Configuring LDAP authentication

You can add existing LDAP users to the firewall. Adding the users to a dedicated group allows you to specify policies for these users. You add a group, add an LDAP server, and set the primary authentication method.

Objectives

When you complete this unit, you’ll know how to do the following:
  • Add a group for LDAP users and specify policies.
  • Add and configure an LDAP server.
  • Set the primary authentication method so that the firewall queries the LDAP server first and assigns LDAP users to the dedicated group.

Add an LDAP group

Create a dedicated group for LDAP users and specify access policies.

  1. Go to Authentication > Groups and click Add.
  2. Specify settings.
    Note: For settings not listed here, use the default value.

    Option          Description
    Group name      LDAP
    Surfing quota   Unlimited internet access
    Access time     Allowed all the time
  3. Click Save.

Add an LDAP server

Add an LDAP server that specifies a base DN.

You’ll need the following information to complete this task:
  • Authentication attribute
  • Group name attribute
  1. Go to Authentication > Servers and click Add.
  2. Specify settings.
    Note: For settings not listed here, use the default value.

    Option                     Description
    Server type                LDAP server
    Server name                LDAP_Server
    Server IP/domain           192.168.1.101
    Connection security        SSL/TLS
    Base DN                    DC=sophos,DC=com
    Authentication attribute   UID
    Group name attribute       GID
    Expiry date attribute      Date
  3. Click Test connection to validate the user credentials and check the connection to the server.
  4. Click Save.

Set primary authentication method

To query the LDAP server first, you set it as the primary authentication method. When users sign in to the firewall for the first time, they are automatically added as a member of the default group specified. In this case, you specify the LDAP group.

  1. Go to Authentication > Services.
  2. In the authentication server list, select LDAP_Server.
  3. Move the server to the first position in the list of selected servers.
  4. For the default group, select LDAP.
  5. Click Apply.
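As an added illustration of what the settings above mean in practice (example code, not from the Sophos documentation or the firewall itself): once the LDAP server is primary, a sign-in name is looked up under the base DN by the authentication attribute, the group name attribute decides the firewall group, and the default group is the fallback. The directory entries, user names and the matching logic are constructed assumptions; the escaping follows RFC 4515 so that a sign-in name cannot widen the search.

```python
BASE_DN = "DC=sophos,DC=com"      # from the server settings above
AUTH_ATTR = "UID"                 # authentication attribute
GROUP_ATTR = "GID"                # group name attribute
DEFAULT_GROUP = "LDAP"            # default group chosen under Authentication > Services

# Constructed sample directory (DN -> attributes); attribute names are
# lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "uid=alice,ou=people,dc=sophos,dc=com": {"uid": "alice", "gid": "staff"},
    "uid=bob,ou=people,dc=sophos,dc=com": {"uid": "bob", "gid": ""},
    "uid=eve,ou=people,dc=example,dc=org": {"uid": "eve", "gid": "staff"},
}

def escape_filter_value(value):
    """Escape a value for an LDAP search filter as RFC 4515 requires, so a
    sign-in name containing '*', '(', ')', '\\' or NUL is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(username):
    """The search filter a client would send for this sign-in name."""
    return "(%s=%s)" % (AUTH_ATTR.lower(), escape_filter_value(username))

def in_base_dn(dn):
    """Subtree check: only entries below the configured base DN are eligible."""
    return dn.lower().endswith("," + BASE_DN.lower())

def lookup_user(username):
    """Return (dn, firewall_group) for the matching entry, or None.
    The group attribute value is used when present; otherwise the user
    is placed in the default group, as the Services step describes.
    (Constructed model: the real server evaluates build_filter(username).)"""
    for dn, attrs in DIRECTORY.items():
        if not in_base_dn(dn):
            continue
        if attrs.get(AUTH_ATTR.lower()) == username:
            group = attrs.get(GROUP_ATTR.lower()) or DEFAULT_GROUP
            return dn, group
    return None

if __name__ == "__main__":
    print(build_filter("al*ce"))   # (uid=al\2ace)
    print(lookup_user("alice"))    # ('uid=alice,ou=people,dc=sophos,dc=com', 'staff')
    print(lookup_user("bob"))      # ('uid=bob,ou=people,dc=sophos,dc=com', 'LDAP')
    print(lookup_user("eve"))      # None, because the entry is outside the base DN
```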