SonicWALL security appliances that may not support LDAP. In that case the central SonicWALL can operate as a RADIUS server for the remote SonicWALLs, acting as a gateway between RADIUS and LDAP, and relaying authentication requests from them to the LDAP server.
Additionally, for remote SonicWALLs running non-enhanced firmware, with this feature the central SonicWALL can return legacy user privilege information to them based on user group memberships learned via LDAP. This avoids what can be very complex configuration of an external RADIUS server such as IAS for those SonicWALLs.
Note: The ‘Bypass filters’ and ‘Limited management capabilities’ privileges are returned based on membership to user groups named ‘Content Filtering Bypass’ and ‘Limited Administrators’ – these are not configurable.
Step 10 Select the Test tab to test the configured LDAP settings:
The Test LDAP Settings page allows for the configured LDAP settings to be tested by attempting authentication with specified user and password credentials. Any user group memberships and/or framed IP address configured on the LDAP/AD server for the user will be displayed.
Source: Excerpt from SonicOS Enhanced 4.0 Administrator's Guide