Configure LDAP Authentication

You can use an LDAP (Lightweight Directory Access Protocol) authentication server to authenticate your users with the XTM device. LDAP is an open-standard protocol for using online directory services, and it operates with Internet transport protocols, such as TCP. Before you configure your XTM device for LDAP authentication, make sure you check the documentation from your LDAP vendor to see if your installation supports the memberOf (or equivalent) attribute. When you configure your primary and backup LDAP server settings, you can select whether to specify the IP address or the DNS name of your LDAP server.

If your users authenticate with the LDAP authentication method, their distinguished names (DN) and passwords are not encrypted. To use LDAP authentication and encrypt user credentials, you can select the LDAPS (LDAP over SSL) option. When you use LDAPS, the traffic between the LDAP client on your XTM device and your LDAP server is secured by an SSL tunnel. When you enable this option, you can also choose whether to enable the LDAPS client to validate the LDAP server certificate, which prevents man-in-the-middle attacks. If you choose to use LDAPS and you specify the DNS name of your server, make sure the search base you specify includes the DNS name of your server. The standard LDAPS port is 636. For Active Directory Global Catalog queries, the SSL port is 3269.

When you configure the LDAP authentication method, you set a search base to specify where in the authentication server directories the XTM device can search for an authentication match. For example, if your user accounts are in an OU (organizational unit) you refer to as accounts and your domain name is example.com, your search base is ou=accounts,dc=example,dc=com.

If you also have user group objects are in another OU you refer to as groups,with your user accounts in an OU (organizational unit) you refer to as accounts, and your domain name is example.com, your search base is dc=example,dc=com.

If you use an OpenLDAP server without the memberOf attribute overlay support, add users to more than one OU, and find that the default Group String setting of memberOf does not return correct group information for your users, you can instead configure the XTM device to use another group attribute. To manage user groups, you can add the object classes member, memberUID, or gidNumber. For more information about these object classes, see RFC 2256 and RFC 2307.

If you enable LDAPS, you can choose to validate the LDAP server certificate with an imported Certificate Authority (CA) certificate. If you select to validate the LDAP server certificate, you must import the root CA certificate from the CA that signed the LDAP server certificate, so your XTM device can use the CA certificate to validate the LDAP server certificate. When you import the CA certificate, make sure to select the IPSec, Web Server, Other option. For more information about how to import certificates, see Manage XTM Device Certificates.

PhoneFactor authentication is a multiple-factor authentication system that uses phone calls to determine the identity of users. Because it uses more than one out-of-band method (phone calls, text messages, and push notifications) and an OATH passcode, PhoneFactor provides flexible options for users and a single multiple-factor platform to manage.

If you use PhoneFactor authentication with your LDAP server, you can configure the timeout value in the LDAP authentication server settings to specify when out-of-bound PhoneFactor authentication occurs. For PhoneFactor authentication, you must set the timeout value to more than 10 seconds.

From Fireware XTM Web UI:

  1. Select Authentication > Servers.
    The Authentication Servers page appears.
  2. From the Server list, select LDAP.
    The LDAP server settings appear.
  3. Select the Enable LDAPServer check box.
    The LDAP server settings are enabled.

Screen shot of the Authentication Servers page, with the LDAP tab selected

  1. From the IP Address/DNS Name drop-down list, select whether to use the IP address or DNS name to contact your primary LDAP server.
  2. In the IP Address/DNS Name text box, type the IP address or DNS name of the primary LDAP server for the XTM device to contact with authentication requests.
    The LDAP server can be located on any XTM device interface. You can also configure your device to use an LDAP server on a remote network through a VPN tunnel.
  3. In the Port text box, type the TCP port number for the XTM device to use to connect to the LDAP server. The default port number is 389.
    If you enable LDAPS, you must select port 636.
  4. In the Timeout text box, type or select the number of seconds the device waits for a response from the LDAP server before it closes the connection and tries to connect again.
  5. In the Search Base text box, type the search base settings in the standard format: ou=organizational unit,dc=first part of distinguished server name,dc=any part of the distinguished server name that appears after the dot.
    For example: ou=accounts,dc=example,dc=com
  6. In the Group String text box, type the group string attribute.
    The default attribute is memberOf.

This attribute string holds user group information on the LDAP server. On many LDAP servers, the default group string is uniqueMember; on other servers, it is member. For user groups on an OpenLDAP server without memberOf overlay support, you can also specify the attributes member, memberUID, or gidNumber.

  1. In the DN of Searching User text box, type the distinguished name (DN) for a search operation.

You can add any user DN with the privilege to search LDAP/Active Directory, such as an administrator. Some administrators create a new user that only has searching privileges.
For example, cn=Administrator,cn=Users,dc=example,dc=com.

  1. In the Password of Searching User text box, type the password associated with the distinguished name for a search operation.
  2. In the Login Attribute text box, select a LDAP login attribute to use for authentication from the drop-down list.

The login attribute is the name used for the bind to the LDAP database. The default login attribute is uid. If you use uid, the DN of Searching User and the Password of Searching User text boxes can be empty.

  1. In the Dead Time text box, type or select the amount of time after which an inactive server is marked as active again. To set the duration, from the adjacent drop-down list, select Minutes or Hours .

After an authentication server has not responded for a period of time, it is marked as inactive. Subsequent authentication attempts do not try this server until it is marked as active again.

  1. To enable secure SSL connections to your LDAP server, select the Enable LDAPS check box.
  2. If you enable LDAPS but did not set the Port value to the default port for LDAPS, a port message dialog box appears. To use the default port, click Yes. To use the port you specified, click No.
  3. To verify the certificate of the LDAP server with the imported CA certificate, select the Validate server certificate check box.
  4. To specify optional attributes for the primary LDAP server,complete the settings in the LDAP Server Optional Settings section.
    For more information about how to configure optional settings, see the subsequent section.
  5. To add a backup LDAP server, select the Secondary tab, and select the Enable Secondary LDAP Server check box.
  6. Repeat Steps 3–16 to configure the backup server. Make sure the shared secret is the same on the primary and backup LDAP servers.
    For more information, see Use a Backup Authentication Server.
  7. Click Save.

About LDAP Optional Settings

Fireware XTM can get additional information from the directory server (LDAP or Active Directory) when it reads the list of attributes in the server’s search response. This lets you use the directory server to assign extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with IPSec address assignments. Because the data comes from LDAP attributes associated with individual user objects, you are not limited to the global settings in Fireware XTM Web UI. You can set these parameters for each individual user.

For more information, see Use Active Directory or LDAP Optional Settings.

Test the Connection to the Server

To make sure that your XTM device can connect to your LDAP server and successfully authenticate your users, you can test the connection to your authentication server. You can also use this feature to determine if a specific user is authenticated and to get authentication group information for that user.

You can test the connection to your authentication server from the Authentication Servers page for your server, or you can navigate directly to the Server Connection page in Fireware XTM Web UI.

To navigate to the Server Connection page from the Authentication Servers page:

  1. Click Test Connection for LDAP and Active Directory.
    The Server Connection page appears.
  2. Follow the instructions in the Server Connection topic to test the connection to your server.

For instructions to navigate directly to the Server Connection page in Fireware XTM Web UI, see Server Connection.

See Also

About Third-Party Authentication Servers

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Knowledge Base