Managing LDAP users
The SMC server can be connected to an LDAP server to authorize the company’s users to manage a pool of firewalls.
This type of authentication is intended to work with an LDAP server such as Active Directory on Microsoft Windows Server 2016, 2019 and 2022 or OpenLDAP in at least version 2.5.
Authentication via Radius server is configured in the SMC web administration interface.
To authorize administrators to connect to the SMC server via an LDAP server, follow the three steps below:
- Configure the connection to the LDAP server,
- Test the connection to the server,
- Authorize users and define their access privileges.

To configure and enable the connection to an LDAP server:
- Go to Maintenance > SMC Server > Administrators, and click on Edit local authentication settings,
- In the LDAP tab, select LDAP authentication enabled.
- Fill in the following fields:
Field | Description |
---|---|
Server type | Active Directory or OpenLDAP server |
Host | IP address or FQDN of the main LDAP server. If the server’s FQDN is used, the DNS service must be configured beforehand. If you use the SSL protocol with identity verification for the certification authority to secure the connection to the LDAP server, the host name must be the same as the common name (CN) of the LDAP server’s certificate. |
Backup host | Optional - IP address or FQDN of the backup LDAP server. If the server’s FQDN is used, the DNS service must be configured beforehand. Only this parameter is required for the backup LDAP server, as the other parameters belong to the main server. |
Port | Port number to access the LDAP server: if SSL is enabled, 636 by default; otherwise, 389. |
Base DN | Base DN that enables access to the LDAP server and uses the following format: dc=sub,dc=domain,dc=com. With an OpenLDAP server, the Base DN can also refer to a more specific location, e.g., an organizational unit: ou=unit,dc=domain,dc=com |
ID | This field appears if an Active Directory server is used. Refers to the ID of the administrator with which a request can be submitted to the Active Directory LDAP server. For example: Administrator. |
Administrator DN | This field appears if an OpenLDAP server is used. Refers to the DN of the administrator with which a request can be submitted to the OpenLDAP LDAP server. For example: cn=admin. |
Password | Password to connect to the LDAP server |
Encrypt with SSL | If the option is enabled, the connection to the LDAP server is secured via SSL/TLS protocols. When SSL is enabled, the default port changes. If SSL is enabled, the SMC server does not verify the certification authority that signed the LDAP server’s certificate by default. |
Check identity of the LDAP server CA | This option makes it possible to verify the certification authority that signed the LDAP server’s certificate, when SSL is enabled. Provide the CA’s certificate in the field below. |
Certificate | In this field, the certificate of the certification authority that signed the certificate that the LDAP server used for the secure SSL connection can be forwarded to the SMC server. |
NOTE
All fields are case sensitive. We recommend that you carefully check the configuration of your LDAP directory.

To test the connection to an LDAP server, use the ldapsearch tool available in command line on the SMC server.
Use the following parameters with the ldapsearch command to test the connection to an LDAP server and perform a search in the directory:
Parameter | Description |
---|---|
-H | IP address or FQDN of the LDAP server, preceded by ldap:// and followed by the port number (port 389 is used by default). |
-D | Unique name used to authenticate on the server. This name must match a specific entry in the directory and must be allowed to perform searches in the directory. It can either be an administrator or a user. The format expected by default is: CN=Administrator,DC=mydomain,DC=com. To query an Active Directory, the format can also be: Administrator@mydomain.com. |
-W | If a term is entered, an authentication password will be requested before launching the search. |
-b | Branch of the LDAP tree in which you want to launch the search. To search in the entire directory, indicate the base DN. For example: DC=mydomain,DC=com. |
EXAMPLES
For Active Directory:
ldapsearch -H ldap://1.2.3.4:536 -D "Administrator@mydomain.com" -W -b "DC=mydomain,DC=com"
For OpenLDAP:
ldapsearch -H ldap://1.2.3.4:536 -D "cn=Administrator,dc=mydomain,dc=com" -W -b "dc=mydomain,dc=com"
The search output can be narrowed to specific attributes by listing them at the end of the command. For example, add the attribute "member" to show group members.
EXAMPLE
ldapsearch -H ldap://1.2.3.4:536 -D "Administrator@mydomain.com" -W -b "CN=Users,DC=mydomain,DC=com" member
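As an added example (not part of the SMC documentation), the following POSIX shell functions assemble the ldapsearch connection test from the same values entered in the LDAP tab: they switch to ldaps:// and port 636 when Encrypt with SSL is on, and hand the CA certificate to the OpenLDAP client through LDAPTLS_CACERT when Check identity of the LDAP server CA is on. The function names, their argument order, the -x simple-bind flag and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not SMC's own tooling: build the ldapsearch connection test
# from the fields of the SMC LDAP tab (Host, Port, Encrypt with SSL,
# Check identity of the LDAP server CA, Certificate).

# smc_ldap_uri HOST PORT SSL
#   PORT may be empty: then 636 is used with SSL, 389 without (SMC defaults).
#   SSL is "yes" or "no". Prints the -H value expected by ldapsearch.
smc_ldap_uri() {
  host="$1"; port="$2"; ssl="$3"
  if [ "$ssl" = "yes" ]; then
    scheme="ldaps"; [ -n "$port" ] || port=636
  else
    scheme="ldap";  [ -n "$port" ] || port=389
  fi
  printf '%s://%s:%s\n' "$scheme" "$host" "$port"
}

# smc_ldap_test HOST PORT SSL BIND_DN BASE_DN [CA_CERT_FILE]
#   Runs the same search the documentation uses to validate the connection
#   (-x asks for a simple bind with the -D name and the -W password).
#   With a CA file, the OpenLDAP client verifies the server certificate
#   against it (LDAPTLS_CACERT / LDAPTLS_REQCERT=demand); the host name must
#   then match the CN of the LDAP server's certificate, as in the SMC tab.
smc_ldap_test() {
  uri=$(smc_ldap_uri "$1" "$2" "$3"); bind_dn="$4"; base_dn="$5"; ca="$6"
  if [ -n "$ca" ]; then
    LDAPTLS_CACERT="$ca" LDAPTLS_REQCERT=demand \
      ldapsearch -x -H "$uri" -D "$bind_dn" -W -b "$base_dn" member
  else
    ldapsearch -x -H "$uri" -D "$bind_dn" -W -b "$base_dn" member
  fi
}

# Sample invocation with constructed values (run it from the SMC console):
# smc_ldap_test ldap.mydomain.com "" yes "Administrator@mydomain.com" \
#   "DC=mydomain,DC=com" /tmp/ldap-ca.pem
```

A failure with the CA file but success without it points at the CA or the host name/CN mismatch rather than at the credentials.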

To allow LDAP users to authenticate on the SMC server, the super administrator must add them to the list of administrators in the web administration interface.
- Go to Maintenance > SMC Server > Administrators, and click on Add an administrator.
- Fill in the following mandatory fields:
- Select the access privileges. For more information, refer to the section Managing administrator privileges as super administrator and the section Restricting folder administrators' access privileges.
- Unselect This administrator can use local authentication if you do not wish to define local authentication for the LDAP user.

Field | Description |
---|---|
ID | LDAP user’s identifier. This field corresponds to the sAMAccountName attribute if the LDAP server is an Active Directory and to the attribute uid if the LDAP server is an OpenLDAP. It is optional if the LDAP DN field is entered. |
LDAP DN | LDAP user’s DN. This field corresponds to the DistinguishedName and dn attributes, regardless of the LDAP server configured. It is optional if the ID field is entered. |
Name | Name of the LDAP user shown in SMC. |
The following terms are reserved on SMC, so cannot be used as IDs: root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, sshd, dhcpcd, messagebus, fwadmin-server, nobody.
NOTE
The IDs of users authenticated via the LDAP directory must not contain spaces in order to be able to connect to the SMC server.
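The following POSIX shell function is an added example, not SMC code: it pre-checks an Add an administrator entry against the rules stated on this page (ID or LDAP DN required, no spaces in the ID, no reserved name as ID) so that a rejected entry is caught before the user tries to log in. The function name, the return codes and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of SMC: pre-check the values of an "Add an
# administrator" entry against the rules on this page before creating it.

# Names the page lists as reserved on SMC (cannot be used as IDs).
SMC_RESERVED_IDS="root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats sshd dhcpcd messagebus fwadmin-server nobody"

# smc_check_admin ID LDAP_DN
#   Prints the problem found and returns a non-zero code:
#   1 = neither ID nor LDAP DN entered, 2 = ID contains whitespace,
#   3 = ID is reserved; 0 = entry is acceptable.
smc_check_admin() {
  id="$1"; dn="$2"
  # ID is optional only when LDAP DN is entered, and vice versa.
  if [ -z "$id" ] && [ -z "$dn" ]; then
    echo "either ID or LDAP DN must be entered"; return 1
  fi
  # LDAP users whose ID contains a space cannot connect to SMC.
  case "$id" in
    *[[:space:]]*) echo "ID '$id' contains whitespace"; return 2 ;;
  esac
  # Reserved names are compared exactly (fields are case sensitive).
  for reserved in $SMC_RESERVED_IDS; do
    if [ "$id" = "$reserved" ]; then
      echo "ID '$id' is reserved on SMC"; return 3
    fi
  done
  echo "entry is acceptable"; return 0
}

# Constructed sample: an AD user given by DN only, so a space in the CN is fine.
# smc_check_admin "" "CN=John Doe,CN=Users,DC=mydomain,DC=com"
```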

Users can belong to LDAP groups.
By default SMC searches for users belonging to a group with the memberOf attribute. This attribute is used in directories similar to Active Directory. In some OpenLDAP directories, this attribute must be configured.
Other attributes can be used to search for users in a group. For more information, refer to the section Changing the default LDAP attributes used by SMC.
To add an LDAP user group:
- In the Maintenance > SMC server > Administrators menu, click on Add an LDAP/Radius group.
- Fill in the following mandatory fields:
- Select the access privileges. For more information, refer to the section Managing administrator privileges as super administrator.

Field | Description |
---|---|
LDAP DN | DN of the LDAP group to which LDAP users belong. This field corresponds to the DistinguishedName and dn attributes, regardless of the LDAP server configured. |
Name | Name of the LDAP group shown in SMC. |
If an administrator has a personal account in his/her name, and is also a member of one or several groups, the privileges that apply will be those assigned to the personal account.

In the SMC Server window > Administrators > Add an administrator, the ID and LDAP DN fields correspond to the following LDAP attributes by default:
Field | Default LDAP attribute |
---|---|
ID | sAMAccountName (Active Directory) or uid (OpenLDAP) |
LDAP DN | DistinguishedName or dn, regardless of the LDAP server configured |
SMC also relies on the memberOf attribute to search for groups in which users belong. It may have to be configured manually on some LDAP servers.
The following environment variables make it possible to change these three attributes:
- SMC_LDAP_FIELD_NAME_LOGIN
- SMC_LDAP_FIELD_NAME_DN
- SMC_LDAP_FIELD_NAME_MEMBEROF

To change their values:
- Log in to the SMC server via the console of your hypervisor or in SSH.
- In the file /data/config/fwadmin-env.conf.local, change the values of these environment variables.
- Restart the server with the command nrestart smc.