Configuring Active Directory/LDAP over TLS on SonicOS
Article Applies To: Active Directory Firmware/Software Version: Sonic OS Enhanced
Services: LDAP over TLS
This article explains how to integrating SonicWALL appliance with an LDAP directory service using SSL . This requires configuring your LDAP server for certificate management, installing the correct certificate on your SonicWALL appliance, and configuring the SonicWALL appliance to use the information from the LDAP Server.
Before beginning your LDAP configuration, you should prepare your LDAP server and your SonicWALL for LDAP over TLS support. This requires:
Installing a server certificate on your LDAP server.
Installing a Certificate Authority (CA) certificate for the issuing CA on your SonicWALL appliance.
Please note: In this article we have used Windows 2003 server for Certificate Authority and Active Directory. If you are using windows server other than 2003 please check Microsoft site for configuring CA and Active directory, however the steps on the SonicOS Enhanced remains the same.
The following procedures describe how to Configure LDAP over TLS.
Step 1. Configuring the CA on the Active Directory Server
Step 2. Exporting the CA Certificate from the Active Directory Server
Step 3. Importing the CA Certificate onto the SonicWALL
Step 4. Configuring LDAP settings on SonicWALL Appliance
Step 1: Configuring the CA on the Active Directory (Windows 2003 Server)
To configure the CA on the Active Directory server (skip the first five steps if Certificate Services are already installed):
- Navigate to Start > Settings > Control Panel > Add/Remove Programs.
- Select Add/Remove Windows Components.
- Select Certificate Services.
- Select Enterprise Root CA when prompted.
- Enter the requested information. See http://support.microsoft.com/kb/931125.
Step 2: Exporting the CA Certificate from the Active Directory Server
To export the CA certificate from the AD server:
- Launch the Certification Authority application: Start > Run > certsrv.msc.
- Right click on the CA you created and select Properties.
- On the General tab, click the View Certificate button.
- On the Details tab, select Copy to File.
- Follow through the wizard, and select the DER Encoded binary X.509 (.cer) format.
- Click on the browseand Specify a path and filename to which to save the certificate.
- Click on the Nextbutton and click Finish
Step 3: Importing the CA Certificate onto the SonicWALL
To import the CA certificate onto the SonicWALL:
- Browse to System > CA Certificates.
- Click on Import. Select the certificate file you just exported.
- Select Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file, Click on Browse and Select the certificate file you just exported from the MS Certificate Authority.
- Once the root certificate is selected, Click on the import
- Once the CA root certificate is imported, it will be listed under the System > Certificatesection with Type as CA Certificate
Step 4: Configuring LDAP settings on SonicWALL Appliance
- Go to Users > Settings page
In the Authentication method for login drop-down list, select LDAP + Local Usersand Click Configure
If you are connected to your SonicWALL appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the “Do not show this message again” box and click Yes.
- On the Settingstab of the LDAP Configuration window, configure the following fields
Name or IP address: The FQDN of the LDAP server against which you wish to authenticate. When using a name, be certain that it can be resolved by your DNS server.(Recommended to use the name of the server)
Port Number: The default LDAP over TLS port number is TCP 636.
Server timeout (seconds): The amount of time, in seconds, that the SonicWALL will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999, with a default of 10 seconds.
Overall operation timeout (minutes): 5(Default)
Anonymous Login – Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (Active Directory generally does not), then you may select this option.
Login User Name – Specify a user name that has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full ‘dn’ notation. This can be any account with LDAP read privileges (essentially any user account) – Administrative privileges are not required.
Note that this is the user’s name, not their login ID.
Login Password – The password for the user account specified above.
Protocol Version – Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP, including Active Directory, employ LDAPv3.
Use TL(SSL) : Use Transport Layer Security (SSL) to log in to the LDAP server. It is strongly recommended that TLS be used to protect the username and password information that will be sent across the network. Most modern implementations of LDAP server, including Active Directory, support TLS. Deselecting this default setting will display an alert that you must accept to proceed.(Check this Option)
Send LDAP ‘Start TLS’ Request – Some LDAP server implementations support the Start TLS directive rather than using native LDAP over TLS. This allows the LDAP server to listen on one port (normally 389) for LDAP connections, and to switch to TLS as directed by the client. Active Directory does not use this option, and it should only be selected if required by your LDAP server. Require valid certificate from server – Validates the certificate presented by the server during the TLS exchange, matching the name specified above to the name on the certificate. Deselecting this default option will present an
alert, but exchanges between the SonicWALL and the LDAP server will still use TLS – only without issuance validation.
Local certificate for TLS – Optional, to be used only if the LDAP server requires a client certificate for connections. Useful for LDAP server implementations that return passwords to ensure the identity of the LDAP client (Active Directory does not return passwords). This setting is not required for Active Directory. Leave this option unchecked if not sure.
- On theSchema tab, configure the following fields:
LDAP Schema: Microsoft Active Directory
- On the Directory tab, configure the following fields:
Primary domain: The user domain used by your LDAP implementation
User tree for login to server: The location of where the tree is that the user specified in the settings tab
Click on Auto-configure
Select Append to Existing trees and Click OK
This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects.
- On the LDAP Userstab, configure the following fields:
Default LDAP User Group : Trusted Group
How to Test:
On the LDAP Test tab, test a Username and Password in Active directory to make sure that the communication is successful.