Add a New LDAP Server

Select Authentication Server > LDAP and click Add. The Add LDAP Server dialog is displayed. Enter the following details and click Save:

  • Server IP/DNS Name
  • Priority

A new LDAP Server is added to the list view.

All other settings for LDAP servers are inherited from the defaults configured by clicking the Default Settings button at the top of the LDAP page. Refer to Set Default Options for LDAP Servers for details.

Set Default Options for LDAP Servers

Click Default Settings to set configuration options for use with all new LDAP server entries, and then set the following options for LDAP servers. Note that these options are all global options and cannot be configured on a per-host basis.

Setting

Description

User Base DN

Identifies the base distinguished name (location) of the user information in the LDAP server's schema. Provide the value as a string with no spaces.

User Search Scope

Specifies the search scope for the user under the base distinguished name (DN):

Subtree (default) – Searches the base DN and all of its children.

One-Level – Searches only the immediate children of the base DN.

Login UID

Specify the name of the LDAP attribute containing the login name. The default is sAMAccountName. You can also specify a custom string or uid (for User ID).

Bind Password

Provides the credentials to be used for binding with the LDAP server. If Bind DN is left undefined for anonymous login (the default), Bind Password should be left undefined, too.

Group Base DN

Set this option to require membership in a specific Group Base DN for successful login to the appliance.

By default, the Group Base DN is left empty – group membership is not required for login to the system. If you do specify a Group Base DN, the attribute specified by the Group Login Attribute option must contain the user’s distinguished name as one of the values in the LDAP server or the user will not be logged in.

Bind DN

Specifies the distinguished name (DN) on the LDAP server with which to bind. By default, this is left empty for anonymous login.

Attribute

Use this argument to specify the name of the attribute to check for group membership. If you specify a value for Group Base DN, the attribute you name here will be checked to see whether it contains the user’s distinguished name as one of the values in the LDAP server.

LDAP Version

Specify which version of LDAP to use. The default of Version 3 is the current standard; some older servers still use Version 2.

Port

Specify the port number on which the LDAP server is running. If you do not specify a port, the default LDAP authentication port number of 389 is used.

Timeout

Specifies how long the appliance should wait for a response from the LDAP server to an authentication request before declaring a timeout failure.

The valid range is 0-60 seconds; default value is five seconds.

SSL Mode

Enables SSL or TLS to secure communications with LDAP servers as follows:

None—Does not use SSL or TLS to secure LDAP
SSL—Secures LDAP using SSL over the SSL port.
TLS—Secures LDAP using TLS over the default server port.

Note:  SSL and TLS modes use TLS 1.2 for negotiation with the LDAP server and the default ports.

SSL Port

Specifies the LDAP SSL port number.

Referrals

Specifies the type of user information search in the LDAP servers.

Yes—Searches the user information in all the LDAP servers.
No—Searches the user information in the selected LDAP server.

Search Timeout

Specifies how long the appliance should wait for a response from the LDAP server over SSL/TLS port before declaring a timeout failure.

The valid range is 0-60 seconds; default value is five seconds.

Delete an LDAP Server

To delete an LDP Server, do the following:

1.   Select Settings > Authentication Server> LDAP.
2. Select the LDAP server to be deleted.
3. Click Actions > Delete.