Configuring active directory / LDAP

The system supports authentication against an Active Directory or LDAP server. Detailed steps for configuring Active Directory or an LDAP server are provided.

Note: In general, and particularly for an LDAP server, an administrator must carefully review the configuration values that the Manager auto-populates and validate or adjust them. See the examples that are displayed to the right of the text boxes in the configuration section.

Begin the configuration:

  1. On the Settings tab, navigate to Authentication > Active Directory/LDAP.
  2. In the Active Directory / LDAP Configuration page:
    1. For Active Directory, enter the domain in the Discovery box; the Manager attempts to automatically discover details about the server. The Manager discovers details in these ways:
      • DNS SRV records. Entering xyz.com as the domain triggers a search of DNS SRV records for _ldap._tcp.xyz.com against each of the configured DNS servers. If successful, the resolution provides the name of the AD server and any backup servers.
      • If the SRV lookup fails, the Manager resolves the domain name xyz.com through DNS to an IP address.
    2. If you run into problems with automatic discovery, confirm the following items:
      • DNS servers are configured on the Manager; at least 2 DNS servers are specified.
      • DNS port (UDP 53) is open on the firewall between the Manager and the DNS server.
      • LDAPS/LDAP ports (TCP 636 and 389) are open between the Manager and the AD server.
        Note: The Manager also supports assigning roles to Active Directory groups within the Security tab. After the AD server is specified, Create Group will now appear on the Security tab.
    3. If the discovery succeeds, the fields that follow the Discovery box populate (such as enabling authentication, Domain, LDAP URL, User Authentication Model, Certificate PEM).
      Note: The discovery populates information for only the top-level domain in a nested Active Directory structure. If you use a domain structure with parent-child relationships, add any child domains to the Domain field separated by a comma or space. For example, where mydomain.com is the parent domain and maple.mydomain.com and oak.mydomain.com are children, enter the following text in the Domain field: mydomain.com,maple.mydomain.com,oak.mydomain.com.
    4. If your DNS infrastructure supports SRV lookups and you want to determine the LDAP URLs dynamically at authentication time, check the Dynamically identify LDAP controller names from DNS SRV records box. By default, the box is not checked and the software uses the static list of configured LDAP URLs.
      • When an authentication attempt that uses an LDAP user name and password is made against either a Manager or an Accesser, the device discovers the LDAP service host names from DNS at that time. For example, a DNS SRV lookup is done for _ldap._tcp.<domainName> and a controller is selected by using standard SRV priority and weighting rules.
      • For a GDG environment, you can ensure that the device always uses a local LDAP service by configuring the LDAP Service Name on each site in the Manager. For example, a DNS SRV lookup is done for _ldap._tcp.<siteLdapServiceName>._sites.<domainName> and a controller is selected by using standard SRV priority and weighting rules.
    5. Depending on whether an Active Directory or an LDAP authentication model is being used, complete the extra configuration for that model:
      • Active Directory: If everything appears okay, no further configuration is needed. Click Update.
      • LDAP server:
        • Select LDAP Bind+Search Model in the User Authentication Model section.
        • Review auto-populated fields and adjust as needed.
        • Click Update.
        • If Group Support is enabled for LDAP, a new action appears for accounts under the Security tab.
Note: For account or group creation or deletion, see Authentication and authorization.
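The discovery order from steps 1 and 4 above (SRV lookup of _ldap._tcp.<domain>, or the site-scoped _ldap._tcp.<site>._sites.<domain>, then a plain DNS fallback) and the standard SRV priority/weight selection, as an added Python example that is not the Manager's own code. The zone data is constructed inline, the resolvers are plain callables (a dict lookup here), and the ldap:// scheme for the resulting URLs is an assumption.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def srv_name(domain, site=None):
    """Name queried for the LDAP service: global, or scoped to a site (GDG case)."""
    return f"_ldap._tcp.{site}._sites.{domain}" if site else f"_ldap._tcp.{domain}"

def order_controllers(records, rng=random):
    """Order SRV records per RFC 2782: lowest priority first, then a weighted
    random draw among records that share a priority (weight 0 is rarely chosen)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered

def discover_ldap_controllers(domain, srv_lookup, a_lookup, site=None, rng=random):
    """SRV records first; if none exist, fall back to resolving the domain name
    itself to an IP and assume the standard LDAP port (389)."""
    records = srv_lookup(srv_name(domain, site)) or []
    if records:
        return [f"ldap://{r.target}:{r.port}" for r in order_controllers(records, rng)]
    ip = a_lookup(domain)
    return [f"ldap://{ip}:389"] if ip else []

# Constructed sample zone data (not real hosts); dict.get stands in for a resolver.
SAMPLE_SRV = {
    "_ldap._tcp.xyz.example": [SrvRecord(0, 100, 389, "dc1.xyz.example"),
                               SrvRecord(0, 0, 389, "dc2.xyz.example"),
                               SrvRecord(10, 50, 389, "dc-backup.xyz.example")],
    "_ldap._tcp.east._sites.xyz.example": [SrvRecord(0, 50, 389, "dc-east.xyz.example")],
}
SAMPLE_A = {"nosrv.example": "192.0.2.10"}

if __name__ == "__main__":
    print(discover_ldap_controllers("xyz.example", SAMPLE_SRV.get, SAMPLE_A.get))
```

Because dc2 carries weight 0 and dc-backup has a higher priority number, the global lookup always yields dc1 first and dc-backup last, which is the behaviour an administrator should expect when checking which controller the device will try.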