LDAP is a standard protocol that allows managing directories, i.e., accessing user databases on a network through the TCP/IP protocols.

Stormshield Network firewalls embed an internal LDAP database, which stores information relating to users who need to authenticate in order to use the firewall. In addition to this internal directory, the firewall can also be connected to up to four external LDAP bases located on remote hosts.

The Directory configuration module (accessible through the menu Users > Directory configuration) opens with a wizard on its first page, which lets you choose a type of directory and initialize it:

  • Connecting to a Microsoft Active Directory
  • Connecting to an external LDAP directory
  • Connecting to a PosixAccount external LDAP directory
  • Creating an internal LDAP

Depending on your selection, the next step will vary, as the configuration of the external LDAP requires more information.

To find out which characters are allowed or prohibited in various fields, please refer to the section Allowed names.

The maximum number of users that can be authenticated simultaneously depends on the model of your firewall. This restriction is explained in the section Users.

The configuration of each of these directories consists of 3 steps. Select the LDAP database you wish to create by clicking on the relevant option.

For a secure connection (LDAPS) to be set up between the firewall and the directory, the server that hosts the external directory must support and use one of the following cipher suites:

  • TLS_AES_128_GCM_SHA256 (0x1301) (TLS1.3),
  • TLS_CHACHA20_POLY1305_SHA256 (0x1303) (TLS1.3),
  • TLS_AES_256_GCM_SHA384 (0x1302) (TLS1.3),
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b),
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f),
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e),
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8),
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa),
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c),
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030),
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f).

ECDHE-based cipher suites must use elliptic curves that belong to one of the groups listed below:

  • x25519 (0x001d),
  • secp256r1 (0x0017),
  • x448 (0x001e),
  • secp521r1 (0x0019),
  • secp384r1 (0x0018).
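
When an LDAPS connection to an external directory fails, a quick check is whether the cipher suite and group the server selected are in the lists above. The following Python sketch is an added example, not Stormshield code: it parses a ServerHello record (for instance, exported from a packet capture) and compares the selected values with those lists. The names `check_server_hello` and `sample_hello` are hypothetical, and the sample records are constructed. The group is only reported when a TLS 1.3 `key_share` extension is present; in TLS 1.2 the ECDHE curve is sent in ServerKeyExchange, which this example does not parse.

```python
import struct

# IANA code -> name, copied from the cipher suite and group lists above.
SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAA: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}
GROUPS = {0x001D: "x25519", 0x0017: "secp256r1", 0x001E: "x448",
          0x0019: "secp521r1", 0x0018: "secp384r1"}

def check_server_hello(record: bytes):
    """Return (suite, suite_ok, group, group_ok) for one ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS handshake record holding a ServerHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                          # skip legacy_version and random
    if len(body) < pos + 1 or len(body) < pos + 1 + body[pos] + 3:
        raise ValueError("truncated ServerHello")
    pos += 1 + body[pos]                  # skip session_id
    (suite,) = struct.unpack_from("!H", body, pos)
    pos += 3                              # cipher_suite + compression_method
    group = None
    end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2                              # extensions length (if absent, loop is skipped)
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        if ext_type == 0x0033 and ext_len >= 2 and pos + 6 <= end:  # key_share
            (group,) = struct.unpack_from("!H", body, pos + 4)
        pos += 4 + ext_len
    return (SUITES.get(suite, hex(suite)), suite in SUITES,
            GROUPS.get(group, hex(group)) if group is not None else None,
            group is None or group in GROUPS)

def sample_hello(suite, group=None):
    """Build a constructed ServerHello record (test input, not a capture)."""
    ext = b"" if group is None else struct.pack("!HHHH", 0x33, 36, group, 32) + bytes(32)
    body = b"\x03\x03" + bytes(33) + struct.pack("!HBH", suite, 0, len(ext)) + ext
    return b"\x16\x03\x03" + struct.pack("!HB", len(body) + 4, 2) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    print(check_server_hello(sample_hello(0x1301, 0x001D)))
```

A suite or group that is not in the lists is returned as its hexadecimal code with the matching flag set to `False`, which points to the server-side TLS setting that needs to change.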