D-Link NetDefendOS

912 pages
The first server in the list has the highest precedence and will be used first. If authentication
fails or the server is unreachable then the second in the list is used and so on.
LDAP Issues
Unfortunately, setting up LDAP authentication may not be as simple as, for example, RADIUS
setup. Careful consideration of the parameters used in defining the LDAP server to NetDefendOS
is required. There are a number of issues that can cause problems:
• LDAP servers differ in their implementation. NetDefendOS provides a flexible way of
  configuring an LDAP server and some configuration options may have to be changed
  depending on the LDAP server software.
• Authentication of PPTP or L2TP clients may require some administrative changes to the LDAP
  server and this is discussed later.
Microsoft Active Directory as the LDAP Server
A Microsoft Active Directory can be configured in NetDefendOS as an LDAP server. One option in
the NetDefendOS LDAP server setup requires special consideration with Active Directory: the
Name Attribute. This should be set to SAMAccountName.
Due to LDAP protocol limitations, an LDAP user group set to primary cannot be received by
NetDefendOS from the Microsoft LDAP server and used in security policies.
Defining an LDAP Server
One or more named LDAP server objects can be defined in NetDefendOS. These objects tell
NetDefendOS which LDAP servers are available and how to access them.
Defining an LDAP server to NetDefendOS is sometimes not straightforward because some LDAP
server software may not follow the LDAP specifications exactly. It is also possible that an LDAP
administrator has modified the server LDAP schema so that an LDAP attribute has been renamed.
LDAP Attributes
To fully understand LDAP setup, it is important to note that some setup values are attributes.
These are:
• The Name attribute.
• The Membership attribute.
• The Password attribute.
An LDAP attribute is a tuple (a pair of data values) consisting of an attribute name (in this manual
we will call this the attribute ID to avoid confusion) and an attribute value. An example might be a
tuple for a username attribute that has an ID of username and a value of Smith.
These attributes can be used in different ways and their meaning to the LDAP server is usually
defined by the server's database schema. The database schema can usually be changed by the
server administrator to alter the attributes.
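The following is an added example, not part of the NetDefendOS manual or D-Link's code: a Python check that reads a directory entry exported as LDIF and reports what a client configured with a given Name and Membership attribute ID would see, including the case where the schema uses a different ID. The sample entry is constructed, and the Active Directory attribute IDs memberOf and primaryGroupID are assumptions not taken from this page.

```python
import base64

# Constructed sample: LDIF for one Active Directory user (not a real directory).
SAMPLE_LDIF = """\
dn: CN=Ann Smith,OU=Staff,DC=example,DC=com
sAMAccountName: asmith
primaryGroupID: 513
memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=com
memberOf: CN=Finance,OU=Groups,
 DC=example,DC=com
"""

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute ID: [values]}."""
    attrs, last = {}, None
    for line in ldif.splitlines():
        if line.startswith(" ") and last:        # folded continuation line
            attrs[last][-1] += line[1:]
            continue
        attr_id, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):                # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        last = attr_id.strip().lower()           # attribute IDs are case-insensitive
        attrs.setdefault(last, []).append(value.strip())
    return attrs

def check_mapping(attrs, name_attr, membership_attr):
    """Report what a client configured with these attribute IDs would read."""
    report = {"username": None, "groups": [], "warnings": []}
    for role, attr_id in (("Name", name_attr), ("Membership", membership_attr)):
        if attr_id.lower() not in attrs:
            report["warnings"].append(f"{role} attribute ID '{attr_id}' not in entry")
    report["username"] = (attrs.get(name_attr.lower()) or [None])[0]
    # Keep only the leading CN of each group DN (assumes no escaped commas).
    report["groups"] = [dn.split(",")[0].split("=", 1)[1]
                        for dn in attrs.get(membership_attr.lower(), [])]
    if "primarygroupid" in attrs:                # AD stores the primary group as a RID
        report["warnings"].append(
            f"primary group (RID {attrs['primarygroupid'][0]}) is not in '{membership_attr}'")
    return report

if __name__ == "__main__":
    entry = parse_entry(SAMPLE_LDIF)
    print(check_mapping(entry, "SAMAccountName", "memberOf"))
    print(check_mapping(entry, "uid", "memberOf"))   # Name attribute ID absent from AD entry
```

A warning about a missing attribute ID points to a Name or Membership setting that does not match the server's schema; the primary-group warning marks a group that policies based on the Membership attribute will not match.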
Chapter 8: User Authentication
617
