LDAP/AD

Here you can specify the connection parameters for the directory server used to manage the LDAP users on your network.

The tab Authentication Server allows you to specify which database type you want to use. You can use the local user database in the LANCOM R&S®Unified Firewall either independently or in combination with an external user database such as Microsoft Active Directory Server or the OpenLDAP server with Kerberos.

If you select Microsoft Active Directory Server you can configure the following items:

Input box and description:

Host: Enter the host name or the IP address of the directory server.
Important: If you enter the host name of the directory server, you must configure the DNS settings. Otherwise, the name cannot be resolved.
Port: Enter the port number of the directory server to be used for communication. You can also select the port number with the up/down arrows.
User Name: Enter the name of a read-only user that retrieves the list of domain users from Active Directory. This input field must match the user attribute sAMAccountName. The user must be located in "CN=Users". Please refer to Login via the LANCOM R&S®Unified Firewall Single Sign-On Client for further information.
Password: Enter the password of the read-only user.
Note: We recommend that you create a dedicated user for this purpose, with no rights beyond reading the directory.
Domain Name: Enter the DNS domain name of the Active Directory.
StartTLS: You can use the StartTLS protocol to secure the connection to the OpenLDAP or Microsoft Active Directory server. StartTLS upgrades the connection on the LDAP port to TLS; without it, the bind user's password is sent in clear text. If you enable it, also enter the Server CA with which the firewall verifies the directory server's certificate.

To check the settings configured for Microsoft Active Directory Server, click Test AD Settings.

If you select OpenLDAP Server you can configure the following items:

Input box and description:

Server Address: Enter the host name or the IP address of the directory server.
Important: If you enter the host name of the directory server, you must configure the DNS settings. Otherwise, the name cannot be resolved.
Port: Enter the port number of the directory server to be used for communication. You can also select the port number with the up/down arrows.
User DN: Enter the distinguished name (DN) of a read-only account.
Note: You do not have to enter the complete DN. If you click Save, the system automatically appends the domain components from the Base DN entry.
Password: Enter the password of the read-only user.
Base DN: Enter the base distinguished name (Base DN), which is made up of Relative Distinguished Names (RDNs) separated by commas. For example, three domain components, dc=ldap,dc=example,dc=com, specify the location in the directory where the directory search starts. For Active Directory, the Base DN normally follows the DNS domain name (example.com becomes dc=example,dc=com).
User Query: Optional: Specify the LDAP search filter to be used to retrieve the list of users. Keep the filter as narrow as possible (for example, restrict it to an object class or a group) so that only the intended accounts are imported.
User ID: Optional: Set the attribute from which the user identifier is retrieved. The user name displayed in the web client is derived from this LDAP user attribute. By default, the user identifier is taken from the attribute sAMAccountName. OpenLDAP servers without the Active Directory schema usually have no sAMAccountName attribute; in that case set an attribute that exists in your directory, such as uid.
User name: Optional: Set the attribute from which the user name is retrieved.
User group: Optional: Set the attribute from which the user group is retrieved.
User Primary Group: Optional: Set the attribute from which the user's primary group is retrieved.
Mail Query: Optional: Specify the LDAP search filter to be used to retrieve the e-mail list.
Mail Name: Optional: Set the attribute from which the e-mail name is retrieved.
Group Query: Optional: Specify the LDAP search filter to be used to retrieve the list of groups.
Group Name: Optional: Set the attribute from which the group name is retrieved.
Group ID: Optional: Set the attribute from which the group ID is retrieved.
Group Primary ID: Optional: Set the attribute from which the group's primary ID is retrieved.
Group Parent: Optional: Set the attribute from which the parent group is retrieved.
StartTLS: You can use the StartTLS protocol to secure the connection to the OpenLDAP or Microsoft Active Directory server. StartTLS upgrades the connection on the LDAP port to TLS; without it, the bind user's password is sent in clear text. If you enable it, also enter the Server CA with which the firewall verifies the directory server's certificate.

If you click Save, the system adds default values to any optional fields which you have not filled.
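The following is an added example and not LANCOM code: stand-alone Python helpers that reproduce the DN and search-filter rules described above for the Domain Name, User DN, Base DN and User Query fields, so that values can be sanity-checked before they are typed into the firewall. The escaping rules are those of RFC 4515; the Base DN completion mirrors the Save behaviour described for User DN; the DN and login values are constructed for illustration only.

```python
"""Helpers for checking LDAP/AD settings (added example, not LANCOM code).

Every host name, DN and login value below is constructed for illustration.
"""
import re

# A DN is a comma-separated list of RDNs. A comma inside a value is escaped
# with a backslash (cn=Smith\, John), so split only on unescaped commas.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def split_dn(dn: str) -> list[str]:
    """Return the RDNs of a DN with surrounding whitespace removed."""
    return [rdn.strip() for rdn in _RDN_SPLIT.split(dn) if rdn.strip()]


def is_valid_dn(dn: str) -> bool:
    """Every RDN must have the form attribute=value; multi-valued RDNs
    joined with '+' are accepted as well. Numeric OID types are not handled."""
    rdns = split_dn(dn)
    if not rdns:
        return False
    return all(re.fullmatch(r"[A-Za-z][\w.-]*=.+", part.strip()) is not None
               for rdn in rdns for part in rdn.split("+"))


def domain_to_base_dn(domain: str) -> str:
    """Active Directory names its default naming context after the DNS
    domain: 'ldap.example.com' -> 'dc=ldap,dc=example,dc=com'."""
    labels = [label for label in domain.strip(" .").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def complete_dn(user_dn: str, base_dn: str) -> str:
    """Mirror the Save behaviour described for User DN: if the entered DN
    does not already end in the Base DN, append the Base DN's components.
    Attribute types and dc values are compared case-insensitively."""
    user_rdns = split_dn(user_dn)
    base_rdns = split_dn(base_dn)
    if not base_rdns:
        return ",".join(user_rdns)
    n = len(base_rdns)
    tail = [rdn.lower() for rdn in user_rdns[-n:]]
    if len(user_rdns) >= n and tail == [rdn.lower() for rdn in base_rdns]:
        return ",".join(user_rdns)
    return ",".join(user_rdns + base_rdns)


# RFC 4515, section 3: these characters must be escaped inside an assertion
# value, otherwise they change the structure of the filter itself.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only match as a literal inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_query(login: str, id_attr: str = "sAMAccountName") -> str:
    """Filter that resolves one login name to one user entry (hardened form)."""
    return f"(&(objectClass=person)({id_attr}={escape_filter_value(login)}))"


def user_query_unescaped(login: str, id_attr: str = "sAMAccountName") -> str:
    """The unsafe form: the login is pasted into the filter verbatim, so a
    crafted value can widen the filter to every person in the directory."""
    return f"(&(objectClass=person)({id_attr}={login}))"


if __name__ == "__main__":
    base = domain_to_base_dn("ldap.example.com")          # constructed domain
    print("Base DN:", base, "valid:", is_valid_dn(base))
    print("User DN:", complete_dn("cn=reader,ou=service", base))
    crafted = "*)(objectClass=*"                           # constructed login
    print("unsafe filter:", user_query_unescaped(crafted))
    print("safe filter:  ", user_query(crafted))
```

Running the script shows the unescaped filter collapsing to a match on every person entry, while the escaped one only matches a user whose login literally contains the crafted characters. The same escaping applies to any value you place into the Mail Query or Group Query filters.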

If you want to operate single sign-on with Kerberos, the user name must be gpLogin. The host name and domain of your firewall are taken from the general settings. See General settings. Please refer to Logging in for further information.

On tab Kerberos:

Input box and description:

Active: Select this checkbox to enable the Kerberos service.
Kerberos Key: Displays the service name, host name and domain name that make up the userPrincipalName of the most recently created Kerberos key, also called a keytab. Please refer to Logging in for further information.

www.lancom-systems.com

LANCOM Systems GmbH | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E-Mail info@lancom.de