Google Secure LDAP
You can use Google Secure LDAP for authentication.
Requirements
You must have Google Secure LDAP configured in the Google Admin console. See About the Secure LDAP service.
Configure Google
Warning
This information was correct at the time of writing. Review the Google documentation to make sure you're following the most current steps. See the following links:
You must perform some steps in the Google Admin console before you can configure your firewall to use Google Secure LDAP for authentication. You must create an LDAP client for your firewall, download the certificate, and generate access credentials. Do as follows:
- Sign in to the Google Admin console.
- Go to Apps > LDAP.
- Click ADD CLIENT.
- Enter the LDAP client name and Description.
- Click CONTINUE.
- Configure the Access permissions according to your organization's requirements. See Configure access permissions.
- Click ADD LDAP CLIENT.
- Click Download certificate to download a .zip file that contains the certificate (.cer) and the private key (.key) files.
- Extract the certificate and the private key files to the location of your choice. Take note of the location.
- Click CONTINUE TO CLIENT DETAILS.
- Expand Authentication by clicking the card.
- Click GENERATE NEW CREDENTIALS.
- Take note of the Username and Password.
Warning
After you close this window, you can't view the password again. If the username or password in your firewall is incorrect, you must generate new credentials in the Google Admin console and reconfigure your firewall.
- Click CLOSE.
- Expand Service status by clicking the card.
- Click ON for everyone.
- Click SAVE.
Google Secure LDAP is now ready for your firewall's authentication requests.
Configure Sophos Firewall
You can configure your firewall once you've completed the necessary steps in the Google Admin console. You must upload the Google certificate to your firewall and add Google Secure LDAP as an authentication server.
Upload the certificate
You must upload the Google certificate to your firewall to select it during your LDAP server configuration. Do as follows:
- Go to Certificates > Certificates and click Add.
- Enter a name.
- Select CER (.cer) from the drop-down list.
- For Certificate, click Choose File, select the certificate file you extracted earlier, and click Open.
- For Private key, click Choose File, select the private key file you extracted earlier, and click Open.
- Click Save.
Add a server
To use Google Secure LDAP for authentication, you must add it as an authentication server. Do as follows:
- Go to Authentication > Servers.
- Click Add.
- Select LDAP server as the Server type.
- Enter the name of the server.
- Configure the following settings:
  - Server IP/Domain: ldap.google.com
  - Version: 3
  - Connection security: SSL/TLS
  - Port: 636
  - Anonymous login: Turned off.
  - Bind DN: The username from your Google LDAP client's access credentials.
  - Password: The password from your Google LDAP client's access credentials.
  - Append base DN: Turned off.
- Select your Google certificate from the Client certificate drop-down list.
- Enter the Base DN or click Get base DN to get it from Google.
- Configure the following attributes:
  - Authentication attribute: UID
  - Display name attribute: CN
  - Email address attribute: mail
  - Group name attribute: memberOf
  - Expiry date attribute: expiry
- Optional: Click Test connection to test the firewall's connection with Google Secure LDAP.
- Click Save.
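Before you save the server, it can help to confirm from a workstation that the extracted certificate, private key and generated credentials actually work against ldap.google.com on port 636, independently of the firewall. The script below is an added example (not Sophos or Google code) using only the Python standard library: it loads the .cer/.key pair (failing early if they do not match), opens a TLS connection with that client certificate, sends one LDAPv3 simple bind with the username as the bind DN, and reports the result code. The file paths and the function names are assumptions; the host, port, LDAP version and bind settings come from the configuration above.

```python
import socket
import ssl

LDAP_HOST = "ldap.google.com"   # Server IP/Domain from the firewall settings
LDAP_PORT = 636                 # SSL/TLS port from the firewall settings


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV: tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    assert 0 < msg_id < 0x80, "single-byte message IDs only in this example"
    version = ber(0x02, b"\x03")                  # INTEGER 3: LDAP version 3
    name = ber(0x04, bind_dn.encode())            # OCTET STRING: bind DN (the Google username)
    simple = ber(0x80, password.encode())         # [0] simple authentication: the password
    bind_op = ber(0x60, version + name + simple)  # [APPLICATION 0] BindRequest
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind_op)


def read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long form: next bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def bind_result_code(response: bytes) -> int:
    """resultCode from an LDAP BindResponse: 0 = success, 49 = invalidCredentials."""
    _, message, _ = read_tlv(response, 0)         # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(message, 0)              # skip messageID
    tag, bind_resp, _ = read_tlv(message, pos)    # [APPLICATION 1] BindResponse
    assert tag == 0x61, f"unexpected protocolOp tag {tag:#x}"
    _, code, _ = read_tlv(bind_resp, 0)           # ENUMERATED resultCode
    return int.from_bytes(code, "big")


def check_bind(cert_file: str, key_file: str, bind_dn: str, password: str) -> int:
    """TLS-connect with the Google client certificate and try one simple bind."""
    ctx = ssl.create_default_context()            # verifies Google's server certificate
    ctx.load_cert_chain(cert_file, key_file)      # raises if the .cer and .key do not match
    with socket.create_connection((LDAP_HOST, LDAP_PORT), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=LDAP_HOST) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            return bind_result_code(tls.recv(4096))  # bind responses are small
```

Call `check_bind("client.cer", "client.key", "<generated username>", "<generated password>")` with your own paths and credentials; a return value of 49 with a successful TLS handshake points at the credentials rather than the certificate, which matches the note above about regenerating them in the Google Admin console.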
Next steps
- Create an LDAP group. See Add a group.
- Set your Google Secure LDAP server as an authentication method. See Services.