Connecting to a Microsoft Active Directory
Like the internal and external directories, Active Directory offers the same user management features that have been developed by Microsoft, using a Windows OS.
Step 1: Selecting the directory
Select the directory of your choice. This is the first step in the configuration of this directory.
Select the option Connect to a Microsoft Active Directory and click on Next.
Step 2: Accessing the directory
| Domain name | Name enabling the identification of the internal LDAP directory when several directories have been defined on the firewall. In a configuration containing multiple directories, this name will be needed in addition to the user's login for authentication (login@domain_name). You are therefore strongly advised to enter a DNS domain name in this field. |
| Server |
Select an object corresponding to your LDAP server from the drop-down list. This object has to be created prior to this step and must reference the IP address of your LDAP server. |
| Port |
Enter the listening port of your LDAP server. The default port is: 389. |
| Root domain (Base DN) |
Enter the root domain (DN) of your directory. The DN represents the name of an entry, in the form of a path to it, from the top to the bottom of the tree structure.
Example of a DN AD domain is “company.com” so my Root domain (Base DN) should be “dc=company,dc=com” |
| Identifier |
An administrator account allowing the firewall to connect to your LDAP server and make changes (reading and writing privileges) to certain fields. We recommend that you create a specific account for the firewall and assign privileges to it only in the necessary fields.
Example cn= Administrator,cn=users |
| Password |
The password associated with the ID for you to connect to the LDAP server. NOTE The key icon ( |
) allows you to view the password in plaintext to check that it is correct.Click on Finish to display the Microsoft Active Directory screen.
Microsoft Active Directory screen
“Configuration” tab
Once you have completed the configuration of the directory, you will arrive at the Active Directory which sets out the following items:
| Enable user directory |
This option allows starting the LDAP service. If this option is not selected, the module will be inactive. |
| Server |
This field contains the name of the server that you had entered in the previous page. |
| Port |
This field contains the listening port that you had selected in the previous page. |
| Root domain (Base DN) |
The root domain of your directory as it was defined when it was created.
Example dc=company,dc=org |
| Identifier |
The login name allowing the firewall to connect to your LDAP server. |
| Password |
The password created in the firewall for connecting to the LDAP server. |
Secure connection (SSL)
| Enable SSL access |
This option allows checking your digital certificate generated by the firewall’s root CA. Information is encrypted in SSL. This method uses port 636. Public access to the LDAP is protected by the SSL protocol. NOTE If this option is not selected, access will not be encrypted. |
| Check the certificate against a Certification Authority |
During a connection to the LDAP database, the firewall will check that the certificate has been issued by the Certification Authority specified below. |
| Select a trusted Certificate Authority |
This option allows selecting the CA which will be used for verifying the server certificate issued by the LDAP server, in order to ensure the authenticity of the connection to this server. Click on the magnifying glass icon ( NOTE This option will be grayed out by default if the two options above were not selected. |
) to search for the corresponding CA.Advanced properties
| Backup server |
This field allows defining a replacement server in the event the main server cannot be contacted. You can select it from the list of objects suggested in the drop-down list. |
| Use the firewall account to check user authentication on the directory |
When this option is selected, the firewall will use the identifier declared during the creation of the directory in order to verify a user's privileges with the LDAP server when the user authenticates.
Otherwise, the firewall will use the user's account to perform this verification. |
Click on Apply to confirm your configuration.
“Structure” tab
Read-only access
| User selection filter |
When using the firewall in interaction with an external database, only users that correspond to the filter will be used. By default this filter corresponds to ObjectClass = InetOrgPerson. |
| User group selection filter |
When using the firewall in interaction with an external database, only user groups that correspond to the filter will be used. By default this filter corresponds to ObjectClass = GroupOfNames. |
You are accessing the directory in read-only mode. The creation of users and groups will not be allowed: If this option is selected, you will not be able to perform any actions in write mode.
Mapped attributes
Apply a model: This button offers you 3 choices of LDAP servers, which you will apply to define your attributes:
- OpenLDAP
- Microsoft Active Directory (AD)
- Open Directory
| External directory attributes |
This column represents the value given to the attribute in the external directory.
Examples: Cn= COMPANY telephoneNumber= +33 (0)3 61 96 30 mail = salesadmin@company.com |
Advanced properties
Password hash: The password encryption method for new users.
Some authentication methods (such as LDAP) have to store the user’s password in the form of a hash (result of a hash function applied to the password) which will avoid having to store the password in plaintext.
You have to select your desired hash method from the following:
| SHA |
“Secure Hash Algorithm”. This encryption method allows establishing a 160-bit or 160-byte character string (called a “key”) which will be used as a reference for identification. |
| MD5 |
“Message Digest”. This algorithm allows checking the integrity of data entered, by generating a 128-bit MD5 key. REMARK As this method uses fewer bytes and as such has a lower level of security, it is less robust against attacks. |
| SSHA |
“Salt Secure Hash Algorithm”. Based on the same principle as SHA, but contains a password salting function in addition, which consists of adding a bit sequence to the data entered in order to make them less legible. NOTE This variant of SHA uses a random value to diversify the password’s fingerprint. Two identical passwords will therefore have two different fingerprints.
The encryption method is the most secure and you are strongly advised to use it. |
| SMD5 |
“Salt Message Digest”. Based on the same principle as MD5, with the addition of the password salting function. |
| CRYPT |
The password is protected by the CRYPT algorithm, derived from the DES algorithm which allows block encryption using 56-bit keys.
This method is not highly advised, as it has a relatively low level of security. |
| None |
No password encryption, meaning it is stored in plaintext. WARNING This method is not recommended, as your data will not be protected. |
| User branch |
Enter the name of the LDAP branch for storing users. Example
|
| Group branch |
Enter the name of the LDAP branch for storing user groups. Example ou=groups |
| Certification authority branch |
This field defines the location of the CA on the external LDAP base. This location is used especially when searching for the CA used in SSL. NOTE Configuring this field is not absolutely necessary but in this case, in order for the SSL authentication method to work the CA has to be specified in the list of trusted CAs in the configuration of the SSL method.
(See menu Users\Authentication module\Available methods tab: the authentication method Certificate (SSL) has to be added and the CA indicated in the right column “Certificate authorities (C.A)” ) |
Click on Apply to confirm your configuration.