Add new / Edit directory

Use this dialog box to configure directory details.

Navigation: SERVICES > Authentication > Directories > Add new directory.

Add new directory
status Indicates whether the directory is active or not.
Tenants The tenant that this directory service belongs to.
Type The type of directories that you can use. When you select a type, the dialog box updates the options displayed for each type. For the descriptions of the options of your selected type look at the table below with the heading of the type you have selected.
Domain The full DNS name of the domain.
Username The username of the user account.
Password The password for the user account.
Confirm
Advanced options » Expands the view to show advanced options.
Cache timeout (minutes) The length of time the Smoothwall keeps a record of directory-authenticated users in its cache. The Smoothwall does not need to query the directory server for users if their records are still in the cache. Setting a short cache time-out increases the load on the directory server. Setting a long cache time-out means that old passwords and groups are valid for longer, that is, until the cache time-out has been passed.
Cache Kerberos PAC groups

Caches group membership information permanently from Kerberos tickets.

Note: This might result in group membership changes not being stored correctly. In some environments, such as one-way forest trusts, certain group membership information might be missing.
Name The IDex directory name.
Advanced options » Expands the view to show advanced options.
IDex Directory DB Key

Each instance of IDex Directory has an associated Database Key (DB) that identifies to which data set that Directory applies. In most circumstances, you can leave this set at the default value.

Note: Upgrades from earlier implementations will have the Database Key set to the default setting.

Configure additional IDex Directories for tenants and assign a unique Database Key to each IDex Directory, if you have a Multi-Tenant configuration with two tenants with an identical domain name. or datasets that need to be partitioned from other datasets.
LDAP server The directory’s IP address or hostname.
Username The username of a valid account. in the LDAP notation format. If Kerberos is selected as the Bind method (see below), the username should be in Kerberos principal format, for example: [email protected]. Else, the usernames are in LDAP format: cn=user,ou=container,o=organization. This is what is referred to in eDirectory as tree and context. A user part of the tree Organization and in the context Sales would have the LDAP notation: cn=user,ou=sales,o=organization. For Apple OpenLDAP Directory, when not using Kerberos, the LDAP username can be written as: uid=user,cn=users,dc=example,dc=org, refer to your directory documentation.
Password The password for the username entered previously. If Simple bind is selected as the Bind method, you can leave this blank for an anonymous bind.
Confirm
Bind method
  • The default bind method:
    • Bind Method Description
    TLS (with password) Select to use Transport Layer Security (TLS).
    Kerberos Select to use Kerberos authentication.
    Simple bind Select to bind without encryption. This is frequently used by directory servers that don't need a password for authentication.
    Kerberos realm The Kerberos realm. Use capital letters.
    User search root

    Where in the directory the Smoothwall should start looking for user accounts. Usually, this is the top level of the directory. For example: ou=myusers,dc=mydomain,dc=local. OpenLDAP based directories will often use the form o=myorganization. Apple Open Directory uses the form: cn=users,dc=example,dc=org. A Novell eDirectory will refer to this as the tree, taking the same form as the OpenLDAP-based directories o=myorganization.

    Tip: In larger directories, it might be a good idea to narrow down the user search root so the Smoothwall does not have to look through the entire directory. For example, if all users who need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.
    Group search root Where in the directory, the Smoothwall should start looking for user groups. Usually this is the same location as the user search root. For example: ou=mygroups,dc=mydomain,dc=local Apple Open Directory uses the form: cn=groups,dc=example,dc=org with larger directories, it might be necessary to narrow down the group search root. Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. The principle is the same as with the user search root setting. If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section.
    Advanced options » Expands the view to show advanced options.
    Cache timeout (minutes) The length of time the Smoothwall keeps a record of directory-authenticated users in its cache. The Smoothwall does not query the directory server for users who sign out and sign back in if their records are still in the cache.
    LDAP port The LDAP port to use. LDAPs (SSL) is automatically used if you enter port number 636.
    Extra user search roots The directory-specific user search paths when working with a large directory structure, which contains multiple OUs and many users. Enter one search root per line.
    Extra group search roots Where in the directory the Smoothwall System should start looking for more user groups. Enter one search roots per line.
    Extra realms The subdomains. Use the following format: <realm><space><kdc_server> For example: example.org kdc.example.org. Enter one realm per line.
    Discover Kerberos realms through DNS Turns on Kerberos realms discovery. Using DNS to discover realms configures the Smoothwall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
    RADIUS server The hostname or IP address of the RADIUS server.
    Secret The shared secret set by the server.
    Confirm
    Action on login failure
    Action on login failure Description
    Select this option if users in RADIUS are unrelated to users in any other directory server.
    >Deny access Select this option if the RADIUS password should override the password set in another directory server, for example, when using an authentication token.
    Identifying IP address The IP address to use to identify the caller connecting to the RADIUS server, if it must be different to the internal IP address of the system.
    Obtain groups from RADIUS

    If the RADIUS server can provide group information (received in the Filter-ID attribute of the RADIUS message), select this option.

    Note: Group information can't be synchronized between the Smoothwall and the RADIUS server as per the other supported directory servers.

    Instead, you must enter the group names into the Smoothwall manually as configured for the Group_Attribute parameter in your RADIUS server. If groups are not obtained from the RADIUS server, the Smoothwall uses the group information from the next directory server listed in the Directories table. Because of this, you must make sure that your directories are listed in the correct order, with the RADIUS entry directly before the directory containing the group information. If there are no other directories listed, the Smoothwall places all users in the "Default users" group.
    Advanced options » Expands the view to show advanced options.
    Cache timeout (minutes) Accept the default of 10 minutes or specify the length of time the Smoothwall keeps a record of directory-authenticated users in its cache. The Smoothwall does not need to query the directory server for users if their records are still in the cache. Setting a short cache time-out increases the load on the directory server. Setting a long cache time-out means that old passwords and groups are valid for longer, that is, until the cache time-out has been passed.
    Port Accept the default port or specify a UDP port to use when communicating with the RADIUS server. The default is port 1812.
    Active Directory server

    The directory server’s full hostname.

    Note: For Microsoft Active Directory, the Smoothwall System needs DNS servers that can resolve the Active Directory server hostnames. Often, these are the same servers that hold the Active Directory. The Active Directory DNS servers will need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to be able to take place. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone.
    Username The username of a valid account. Enter the username without the domain. The domain is added automatically by the Smoothwall. In a multi domain environment, the username must be a user in the top-level domain.
    Password The password of a valid account.
    Confirm
    Kerberos realm The Kerberos realm.
    User search root The user search root that Smoothwall starts to look in.
    Group search root The group search root that Smoothwall starts to look in.
    Advanced options » Expands the view to show advanced options.
    Cache timeout (minutes) The length of time the Smoothwall keeps a record of directory-authenticated users in its cache. The Smoothwall does not need to query the directory server for users if their records are still in the cache. Setting a short cache time-out increases the load on the directory server. Setting a long cache time-out means that old passwords and groups are valid for longer, that is, until the cache time-out has been passed.
    LDAP port The LDAP port to use.
    Discover Kerberos realms through DNS Uses the DNS to discover Kerberos realms, which configures the Smoothwall Filter and Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
    Use sAMAccountName Controls whether to consult the sAMAccountName attribute or the userPrincipleName attribute when trying to resolve a username. If enabled, enter the sAMAccountName to override the userPrincipleName in Username.
    Extra user search roots The directory-specific user search paths when working with a large directory structure, which contains multiple organizational units (OUs) and many users. Enter search roots one per line.
    Extra group search roots Where in the directory the Smoothwall should start looking for more user groups. Enter search roots one per line.
    Extra realms The subdomains.
    Name The name of the local directory.
    Name The name of the directory.
    Client secrets file: Choose File Opens the Open dialog box so that you can upload the service account key.
    Domain The Google G-Suite domain.
    Administrative user The username, as a valid email address, of a user who has permission to access users, groups, and organizational units. The Smoothwall acts as this user to perform the username synchronization.
    Name The name that you want to recognize your directory by within the Smoothwall Filter and Firewall.
    Client ID The unique application (client) ID that Azure AD assigns to your app.
    Secret The client secret from the Azure AD registered app certificates and secrets.
    Tenant ID The unique directory (tenant) ID that Azure AD assigns to your app.
    Comment An optional descriptive comment.