LDAP Settings
When you click the link "User" in the main menu for the first time, you are automatically forwarded to the second index card, LDAP Settings. Here you select the LDAP server you want to use. By default the local LDAP server is used.
Local OpenLDAP Server (Standard)
You can start the LDAP server by pressing the "Start" button (green arrow).
After starting the server you can add new users on the index card User.
External OpenLDAP Server
ATTENTION: Using an external OpenLDAP server requires in-depth knowledge of OpenLDAP server administration (e.g. configuration of access control lists) and should only be done by professionals.
Instead of the local OpenLDAP server you can also use an existing OpenLDAP server. To do so, select "external LDAP" in the select box "Server". After you have selected this value, additional text fields are shown.
NOTE: The external LDAP server is only recommended for a large number of users or for integrating an already existing LDAP structure. In most cases the local OpenLDAP server is sufficient. This server does not need any special handling and is pre-configured for use as the user management system of the firewall.
NOTE: If you use an external server, you should encrypt the connection.
SSL certificate
To encrypt the connection to the external OpenLDAP server you need to create a server certificate. This certificate can be created with OpenSSL. The OpenLDAP server must then be configured to use this certificate. Please consult the manual of your distribution for the use of SSL certificates.
Microsoft Active Directory
To use Microsoft Active Directory (AD) for authentication, select the corresponding entry in the select box Server.
Permissions of the AD user that is used for authentication
It is recommended to create a dedicated user account that is used for authentication against the AD. By creating a separate user you avoid storing domain administrator credentials on the firewall. For saving the client certificates you must extend the permissions of this user with the tool dsacls. DSACLS (dsacls.exe) is a command line tool for changing the permissions and security settings of Active Directory objects.
If you named the user as in the picture above, you can display the permissions of the user with the following command: dsacls cn=firewall,ou=esys,dc=esys,dc=local
These permissions must be extended with the following command: dsacls ou=admin,dc=mydomain,dc=local /I:S /G "users\admin:RPWP;userPKCS12;user"
The permissions of the user admin must be extended with Read and Write permissions (RP = Read Property, WP = Write Property) for the attribute userPKCS12. This attribute is used for storing the client certificates. For more details see DSACLS commands.
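The following PowerShell script is an added example, not part of this manual or the firewall product: it checks, from the administrator's side, that the AD service account holds exactly the Read Property / Write Property right on userPKCS12 that the dsacls command above grants, and flags any broader right. The OU distinguished name and the account name are placeholders taken from the command above; adjust them to your domain.

```powershell
# Added example (not part of the original manual): verify that the firewall's
# AD service account holds only Read Property / Write Property on userPKCS12.
# Assumptions: placeholders for the OU and the service account name.
Import-Module ActiveDirectory

$TargetDn       = 'ou=admin,dc=mydomain,dc=local'   # OU from the dsacls command
$ServiceAccount = 'MYDOMAIN\firewall'                # hypothetical account name

# ACEs reference attributes by schema GUID, not by name, so resolve the GUID
# of userPKCS12 from the schema naming context first.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=userPKCS12)' `
                     -Properties schemaIDGUID
$userPkcs12Guid = [guid]$attr.schemaIDGUID

# Read the DACL of the OU and keep only the entries for the service account.
$acl  = Get-Acl -Path ("AD:\" + $TargetDn)
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }

# RPWP in dsacls terms = ReadProperty + WriteProperty in the .NET enum.
$expected = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ok = $true

foreach ($ace in $aces) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.ObjectType -eq $userPkcs12Guid -and $ace.ActiveDirectoryRights -eq $expected) {
        Write-Output ("OK: RP/WP on userPKCS12 for {0} (inheritance: {1})" -f
                      $ServiceAccount, $ace.InheritanceType)
    } else {
        # Any other allow entry is broader than the manual requires and should be reviewed.
        Write-Warning ("Unexpected right for {0}: {1} on object type {2}" -f
                       $ServiceAccount, $ace.ActiveDirectoryRights, $ace.ObjectType)
        $ok = $false
    }
}

if (-not $aces) {
    Write-Warning "No access entry found for $ServiceAccount on $TargetDn"
    $ok = $false
}
if ($ok) { Write-Output 'Permissions match the documented RPWP;userPKCS12 grant.' }
```

Run it as a domain user with read access to the OU's security descriptor; it changes nothing and only reports.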
Join domain
To use the PPTP and L2TP services, the firewall must join the domain. The following settings are required for this:
NOTE: The account data of the administrator is only used to join the domain and is not stored on the firewall.
Select AD Groups
Each service that requires authentication is represented by a select box here. Select the specific group for the service. All users within this group are allowed to use the service.
NOTE: It is possible to select one group for all four services. The members of this group are then allowed to use all services.
SSL certificate
A detailed explanation of how to integrate an SSL certificate can be found here: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itame.doc/am60_install166.html