Add a New LDAP Server
Select Authentication Server > LDAP and click Add. The Add LDAP Server dialog is displayed. Enter the following details and click Save:
- Server IP/DNS Name
- Priority
A new LDAP Server is added to the list view.
All other settings for LDAP servers are inherited from the defaults configured by clicking the Default Settings button at the top of the LDAP page. Refer to Set Default Options for LDAP Servers for details.
Set Default Options for LDAP Servers
Click Default Settings to set the configuration options that apply to all new LDAP server entries, then set the options described below. Note that these options are global and cannot be configured on a per-host basis.
| Setting | Description |
|---|---|
| User Base DN | Identifies the base distinguished name (DN), that is, the location of the user information in the LDAP server's schema. Provide the value as a string with no spaces. |
| User Search Scope | Specifies the search scope for the user under the base DN. Subtree (default) searches the base DN and all of its children; One-Level searches only the immediate children of the base DN. |
| Login UID | Specifies the name of the LDAP attribute that contains the login name. The default is sAMAccountName. You can also specify a custom string or uid (for User ID). |
| Bind Password | Provides the credentials used for binding with the LDAP server. If Bind DN is left undefined for anonymous login (the default), leave Bind Password undefined, too. |
| Group Base DN | Set this option to require membership in a specific Group Base DN for successful login to the appliance. By default, the Group Base DN is left empty and group membership is not required for login. If you do specify a Group Base DN, the attribute specified by the Group Login Attribute option must contain the user's DN as one of its values on the LDAP server, or the user will not be logged in. |
| Bind DN | Specifies the DN on the LDAP server with which to bind. By default, this is left empty for anonymous login. |
| Attribute | Specifies the name of the attribute to check for group membership. If you specify a value for Group Base DN, the attribute named here is checked to see whether it contains the user's DN as one of its values on the LDAP server. |
| LDAP Version | Specifies which version of LDAP to use. The default, Version 3, is the current standard; some older servers still use Version 2. |
| Port | Specifies the port number on which the LDAP server is listening. If you do not specify a port, the default LDAP authentication port, 389, is used. |
| Timeout | Specifies how long the appliance waits for a response from the LDAP server to an authentication request before declaring a timeout failure. The valid range is 0-60 seconds; the default is 5 seconds. |
| SSL Mode | Enables SSL or TLS to secure communications with LDAP servers. Note: SSL and TLS modes use TLS 1.2 for negotiation with the LDAP server and the default ports. |
| SSL Port | Specifies the LDAP SSL port number. |
| Referrals | Specifies the type of user information search in the LDAP servers. |
| Search Timeout | Specifies how long the appliance waits for a response from the LDAP server over the SSL/TLS port before declaring a timeout failure. The valid range is 0-60 seconds; the default is 5 seconds. |
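The following Python script is an added example, not the appliance's own code, showing how the settings above combine during a login: the user is looked up under User Base DN within the configured User Search Scope by its Login UID attribute (with the login name escaped per RFC 4515 so it cannot widen the filter), and, when Group Base DN is set, the group's membership attribute must list the user's DN. It also assembles an OpenLDAP ldapsearch command equivalent to that lookup, so the settings can be verified from a shell before they are saved. The settings dict, the directory snapshot and the SSL Mode names "SSL" (ldaps) and "TLS" (StartTLS) are constructed assumptions.

```python
"""Checks mirroring the LDAP Default Settings: User Base DN, User Search Scope,
Login UID, Bind DN, Group Base DN and the membership Attribute. Added example,
not the appliance's code; settings, directory and SSL-mode names are constructed."""
import shlex

# RFC 4515 escapes for values embedded in a search filter, so a login name
# such as "*" or "x)(objectClass=*" cannot widen the user search.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login_uid: str, username: str) -> str:
    """Filter used for the user lookup: (<Login UID attribute>=<login name>)."""
    return f"({login_uid}={escape_filter_value(username)})"


def split_dn(dn: str) -> list:
    """Simplified RDN split: lower-case, trim spaces around commas. Full DN
    matching (RFC 4517) also handles escaped commas and multi-valued RDNs."""
    return [part.strip().lower() for part in dn.split(",")]


def in_search_scope(base_dn: str, entry_dn: str, scope: str) -> bool:
    """Subtree: the base DN and all children. One-Level: immediate children only."""
    base, entry = split_dn(base_dn), split_dn(entry_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "Subtree":
        return True
    if scope == "One-Level":
        return depth == 1
    raise ValueError(f"unknown search scope: {scope}")


def is_group_member(group_entry: dict, attribute: str, user_dn: str) -> bool:
    """Group Base DN rule: the named attribute must list the user's DN."""
    return split_dn(user_dn) in [split_dn(v) for v in group_entry.get(attribute, [])]


def authorize_user(settings: dict, directory: dict, username: str):
    """Return the DN that would be logged in for `username`, or None.
    `directory` is a constructed {dn: {attribute: [values]}} snapshot."""
    login_attr = settings["Login UID"]
    matches = [
        dn for dn, attrs in directory.items()
        if in_search_scope(settings["User Base DN"], dn, settings["User Search Scope"])
        and username.lower() in [v.lower() for v in attrs.get(login_attr, [])]
    ]
    if len(matches) != 1:            # no such user, or an ambiguous match
        return None
    user_dn = matches[0]
    group_dn = settings.get("Group Base DN")
    if group_dn:
        by_dn = {tuple(split_dn(dn)): attrs for dn, attrs in directory.items()}
        group = by_dn.get(tuple(split_dn(group_dn)), {})
        if not is_group_member(group, settings["Attribute"], user_dn):
            return None
    return user_dn


def ldapsearch_command(settings: dict, username: str) -> str:
    """OpenLDAP ldapsearch invocation equivalent to the configured user lookup."""
    host, mode = settings["Server"], settings.get("SSL Mode", "None")
    if mode == "SSL":                             # assumed name for ldaps mode
        uri = f"ldaps://{host}:{settings.get('SSL Port', 636)}"
    else:
        uri = f"ldap://{host}:{settings.get('Port', 389)}"
    scope = {"Subtree": "sub", "One-Level": "one"}[settings["User Search Scope"]]
    cmd = ["ldapsearch", "-x", "-H", uri, "-o", f"nettimeout={settings.get('Timeout', 5)}",
           "-b", settings["User Base DN"], "-s", scope]
    if mode == "TLS":                             # assumed name for StartTLS mode
        cmd.append("-ZZ")                         # require StartTLS on the plain port
    if settings.get("Bind DN"):
        cmd += ["-D", settings["Bind DN"], "-W"]  # prompt for the bind password
    cmd += [build_user_filter(settings["Login UID"], username), "dn"]
    return " ".join(shlex.quote(c) for c in cmd)


# Constructed settings and directory snapshot for a stand-alone run.
SETTINGS = {
    "Server": "ldap.example.test", "Port": 389, "SSL Mode": "TLS", "Timeout": 5,
    "User Base DN": "ou=People,dc=example,dc=test", "User Search Scope": "One-Level",
    "Login UID": "sAMAccountName", "Bind DN": "cn=svc-appliance,ou=Service,dc=example,dc=test",
    "Group Base DN": "cn=appliance-admins,ou=Groups,dc=example,dc=test", "Attribute": "member",
}
DIRECTORY = {
    "cn=jdoe,ou=People,dc=example,dc=test": {"sAMAccountName": ["jdoe"]},
    "cn=asmith,ou=Contractors,ou=People,dc=example,dc=test": {"sAMAccountName": ["asmith"]},
    "cn=appliance-admins,ou=Groups,dc=example,dc=test": {
        "member": ["CN=jdoe, OU=People, DC=example, DC=test"]},
}

if __name__ == "__main__":
    print(authorize_user(SETTINGS, DIRECTORY, "jdoe"))    # accepted: in scope and in group
    print(authorize_user(SETTINGS, DIRECTORY, "asmith"))  # None: two levels below base DN
    print(ldapsearch_command(SETTINGS, "jdoe"))
```

Running the script shows why a One-Level scope silently excludes users in nested OUs, and the printed ldapsearch line can be pasted into a shell to confirm that the bind DN, base DN and group attribute are right before the appliance is pointed at the server.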
Delete an LDAP Server
To delete an LDAP server, do the following:
1. Select Settings > Authentication Server > LDAP.
2. Select the LDAP server to be deleted.
3. Click Actions > Delete.