8e6 Technologies Enterprise Filter Authentication R3000 User Manual


APPENDIX C

LDAP Server Customizations

The R3000 has been tested on common types of standard LDAP servers with default settings. However, because so many LDAP server products exist, and any of them can be configured in countless ways, an LDAP server that is not a common type or is not running default settings may need the customizations described in this appendix.

NOTE: Please contact technical support for assistance in implementing any of the changes described in this appendix.

OpenLDAP Server Scenario

Not all users returned in User/Group Browser

In this scenario, a query is performed in the LDAP User/Group Browser window on an OpenLDAP server, and not all users are returned.

To resolve this problem, do the following:

1. Change the current directory to /usr/local/shadow/etc/ldapgroup

2. Find the subdirectory bearing the name of the LDAP domain, and change the current directory to that subdirectory.

3. Open the file "ldapobjectdef.conf" for editing.

4. Search for the line "LDC_LDAP_query_name_prefix CN="

5. Replace "CN=" with "uid=" and save these changes.

6. Restart the R3000.

8E6 TECHNOLOGIES, R3000 ENTERPRISE FILTER AUTHENTICATION USER GUIDE


APPENDIX D

Disable SMB Signing Requirements

SMB Signing is a Windows security feature that is not currently supported by the R3000. If you are running a Windows 2000 or Windows 2003 server and are using NTLM, then you need to make SMB Signing “not required.”

SMB Signing Compatibility

To find out whether SMB Signing on your Windows server is compatible with the R3000, refer to the chart below:

Server   | R3000 Auth        | SMB Signing Not Defined | SMB Signing Enabled | SMB Signing Disabled | Server Mode
---------|-------------------|-------------------------|---------------------|----------------------|------------
Win2000  | NT Tier 1, 2, 3   | Not compatible          | Compatible          | Compatible           | mixed
Win2000  | NT Tier 1, 2, 3   | Not compatible          | Not compatible      | Not compatible       | native
Win2003  | NT Tier 1, 2, 3   | Not compatible          | Compatible          | Not compatible       | mixed
Win2003  | NT Tier 1, 2, 3   | Not compatible          | Not compatible      | Not compatible       | native
Win2000  | LDAP Tier 1, 2, 3 | Compatible              | Compatible          | Compatible           | mixed
Win2000  | LDAP Tier 1, 2, 3 | Compatible              | Compatible          | Compatible           | native
Win2003  | LDAP Tier 1, 2, 3 | Compatible              | Compatible          | Compatible           | mixed
Win2003  | LDAP Tier 1, 2, 3 | Compatible              | Compatible          | Compatible           | native


Disable SMB Signing Requirements in Windows 2003

By default, the SMB protocol in Windows 2003 is set to “Not Defined = On”. To disable (turn “Off”) SMB Signing, do the following:

1. From your Windows 2003 workstation, go to Start > All Programs > Administrative Tools > Active Directory Users and Computers:

Fig. D-1: Go to Active Directory Users and Computers

2. When the Active Directory Users and Computers window opens, click Domain Controllers in the left panel to open the pop-up menu:


Fig. D-2: Select Properties in the Domain Controllers pop-up menu

3. Select Properties to open the Domain Controllers Properties dialog box:

Fig. D-3: Domain Controllers Properties

4. Click the Group Policy tab, choose the Default Domain Controllers Policy, and then click Edit to open the Group Policy Object Editor window:


Fig. D-4: Group Policy Object Editor window

5. In the left panel, go to the Computer Configuration branch of the tree and select the Windows Settings folder to display the Windows Settings contents in the right panel:

Fig. D-5: Group Policy Object Editor window, Windows Settings

6. Choose Security Settings to display the contents of this folder in the right panel:


Fig. D-6: Group Policy Object Editor window, Security Settings

7. Select Local Policies to display the contents of this folder in the right panel:

Fig. D-7: Group Policy Object Editor window, Local Policies

8. Select Security Options to display the contents of this folder in the right panel:

Fig. D-8: Group Policy Object Editor window, Security Options


Scroll down and find "Microsoft network client: Digitally sign communications (always)".

9. Right-click this item to open the pop-up menu, and select Properties to open the dialog box with the Security Policy Setting tab:

Fig. D-9: Define this policy setting

Click in the "Define this policy setting" checkbox to activate the radio buttons. Choose "Disabled", and then click OK.

10. Go back to the Group Policy Object Editor window (see Fig. D-8) and find the policies for the following items:

Microsoft network server: Digitally sign communications (always)

Domain controller: LDAP server signing requirements

Domain controller: LDAP client signing requirements

For each of these items, follow the instructions in step 9.
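The four policy settings named in steps 9 and 10 are applied to the domain controller as registry values, so their effective state can be checked before and after the Group Policy change. The following PowerShell script is an added example and is not part of the 8e6 guide; it assumes PowerShell 3.0 or later, an administrative session on the domain controller, and that the policy has already refreshed (gpupdate /force). The registry paths are the standard locations these policies write to.

```powershell
# Added example (not from the 8e6 manual): report whether each signing
# requirement from Appendix D is currently enforced on this domain controller.
# Value meanings: RequireSecuritySignature 1 = required, 0 = not required;
# LDAPServerIntegrity 2 = require signing, 1 = none;
# LDAPClientIntegrity 2 = require signing, 1 = negotiate, 0 = none.
$checks = @(
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name   = 'RequireSecuritySignature'; RequireValue = 1 },
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name   = 'RequireSecuritySignature'; RequireValue = 1 },
    @{ Policy = 'Domain controller: LDAP server signing requirements'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name   = 'LDAPServerIntegrity'; RequireValue = 2 },
    @{ Policy = 'Domain controller: LDAP client signing requirements'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Name   = 'LDAPClientIntegrity'; RequireValue = 2 }
)

foreach ($c in $checks) {
    # A missing value means the policy is "Not Defined" and the OS default applies.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $state = 'Not Defined (value absent, OS default in effect)'
    } elseif ($item.($c.Name) -eq $c.RequireValue) {
        $state = "Required (value $($item.($c.Name)))"
    } else {
        $state = "Not required (value $($item.($c.Name)))"
    }
    [pscustomobject]@{
        Policy = $c.Policy
        Key    = "$($c.Path)\$($c.Name)"
        State  = $state
    }
}
```

Each row whose State is still "Required" is one the R3000 will not work with until the corresponding policy in step 9 or 10 has been set and the policy refreshed.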


APPENDIX E

Obtain or Export an SSL Certificate

When using Web-based authentication, the LDAP server's SSL certificate needs to be exported and saved to the hard drive, then uploaded to the R3000 so that the R3000 will recognize the LDAP server as a trusted source.

This appendix provides steps on exporting an SSL certificate from a Microsoft Active Directory or Novell server, the most common types of LDAP servers. Also included is information on obtaining a Sun ONE server's SSL certificate.

Export an Active Directory SSL Certificate

Verify certificate authority has been installed

1. From the console of the LDAP server, go to Start > Programs > Administrative Tools > Certification Authority to open the Certification Authority window:

Fig. E-1: Certification Authority window


2. Verify that the certificate authority has been installed on this server and is up and running, indicated by a green check mark on the server icon (see circled item in Fig. E-1).

Locate Certificates folder

1. Go to Start > Run to open the Run dialog box. In the Open field, type in mmc.exe to specify that you wish to access the Microsoft Management Console:

Fig. E-2: Run dialog box

2. Click OK to open the Console window:

Fig. E-3: Microsoft Console window


3. From the toolbar, click Console to open the pop-up menu. Select Add/Remove Snap-in to open the Add/Remove Snap-in dialog box:

Fig. E-4: Add/Remove Snap-in

4. Click Add to open the Add Standalone Snap-in dialog box:

Fig. E-5: Add Standalone Snap-in

5. Select Certificates, and click Add to open the Certificates snap-in wizard dialog box:
