Connecting to a PosixAccount external LDAP directory
Step 1: Selecting the directory
Select the LDAP base of your choice. This is the first step in the configuration of this directory.
Select the option Connect to a PosixAccount external LDAP directory and click on Next.
Step 2: Accessing the directory
|Domain name||Name that identifies the internal LDAP directory when several directories are defined on the firewall. In a configuration containing multiple directories, this name will be needed in addition to the user's login for authentication (login@domain_name). You are therefore strongly advised to enter a DNS domain name in this field.|
|Server||Select an object corresponding to your LDAP server from the drop-down list. This object must be created prior to this step and must reference the IP address of your LDAP server.|
|Port||Enter the listening port of your LDAP server. The default port is: TCP/389 (ldap object).|
|Root domain (Base DN)||Enter the root domain (DN) of your directory. The DN represents the name of an entry, in the form of a path to it, from the top to the bottom of the tree structure. The value entered in this field is the DN of the root domain.|
|Anonymous connection||If this option is selected, the connection to the LDAP directory will not require the use of an identifier and its associated password. In this case, the identifier and password fields will be grayed out.|
|ID||An administrator account allowing the firewall to connect to your LDAP server and make changes (read and write privileges) to certain fields. We recommend that you create a specific account for the firewall and grant it privileges only on the fields it needs.|
|Password||The password associated with the ID used to connect to the LDAP server. The key icon allows you to view the password in plaintext to check that it is correct.|
Connections to a PosixAccount external directory must be carried out in read-only mode. Users or groups therefore cannot be created from the firewall's web administration interface.
Click on Finish to display the external LDAP directory screen.
External LDAP directory screen
Once the configuration of the LDAP directory is complete, the external LDAP directory screen appears. It summarizes the information entered for your external LDAP directory and the various services concerning access to it:
|Enable user directory||This option starts the LDAP service. If it is not selected, the module is inactive.|
|Server||This field contains the name of the server that you entered in the previous page.|
|Port||This field contains the listening port that you selected in the previous page.|
|Root domain (Base DN)||The root domain of your directory as it was defined when it was created.|
|ID||The login name allowing the firewall to connect to your LDAP server.|
|Password||The password created in the firewall to connect to the LDAP server.|
Secure connection (SSL)
For a secure connection (LDAPS) to be set up between the firewall and the directory, the server that hosts the external directory must support and use one of the following cipher suites:
- TLS_AES_128_GCM_SHA256 (0x1301) (TLS1.3),
- TLS_CHACHA20_POLY1305_SHA256 (0x1303) (TLS1.3),
- TLS_AES_256_GCM_SHA384 (0x1302) (TLS1.3),
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b),
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f),
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e),
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9),
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8),
- TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa),
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c),
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030),
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f).
ECDHE-based cipher suites must use elliptic curves that belong to one of the groups listed below:
- x25519 (0x001d),
- secp256r1 (0x0017),
- x448 (0x001e),
- secp521r1 (0x0019),
- secp384r1 (0x0018).
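The cipher-suite requirement above can be turned into a client-side TLS policy and checked against an LDAPS server before the firewall is configured. The following is an added example (not code from Stormshield or from this guide) using only Python's standard ssl module; the OpenSSL cipher names are the standard names for the code points listed on the page, and the ECDHE group restriction is not enforced here because the ssl module does not expose a group list.

```python
import socket
import ssl

# Suites the page requires on the LDAP server, keyed by IANA code point and
# mapped to OpenSSL cipher-string names. The three TLS 1.3 suites are enabled
# by default in OpenSSL and are not configurable through set_ciphers().
REQUIRED_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0x009E: "DHE-RSA-AES128-GCM-SHA256",
    0xCCA9: "ECDHE-ECDSA-CHACHA20-POLY1305", 0xCCA8: "ECDHE-RSA-CHACHA20-POLY1305",
    0xCCAA: "DHE-RSA-CHACHA20-POLY1305",
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384", 0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0x009F: "DHE-RSA-AES256-GCM-SHA384",
}
TLS13_CODES = {0x1301, 0x1302, 0x1303}

def ldaps_client_context(cafile=None):
    """Client context limited to TLS 1.2+ and the suites above.

    cafile is the CA that issued the LDAP server certificate, i.e. the
    'Check the certificate with a root certification authority' setting.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(n for c, n in REQUIRED_SUITES.items() if c not in TLS13_CODES))
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx

def audit_context(ctx):
    """Names of enabled pre-TLS-1.3 suites that are NOT on the page's list.

    get_ciphers() reports OpenSSL's 32-bit id (0x0300xxxx); the low 16 bits
    are the IANA code point printed on the page.
    """
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] != "TLSv1.3"
                  and (c["id"] & 0xFFFF) not in REQUIRED_SUITES)

def probe_ldaps(host, port=636, cafile=None):
    """Handshake with an LDAPS server; returns (protocol, negotiated suite).

    Raises ssl.SSLError if the server offers none of the required suites or
    presents a certificate not issued by the given CA.
    """
    ctx = ldaps_client_context(cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

Run `probe_ldaps("ldap.example.internal", cafile="ca.pem")` against your own server (hostname and file are placeholders) to see which of the listed suites it actually negotiates.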
|Enable SSL access||This option makes it possible to check your digital certificate generated by the firewall’s root CA. Information is encrypted in SSL. This method uses port 636. Public access to the LDAP directory is protected by the SSL protocol.|
|Check the certificate with a root certification authority||During a connection to the LDAP database, the firewall will check that the certificate was issued by the certification authority specified below.|
|Select a trusted Certification Authority||This option allows you to select the CA that will be used to verify the server certificate issued by the LDAP server, to guarantee the authenticity of the connection to this server.|
|Backup server||This field allows you to define a replacement server if the main server fails. Select it from the objects suggested in the drop-down list. Clicking on the Test access to the directory button below it opens a window informing you that your main server is functional. Click on OK.|
|Port||Enter the listening port of your backup LDAP server, which may differ from the listening port of the main server. The default port is: 389 (ldap).|
|Use the firewall account to check user authentication on the directory||When this option is selected, the firewall uses the identifier declared during the creation of the directory to verify a user's privileges with the LDAP server when the user authenticates. Otherwise, the firewall uses the user's own account to conduct this check.|
Click on Apply to confirm your configuration.
|User selection filter||When the firewall is used to interact with an external database, only users that correspond to the filter will be used. By default this filter corresponds to ObjectClass = InetOrgPerson.|
|User group selection filter||When the firewall is used to interact with an external database, only user groups that correspond to the filter will be used. By default this filter corresponds to ObjectClass = PosixGroup.|
You are accessing the directory in read-only mode. The creation of users and groups will not be allowed: since connections to external POSIX LDAP directories must be read-only, this option is automatically selected and grayed out.
Apply a model: This button applies the attribute mapping of one of three types of LDAP server to define your attributes:
- OpenLDAP: LDAP server.
- Microsoft Active Directory (AD): LDAP directory services for Windows operating systems.
- Open Directory: directory of websites under an Open Directory license.
|External directory attributes||This column represents the value given to the attribute in the external directory. For PosixAccount LDAP directories, the attribute Stormshield member will have the value memberUid.|
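The selection filters and the memberUid mapping described above decide which directory entries the firewall will see. The following is an added example (not code from Stormshield or from this guide) that applies the default objectClass filters to a constructed LDIF sample and resolves group membership through memberUid, the way a PosixAccount directory links groups to users; it also shows what happens to a user that has only the posixAccount class when the default InetOrgPerson user filter is kept.

```python
# Constructed LDIF sample (not from a real directory): alice has both classes,
# bob only posixAccount, and the group references a uid that does not exist.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: bob

dn: cn=vpn-users,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: vpn-users
memberUid: alice
memberUid: bob
memberUid: ghost
"""

def parse_ldif(text):
    """Minimal LDIF parser ('attr: value' lines, blank line ends an entry, no base64 '::')."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        else:
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def select(entries, object_class):
    """Equivalent of the filter (objectClass=<object_class>); LDAP matching is case-insensitive."""
    return [e for e in entries
            if object_class.lower() in (v.lower() for v in e.get("objectclass", []))]

def resolve_groups(entries, user_filter="inetOrgPerson", group_filter="posixGroup"):
    """Map groups to users through memberUid -> uid, the PosixAccount 'member' mapping."""
    users = {e["uid"][0] for e in select(entries, user_filter) if "uid" in e}
    groups, dangling = {}, {}
    for g in select(entries, group_filter):
        name, members = g["cn"][0], g.get("memberuid", [])
        groups[name] = sorted(m for m in members if m in users)
        missing = [m for m in members if m not in users]
        if missing:  # memberUid values that match no selected user entry
            dangling[name] = missing
    return groups, dangling
```

With the default user filter, bob is reported as a dangling memberUid because his entry is not an InetOrgPerson; changing the user filter to posixAccount makes him a group member.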
Password hash: The password encryption method for new users.
Some authentication methods (such as LDAP) must store the user’s password in the form of a hash (result of a hash function applied to the password) which prevents the password from being stored in plaintext.
You must select your desired hash method from the following:
|SHA||“Secure Hash Algorithm”. This encryption method makes it possible to set up a 160-bit or 160-byte character string (called a “key”) which is used as a reference for identification.|
|MD5||“Message Digest”. This algorithm allows you to check the integrity of the data entered, by generating a 128-bit MD5 key.|
|SSHA||“Salt Secure Hash Algorithm”. Based on the same principle as SHA, with the addition of a password salting function, which adds a bit sequence to the data entered in order to make them less legible. This method is the most secure of those listed and is strongly recommended.|
|SMD5||“Salt Message Digest”. Based on the same principle as MD5, with the addition of the password salting function.|
|CRYPT||The password is protected by the CRYPT algorithm, derived from the DES algorithm, which allows block encryption using 56-bit keys. This method is not advised, as it has a relatively low level of security.|
|None||No password encryption, meaning it is stored in plaintext.|
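The SHA, SSHA, MD5 and SMD5 options above correspond to the RFC 2307 userPassword encodings that LDAP servers such as OpenLDAP store. The following is an added example (not code from Stormshield or from this guide) that produces and verifies those encodings with the standard library, so a practitioner can see why the salted variants yield a different stored value for the same password and why a plaintext value should never be compared; CRYPT is intentionally left out.

```python
import base64
import hashlib
import hmac
import os

# RFC 2307 schemes: scheme label -> (hashlib algorithm, salted?).
SCHEMES = {"SHA": ("sha1", False), "SSHA": ("sha1", True),
           "MD5": ("md5", False), "SMD5": ("md5", True)}

def hash_password(password, scheme="SSHA", salt=None):
    """Return '{SCHEME}base64(digest [+ salt])' for a password string.

    Salted schemes append a random salt to the password before hashing and
    store the salt after the digest so it can be recovered at verification.
    """
    algo, salted = SCHEMES[scheme.upper()]
    salt = (salt if salt is not None else os.urandom(8)) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))

def verify_password(password, stored):
    """Check a password against a stored {SCHEME}... value.

    Returns False for plaintext or unknown schemes instead of comparing them,
    and uses a constant-time comparison on the digests.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, blob = stored[1:].split("}", 1)
    if scheme.upper() not in SCHEMES:
        return False
    algo, salted = SCHEMES[scheme.upper()]
    raw = base64.b64decode(blob)
    size = hashlib.new(algo).digest_size
    digest = raw[:size]
    salt = raw[size:] if salted else b""
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)
```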
|User branch||For PosixAccount external directories, this field is not available.|
|Group branch||For PosixAccount external directories, this field is not available.|
|Certification authority branch||This field defines the location of the CA on the external LDAP base. This location is used especially when searching for the CA used in SSL.|
(See Users > Authentication module > Available methods tab: the authentication method Certificate (SSL) must be added and the CA indicated in the right column “Certification authorities (C.A)”)
Click on Apply to confirm your configuration.