8e6 Technologies Enterprise Filter Authentication R3000 User Manual


CHAPTER 4: LDAP AUTHENTICATION SETUP - CREATE AN LDAP DOMAIN

By default, the Include List will be populated with appropriate group objects, based on the server type.

Generally, no action needs to be performed on this tab. However, under special circumstances, a group object can be added or excluded by making an entry in the appropriate field, and then clicking the Include or Exclude button.

A group object name can be edited by selecting the group object from the appropriate list box, editing the name in the field, and then clicking the Edit button.

A group object can be removed by selecting the group object and then clicking Remove.

The Membership Attribute field is populated by default. The membership attribute is the name of the LDAP attribute in a group record that identifies members of a group.

If using Active Directory, the “Use Primary Group” checkbox displays on this tab. You may wish to check this box to indicate that profiles based on user groups should be assigned to users.

Click Next to go to the User tab.
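The Membership Attribute and "Use Primary Group" settings above decide which group records a user is treated as belonging to. The following added example (not 8e6 code; the directory records and the helper names are constructed for illustration) resolves group membership the same two ways: by the configurable membership attribute, and, for Active Directory, by matching the user's primaryGroupID against the group's primaryGroupToken, because AD does not list a user in the member attribute of the user's own primary group.

```python
"""Resolve LDAP group membership from a group record's membership attribute and,
for Active Directory, from the user's primary group.

Added example, not 8e6 code. SAMPLE_DIRECTORY is constructed data in the shape
an LDAP search returns (DN -> attribute -> list of values)."""

SAMPLE_DIRECTORY = {
    # Active Directory style groups: members listed in "member"
    "CN=Domain Users,CN=Users,DC=qc2domain,DC=local": {
        "objectClass": ["group"],
        "primaryGroupToken": ["513"],  # AD computes this from the group's RID
        "member": [],                  # primary-group members are NOT listed here
    },
    "CN=Filter Admins,CN=Users,DC=qc2domain,DC=local": {
        "objectClass": ["group"],
        "primaryGroupToken": ["1105"],
        "member": ["CN=Alice,CN=Users,DC=qc2domain,DC=local"],
    },
    "CN=Alice,CN=Users,DC=qc2domain,DC=local": {
        "objectClass": ["user"],
        "primaryGroupID": ["513"],     # Alice's primary group is Domain Users
    },
    "CN=Bob,CN=Users,DC=qc2domain,DC=local": {
        "objectClass": ["user"],
        "primaryGroupID": ["513"],
    },
    # Sun ONE / Novell style group using uniqueMember instead of member
    "cn=Staff,ou=Groups,dc=qc2domain,dc=local": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["CN=Bob,CN=Users,DC=qc2domain,DC=local"],
    },
}

GROUP_CLASSES = ("group", "groupofnames", "groupofuniquenames")


def normalize_dn(dn):
    """Fold case and strip whitespace around RDN separators so DNs written
    differently by different servers compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def groups_for_user(directory, user_dn, membership_attribute="member",
                    use_primary_group=False):
    """Return the sorted DNs of the groups the user belongs to.

    Membership is established when the group's membership attribute lists the
    user's DN, or, with use_primary_group=True (the "Use Primary Group" option),
    when the user's primaryGroupID equals the group's primaryGroupToken."""
    target = normalize_dn(user_dn)
    user = next((rec for dn, rec in directory.items()
                 if normalize_dn(dn) == target), None)
    if user is None:
        raise KeyError("unknown user DN: %s" % user_dn)
    primary_id = user.get("primaryGroupID", [None])[0]

    groups = []
    for dn, rec in directory.items():
        if not any(oc.lower() in GROUP_CLASSES for oc in rec.get("objectClass", [])):
            continue
        members = {normalize_dn(m) for m in rec.get(membership_attribute, [])}
        if target in members:
            groups.append(dn)
        elif (use_primary_group and primary_id is not None
              and rec.get("primaryGroupToken", [None])[0] == primary_id):
            groups.append(dn)
    return sorted(groups)
```

With the constructed directory, Alice is only in Filter Admins unless the primary group is honoured, in which case Domain Users is added; Bob's Staff membership is only found when the Membership Attribute is set to uniqueMember, which is why the default for that field is chosen per server type.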

8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE

129


User Objects

The User tab is used for including or excluding user objects in the LDAP domain.

Fig. 4-4 Domain Details window, User tab

By default, the Include List and Exclude List will be populated with appropriate user objects, based on the server type.

Generally, no action needs to be performed on this tab. However, under special circumstances, a user object can be added or excluded by making an entry in the appropriate field, and then clicking the Include or Exclude button.


A user object name can be edited by selecting the user object from the appropriate list box, editing the name in the field, and then clicking the Edit button.

A user object can be removed by selecting the user object and then clicking Remove.

If the user DN cannot be auto-detected during the profile setup process, click “Use Case-Sensitive Comparison” to perform a manual comparison check.

Click Next to go to the Address tab.

Address Info

The LDAP domain address information populates the Address tab:

Fig. 4-5 Domain Details window, Address tab


NOTE: If the DNS settings are not published in the LDAP directory, the Server DNS Name, DNS Domain Name, and LDAP Query Base fields will not be populated automatically. Functioning forward and reverse DNS name resolution is one of the requirements for LDAP authentication. Please ensure the correct DNS settings are set.

The Server DNS Name field should contain the DNS name of the server. If this field is already populated, it may need to be edited if there is more than one DNS server available.

NOTES: If your LDAP server’s name is not a resolvable, fully qualified DNS name, you may be able to enter the domain name.

If using a Novell server, be sure the Server DNS Name exactly matches the name on the SSL certificate that will be uploaded to the server.

The Server IP Address that displays by default is the one that was entered in the LDAP Server IP field of the Create LDAP Domain dialog box.

The DNS Domain Name should be the DNS name of the LDAP domain, such as Yahoo.com, and may need to be edited if the entire domain name does not display by default.

NOTES: If your LDAP server’s name is not a resolvable, fully qualified DNS name, you may be able to enter the domain name.

If using a Novell server, be sure the DNS Domain Name exactly matches the name on the SSL certificate that will be uploaded to the server.

If necessary, the NETBIOS Domain Name can be entered.

By default, 636 displays in the Server LDAPS Port field.

By default, the value that was entered in the LDAP Server Port field of the Create LDAP Domain dialog box displays in the Server LDAP Port field.


By default, the LDAP Query Base displays the root of the LDAP database to query using the LDAP Syntax, i.e. DC=domain,DC=com. The entry in this field is case sensitive and should be edited, if necessary.

If this field is not populated, enter the LDAP query base.

Click Next to go to the Account tab.


Account Info

Fig. 4-6 Domain Details window, Account tab

1. If your LDAP database does not require a username to be provided in order to bind to the LDAP database, click the “Use Anonymous Bind” checkbox to grey out the fields in this tab.

Otherwise:

Enter the authorized user's full LDAP Distinguished Name in the LDAP Account Name field.

For example: cn=Administrator,cn=Users,dc=qc2domain,dc=local

Enter the password in the Password andConfirm Password fields.

2. Click Next to go to the SSL tab.
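The Address tab values (Server DNS Name, DNS Domain Name, LDAP Query Base, and the forward/reverse DNS requirement in the NOTE) and the Account tab's full-DN account name can all be sanity-checked before the domain is saved. The following added example is not 8e6 code: it derives the default query base from the DNS domain name in the DC=domain,DC=com form the manual describes, parses Distinguished Names so the account name can be checked as a real DN under the query base, compares DNs case-insensitively or case-sensitively (the distinction behind the "Use Case-Sensitive Comparison" option on the User tab), and verifies that forward and reverse DNS resolution agree. The DNS lookups are injected functions so the block runs offline against constructed data; the helper and variable names are hypothetical.

```python
"""Sanity checks for an LDAP domain's Address and Account tab values.

Added example, not 8e6 code. All hostnames, addresses and DNs below are
constructed sample data."""


def query_base_from_dns_domain(dns_domain):
    """Default query base in LDAP syntax from a DNS domain name,
    e.g. 'qc2domain.local' -> 'DC=qc2domain,DC=local'."""
    labels = [l for l in dns_domain.strip().rstrip(".").split(".") if l]
    if not labels:
        raise ValueError("empty DNS domain name")
    return ",".join("DC=" + l for l in labels)


def parse_dn(dn):
    """Split a DN into (attribute type, value) pairs. Backslash-escaped commas
    such as 'cn=Smith\\, John' stay inside the value, which is returned as written."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            current, escaped = current + ch, True
        elif ch == ",":
            rdns.append(current)
            current = ""
        else:
            current += ch
    rdns.append(current)
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN (no '='): %r" % rdn)
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def _rdn_equal(x, y, case_sensitive):
    # Attribute types are case-insensitive in LDAP; values are compared
    # case-sensitively only when requested.
    if x[0].lower() != y[0].lower():
        return False
    return x[1] == y[1] if case_sensitive else x[1].lower() == y[1].lower()


def dn_equal(a, b, case_sensitive=False):
    pa, pb = parse_dn(a), parse_dn(b)
    return len(pa) == len(pb) and all(_rdn_equal(x, y, case_sensitive) for x, y in zip(pa, pb))


def dn_under_base(dn, base, case_sensitive=False):
    """True when dn sits at or below base (suffix match on the RDN list)."""
    pd, pb = parse_dn(dn), parse_dn(base)
    if len(pb) > len(pd):
        return False
    return all(_rdn_equal(x, y, case_sensitive) for x, y in zip(pd[len(pd) - len(pb):], pb))


def check_account_name(account_name, query_base):
    """The LDAP Account Name must be a full Distinguished Name under the query
    base, not a bare login name. Returns a list of problems (empty means OK)."""
    try:
        parse_dn(account_name)
    except ValueError:
        return ["account name %r is not a Distinguished Name" % account_name]
    if not dn_under_base(account_name, query_base):
        return ["account %r lies outside query base %r" % (account_name, query_base)]
    return []


def check_dns_consistency(server_dns_name, server_ip, forward_lookup, reverse_lookup):
    """The Server DNS Name must resolve to the Server IP Address and the address
    must resolve back to the name. forward_lookup(name) and reverse_lookup(ip)
    each return a list; they are injected so the check can run offline."""
    problems = []
    name = server_dns_name.lower().rstrip(".")
    if server_ip not in forward_lookup(server_dns_name):
        problems.append("forward lookup of %s does not return %s" % (name, server_ip))
    if name not in [n.lower().rstrip(".") for n in reverse_lookup(server_ip)]:
        problems.append("reverse lookup of %s does not return %s" % (server_ip, name))
    return problems


# Constructed DNS records standing in for the resolver (not real hosts).
CONSTRUCTED_FORWARD = {"ldap.qc2domain.local": ["192.0.2.10"]}
CONSTRUCTED_REVERSE = {"192.0.2.10": ["ldap.qc2domain.local"],
                       "192.0.2.11": ["other.qc2domain.local"]}


def constructed_forward_lookup(name):
    return CONSTRUCTED_FORWARD.get(name.lower().rstrip("."), [])


def constructed_reverse_lookup(ip):
    return CONSTRUCTED_REVERSE.get(ip, [])
```

Against a real server the two lookup parameters can be `lambda n: socket.gethostbyname_ex(n)[2]` and `lambda ip: [socket.gethostbyaddr(ip)[0]] + socket.gethostbyaddr(ip)[1]` from the standard library; the constructed table above reproduces the failure the NOTE warns about, where the name resolves to one address while the configured address resolves back to a different host.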


SSL Settings

SSL settings should be made if your network requires a secure connection from the R3000 to the LDAP server.

Fig. 4-7 Domain Details window, SSL tab

NOTE: See Appendix E: Obtain or Export an SSL Certificate for information on how to obtain a Sun ONE server’s SSL certificate, or how to export an Active Directory or Novell server’s SSL certificate to your desktop and then upload it to the R3000.

1. If applicable, click in the “Enable Secure LDAP over SSL” checkbox. This action activates the Upload button.

2. Click the Upload button to open the Upload SSL Certificate for LDAPS pop-up window:


Fig. 4-8 Upload SSL Certificate for LDAPS

3. Click Browse to open the Choose file window and select the R3000 server’s SSL certificate.

4. Click Upload File to upload the SSL certificate to the R3000 server.

WARNING: If using a Novell server, be sure the name on the SSL certificate (to be uploaded to the server) matches the Server DNS Name entered in the Address Info tab.

5. Click Next to go to the Alias List tab.
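The WARNING above matters because a TLS client only accepts a server certificate whose name matches the host name it was told to connect to; if the Server DNS Name on the Address tab differs from the name in the uploaded certificate, the LDAPS connection fails verification. The following added example (not 8e6 code) shows the check in the same shape that Python's `ssl` module reports a peer certificate, so it can be run on a constructed certificate dictionary offline or on the dictionary returned by `getpeercert()` from a live connection; the certificate contents and the helper names are constructed assumptions.

```python
"""Check that an LDAP server's SSL certificate carries the configured Server DNS
Name, i.e. that an LDAPS connection verifying against it will succeed.

Added example, not 8e6 code. The certificate dictionaries are constructed in the
shape ssl.SSLSocket.getpeercert() returns."""

import socket
import ssl

# Constructed certificate with a subjectAltName (the modern, preferred form).
CONSTRUCTED_NOVELL_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "QC2 Domain"),),
                (("commonName", "ldap.qc2domain.local"),)),
    "subjectAltName": (("DNS", "ldap.qc2domain.local"), ("DNS", "*.qc2domain.local")),
}
# Constructed legacy certificate carrying only a commonName.
CONSTRUCTED_CN_ONLY_CERT = {"subject": ((("commonName", "novell-server"),),)}


def cert_dns_names(cert):
    """DNS names the certificate is valid for: subjectAltName DNS entries,
    falling back to the subject commonName only when there is no SAN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    return names


def _name_matches(pattern, hostname):
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        # A wildcard covers exactly one leftmost label and never the bare domain.
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def certificate_matches_server_name(cert, server_dns_name):
    """True when the certificate's names include the configured Server DNS Name."""
    return any(_name_matches(n, server_dns_name) for n in cert_dns_names(cert))


def fetch_ldaps_certificate(server_dns_name, uploaded_cert_path, port=636):
    """Connect to the LDAPS port, trusting only the uploaded certificate file,
    and return the peer certificate dictionary. Needs network access, so it is
    not called in this example."""
    ctx = ssl.create_default_context(cafile=uploaded_cert_path)
    with socket.create_connection((server_dns_name, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_dns_name) as tls:
            return tls.getpeercert()
```

Note that the check is run with the Server DNS Name, not the Server IP Address: a certificate issued to `ldap.qc2domain.local` does not match `192.0.2.10`, which is one way the mismatch the WARNING describes can arise when only an address has been filled in.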


Alias List

The Alias List will be automatically populated if the Account Name was entered in the Account tab. This list includes all alias names for the domain that will be included in the Alias pull-down menu in the Authentication Request Form.

Fig. 4-9 Domain Details window, Alias List tab

However, if there are many alias names to be loaded, the tab initially displays without any data and the Search in Progress box opens:

Fig. 4-10 Search in Progress box


After the search is completed, the Search in Progress box closes, and the list displays the Alias Name and the corresponding LDAP Container Name.

NOTE: If the alias list does not display, double-check the settings on the other tabs and verify that all of your settings are correct.

The following actions can be performed on this tab:

An Alias Name can be edited by double-clicking the Alias Name in the designated row, and then making your modifications.

If an Organizational Unit (OU) has been deleted from the LDAP directory but has already been added to the alias list, the list can be reloaded by clicking the Reload OU List button. When clicking this button, the Search in Progress box opens and the domain becomes inactive and will need to be reactivated.

By default, all items are selected for inclusion in the alias list, as indicated by a check mark in the Alias Enabled checkbox. To deselect an item, click the checkbox to remove the check mark.

To select or deselect all items in the list, click the Enable/Disable All button. This button lets you toggle between these two operations.

Click Next to go to the Default Rule tab.
