LDAP Settings


When you click the link "User" in the main menu for the first time, you are automatically forwarded to the second tab, LDAP Settings. Here you select the LDAP server the firewall uses for user management. By default the local LDAP server is used.

 

Local OpenLDAP Server (Standard)

You can start the local LDAP server by pressing the "Start" button (green arrow).

 

Once the server is running you can add new users on the User tab.

 

External OpenLDAP Server

 

ATTENTION: Using an external OpenLDAP server requires in-depth knowledge of OpenLDAP administration (e.g. configuration of access control lists) and should only be done by professionals.

 

Instead of the local OpenLDAP server you can also use an existing OpenLDAP server. To do so, select "external LDAP" in the "Server" select box. After you have selected this value, additional text fields are shown.

 

LDAP Server: IP address or hostname of the external LDAP server. (ATTENTION: if you want to use TLS encryption, you must enter the hostname that is encoded as common name or subject alternative name in the server's TLS certificate; certificate verification fails if the name you enter does not match the certificate.)
LDAP Port: Port on which the LDAP server listens (default 389).
RootDN: Distinguished name of the administrative account (taken from the LDAP initialization file).
Root OU: ou=admin (taken from the LDAP initialization file)
Root DC: dc=gibraltar,dc=local (taken from the LDAP initialization file)
RootPW: Generated randomly. After you have imported the LDAP initialization file it is recommended to change this password.
Confirm RootPW
Change ldap passwords: Pressing this button changes several other passwords. The individual services connect to the directory with dedicated user accounts that have specific permissions; their passwords are changed here.
TLS: If you want to use a TLS-encrypted connection you must create a certificate for the external OpenLDAP server, and the server must be configured for both StartTLS and LDAPS (SSL). StartTLS upgrades a plain connection on the standard port (389) to TLS after the client has sent the StartTLS extended operation; LDAPS uses a dedicated port (636) on which the whole connection is encrypted from the start. Both must be activated because the different firewall services use both methods.
Download LDAP Schema: The OpenLDAP server on the firewall uses its own schema to store the user data. Download the schema here and import it into your external LDAP server.
Download LDAP Init Data: In addition to the schema you need basic initialization data (the LDAP initialization file referred to above), which can be downloaded here.

 

NOTE: The external LDAP server is only recommended for a large number of users or for integration of an already existing LDAP structure. In most cases the local OpenLDAP server is sufficient. It does not need any special handling and is pre-configured for use as the user management system of the firewall.

 

NOTE: If you use an external server you should encrypt the connection. Without TLS the bind passwords of the firewall's service accounts and all user data travel in cleartext between the firewall and the directory server.
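To make the two TLS-related points above concrete, the following is an added example (written for this page, not code from the firewall or from OpenLDAP). It hand-encodes two LDAP messages from RFC 4511 in BER using only the Python standard library: a simple BindRequest, whose password a passive sniffer can read straight out of the bytes, and the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037), which is the "specific command" that upgrades a port-389 session to TLS. It also shows how an LDAPS client should wrap its socket so the certificate is checked against the configured hostname. The DN, password and message ids are constructed sample values; message ids are assumed to be below 128 so a one-byte INTEGER suffices.

```python
"""LDAP on the wire: why the connection to an external directory must be encrypted.

Added example for this page; not part of the firewall's or OpenLDAP's code.
Everything is offline: messages are built and decoded in memory only.
"""
import ssl

# OID of the StartTLS extended operation (RFC 4511, section 4.14)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
    Assumption: 0 <= message_id < 128, so the INTEGER fits in one byte."""
    return tlv(0x30, tlv(0x02, bytes([message_id])) + protocol_op)


def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE {
         version INTEGER (3), name LDAPDN, authentication [0] simple OCTET STRING }
    Tag 0x60 = APPLICATION 0, constructed; 0x80 = context-specific [0], primitive."""
    body = (tlv(0x02, b"\x03")              # version 3
            + tlv(0x04, bind_dn.encode())   # name (LDAPDN is an OCTET STRING)
            + tlv(0x80, password.encode())) # simple authentication: the raw password
    return ldap_message(message_id, tlv(0x60, body))


def starttls_request(message_id: int) -> bytes:
    """ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    Tag 0x77 = APPLICATION 23, constructed. This is what a client sends on
    port 389 before switching the same socket to TLS."""
    return ldap_message(message_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER element at buf[pos]; returns (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_bind(packet: bytes):
    """What a passive observer on an unencrypted connection recovers from a
    captured simple bind: (messageID, bindDN, password). Returns None if the
    packet is not a simple BindRequest (a SASL bind would use tag 0xA3)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        return None
    _, _version, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    if auth_tag != 0x80:
        return None
    return int.from_bytes(mid, "big"), dn.decode(), auth.decode()


def ldaps_context(ca_file=None) -> ssl.SSLContext:
    """Context for an LDAPS (port 636) client. check_hostname means the name
    passed as server_hostname to wrap_socket() must match the certificate's
    CN/SAN, which is why the settings page insists on the hostname rather
    than an IP address. ca_file is the CA that issued the server certificate;
    None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    pkt = simple_bind_request(1, "cn=admin,ou=admin,dc=gibraltar,dc=local", "s3cret")
    print("captured simple bind:", sniff_simple_bind(pkt))
    print("StartTLS request bytes:", starttls_request(2).hex())
```

The bind packet is what every firewall service sends to the directory on each authentication; with plain LDAP the third tuple element returned by sniff_simple_bind is the service account's password. With StartTLS the same bytes are only sent after the extended request has succeeded and the socket has been wrapped; with LDAPS the TLS handshake precedes any LDAP message. Either way, use ssl.create_default_context as shown rather than an unverified context, otherwise the certificate requirement on the settings page buys nothing.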

 

SSL certificate

To encrypt the connection to the external OpenLDAP server you need to create a server certificate, for example with OpenSSL. The OpenLDAP server must then be configured to use this certificate. Please consult the manual of your distribution for configuring TLS certificates for OpenLDAP.

 

Microsoft Active Directory

In order to use Microsoft Active Directory (AD) for authentication, select the corresponding entry in the "Server" select box.

 

IP Domaincontroller: IP address or hostname of the domain controller. (ATTENTION: if you want to use TLS encryption, you must enter the hostname that is encoded as common name or subject alternative name in the domain controller's TLS certificate.)
LDAP Port: Port on which the LDAP server listens (default 389).
User for AD communication: Name of the user account the firewall uses to authenticate to Active Directory. Do not use the Administrator account; create a dedicated user for firewall communication instead. An ordinary user account is sufficient. Additional permissions are only necessary for storing OpenVPN certificates (see below).
AD user password/Confirm AD user password: Password of this user account.
Organisation unit of this AD user: Name of the OU (organizational unit) that contains the user.
Domain: Name of the domain (e.g. mydomain.local).
TLS: To use a TLS-encrypted connection you must create a certificate for your AD server (issued by a Certificate Authority) and configure the server to use it correctly.
Join/Leave domain: To join the domain you need the username and password of a domain administrator.
Select AD groups: You must create groups for the individual services (Mail, HTTP proxy, Chillispot, VPN). Users who should be allowed to use a service must be members of the corresponding group.

 


 

Permissions of the AD user that is used for authentication

It is recommended to create an ordinary user account for authenticating at the AD. With a separate user you avoid storing domain administrator credentials on the firewall.

To save client certificates you must extend the permissions of this user with the tool dsacls. DSACLS (dsacls.exe) is a command-line tool for displaying and changing the permissions and security settings of Active Directory objects.

 

If you named the user as in the picture above, you can display the current permissions on the user object with the following command:

dsacls cn=firewall,ou=esys,dc=esys,dc=local

 

These permissions must be extended with the following command (substitute the OU, the domain components and the account name of your own environment):

dsacls ou=admin,dc=mydomain,dc=local /I:S /G "users\admin:RPWP;userPKCS12;user"

 

This grants the firewall user (here admin) Read Property and Write Property rights (RP = Read Property, WP = Write Property) on the attribute userPKCS12 of user objects; /I:S applies the grant to the objects below the OU rather than to the OU itself. This attribute is used for storing the client certificates. The user needs no further rights, so check the result with the display command above and do not add broader permissions. For more details see the DSACLS command reference.

 

Join domain

In order to use the services PPTP and L2TP the firewall must join the domain. The following settings are required:

Domain controller: IP address of the domain controller
Domain administrator: AD user with domain administrator permissions
Password

 

NOTE: The administrator's credentials are used only to join the domain and are not stored on the firewall.

 

Select AD Groups

Each service that needs authentication is represented by a select box here. Select the group for the service. All users within this group are allowed to use the service.

 

NOTE: You may select the same group for all four services; its members are then allowed to use all services.

 

SSL certificate

A detailed explanation of how to integrate an SSL certificate can be found here: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itame.doc/am60_install166.html