Adding either an eDirectory, Apple/OpenLDAP Directory or a 389 Directory

Prerequisite

  • Set up a non-privileged user account to use when connecting to the domain. The preferred format for normalized usernames is the LDAP distinguished name. For example, cn=user,ou=users,dc=mydomain,dc=net.

Procedure

Tip: In larger directories, it might be a good idea to narrow down the User search root so the Smoothwall doesn't have to look through the entire directory. For example, if all users who need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.

  1. On the SERVICES menu, under the Authentication submenu, click Directories.
  2. Click Add new directory and from the Tenants list, select the tenants to use this directory service.
  3. From the Type list, select either eDirectory, Apple/OpenLDAP Directory or 389 Directory.
  4. Enter the directory’s LDAP server IP address or host name.
    • If using "Kerberos" for the Bind method, you must enter the host name.
  5. Enter the Username of a valid account, in the LDAP notation format.
    • If you are going to select "Kerberos" as the Bind method, the username should be in Kerberos principal format: <user>@<REALM>.
    • Otherwise, the usernames are in LDAP format: cn=user,ou=container,o=organization. This is what eDirectory refers to as tree and context. A user in the tree Organization, in the context Sales, would have the LDAP notation: cn=user,ou=sales,o=organization.
    • For Apple OpenLDAP Directory, when you're not using Kerberos, the LDAP username can be written as: uid=user,cn=users,dc=example,dc=org. Refer to your directory's documentation.
  6. Enter the Password for the username entered previously. Reenter the password to Confirm it.
    • If you're going to select "Simple bind" as the Bind method, you can leave this blank for an anonymous bind.
  7. Accept the default bind method, or:
    • To use Transport Layer Security (TLS), select the TLS (with password) option.
    • To use Kerberos authentication, select the Kerberos option and enter the Kerberos realm. Use capital letters.
    • To bind without encryption, select the Simple bind option. This is frequently used by directory servers that don't need a password for authentication.
  8. Enter the User search root, where in the directory the Smoothwall should start looking for user accounts. Usually, this is the top level of the directory. For example: ou=myusers,dc=mydomain,dc=local.
  9. Enter the Group search roots, where in the directory, the Smoothwall should start looking for user groups. Usually this is the same location as the user search root. For example: ou=mygroups,dc=mydomain,dc=local.
  10. Click Advanced options »:
    1. For the Cache timeout, either accept the default or specify the length of time the Smoothwall keeps a record of directory-authenticated users in its cache. The Smoothwall doesn't query the directory server for users who log off and back on if their records are still in the cache.
    2. For the LDAP port, either accept the default or enter the LDAP port to use. LDAPS (SSL) is automatically used if you enter port number 636.
    3. Enter Extra user search roots, the directory-specific user search paths when working with a large directory structure, which contains multiple OUs and many users. Enter one search root per line.
    4. Enter Extra group search roots, where in the directory the Smoothwall System should start looking for more user groups. Enter one search root per line.
    5. To configure realms for subdomains manually instead of by using DNS, enter the Extra realms in this format: <realm><space><kdc_server>. For example: example.org kdc.example.org. Enter one realm per line.
    6. If you've selected Kerberos as the authentication method and want Kerberos realms discovered through DNS, set the Discover Kerberos realms through DNS option to Enabled.
  11. Enter a descriptive Comment and click Add. The Smoothwall adds the directory to its list of directories and establishes the connection.
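The following pre-flight check is an added example and not Smoothwall's own code. It takes the values you are about to type into the form (bind method, username, server, port, search roots, extra realms) and checks them against the rules the procedure states: a Kerberos bind needs a principal with an upper-case realm and a host name rather than an IP address, a simple or TLS bind needs an LDAP distinguished name, only a simple bind may have a blank password, port 636 means LDAPS, and a narrowed search root is the OU placed in front of the domain base. All domain names, DNs and the settings dictionary are constructed placeholders; `validate_settings` and the other function names are this example's own.

```python
"""Pre-flight checks for the directory settings entered in the procedure above
(added example, not Smoothwall code). Empty problem list == consistent form values."""
from __future__ import annotations
import ipaddress
import re

# Constructed sample base, mirroring the page's placeholders; not a real domain.
DOMAIN_BASE = "dc=mydomain,dc=local"
# Kerberos principal: <user>@<REALM>; group 1 captures the realm.
KRB_PRINCIPAL = re.compile(r"^[^@\s]+@([A-Za-z0-9][A-Za-z0-9.-]*)$")


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs. A backslash-escaped
    character (RFC 4514, e.g. 'cn=Doe\\, John') stays inside its value."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char: keep both characters
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":                          # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip().lower(), value.lstrip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr, value))
    return pairs


def is_dn(text: str) -> bool:
    try:
        split_dn(text)
        return True
    except ValueError:
        return False


def is_ip_address(server: str) -> bool:
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        return False


def ldap_url(server: str, port: int) -> str:
    """Port 636 selects LDAPS (step 10.2); any other port is plain LDAP."""
    return f"{'ldaps' if port == 636 else 'ldap'}://{server}:{port}"


def narrow_search_root(ou: str, base: str) -> str:
    """Put an OU in front of the domain base, as the tip above suggests."""
    root = f"ou={ou},{base}"
    split_dn(root)  # raises ValueError if the result is not a valid DN
    return root


def validate_settings(s: dict) -> list[str]:
    """Return the problems found in a settings dict; [] means the values are consistent."""
    problems = []
    method = s["bind_method"]  # "simple", "tls" or "kerberos"
    user, password, server = s["username"], s["password"], s["server"]
    if method == "kerberos":
        m = KRB_PRINCIPAL.match(user)
        if not m:
            problems.append("Kerberos bind needs a principal of the form <user>@<REALM>")
        elif m.group(1) != m.group(1).upper():
            problems.append("Kerberos realm must be written in capital letters")
        if is_ip_address(server):
            problems.append("Kerberos bind needs a host name, not an IP address")
        if not s.get("realm"):
            problems.append("Kerberos bind needs the Kerberos realm")
    elif method in ("simple", "tls"):
        if not is_dn(user):
            problems.append("username must be an LDAP distinguished name")
        if not password and method != "simple":
            problems.append("a blank password (anonymous bind) is only allowed with Simple bind")
    else:
        problems.append(f"unknown bind method {method!r}")
    for key in ("user_search_root", "group_search_root"):
        if not is_dn(s[key]):
            problems.append(f"{key} is not a valid DN")
    for line in s.get("extra_realms", []):  # one "<realm> <kdc_server>" per line
        if len(line.split()) != 2:
            problems.append(f"extra realm {line!r} must be '<realm> <kdc_server>'")
    return problems


if __name__ == "__main__":
    sample = {  # constructed values following the procedure's placeholders
        "bind_method": "tls", "server": "ldap.mydomain.local", "port": 636,
        "username": "cn=bind-account,ou=users,dc=mydomain,dc=local",
        "password": "example-only",
        "user_search_root": narrow_search_root("myusers", DOMAIN_BASE),
        "group_search_root": "ou=mygroups,dc=mydomain,dc=local",
    }
    print(ldap_url(sample["server"], sample["port"]), validate_settings(sample) or "ok")
```

Run it with the settings you intend to enter before clicking Add; a non-empty problem list points at the form field to correct, and `ldap_url` shows which scheme the port you chose implies.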

Follow-up task