LDAP
LDAP, an abbreviation for Lightweight Directory Access Protocol, is a networking protocol for querying and modifying directory services based on the X.500 standard. Sophos UTM uses the LDAP protocol to authenticate users for several of its services, allowing or denying access based on attributes or group memberships configured on the LDAP server.
To configure LDAP authentication, proceed as follows:
1.
On the Servers tab, click New Authentication Server.
The dialog box Add Authentication Server opens.
2.
Specify the following settings:
Backend: Select LDAP as backend directory service.
Position: Select a position for the backend server. Backend servers with lower numbers will be queried first. For better performance, make sure that the backend server that is likely to get the most requests is on top of the list.
Server: Select or add an LDAP server. For how to add a network definition, see Definitions & Users > Network Definitions > Network Definitions.
SSL: Select this option to encrypt the connection to the LDAP server with SSL/TLS. The Port field then changes from 389 (plain LDAP) to 636 (LDAPS, LDAP over SSL/TLS). Without this option the bind password, and the password of every user being authenticated, crosses the network in cleartext during the simple bind, so enable it wherever the server supports LDAPS.
Port: Enter the port of the LDAP server. By default, this is port 389, or 636 when the SSL option is selected.
Bind DN: The Distinguished Name (DN) of the account the UTM binds to the server with. This account is mandatory; for security reasons, anonymous queries to the LDAP server are not supported. The account must have sufficient privileges to read all relevant user object information from the LDAP server in order to authenticate users, but it needs nothing beyond that: use a dedicated read-only service account rather than an administrative one, because its password is stored on the UTM. LDAP users, groups, and containers are specified by their full distinguished name in LDAP notation, using commas as delimiters (e.g., CN=administrator,DC=intranet,DC=example,DC=com).
Password: Enter the password of the bind user.
Test server settings: Clicking the Test button performs a bind test with the configured server. This verifies that the server, port, SSL setting and bind credentials entered so far are correct and that the server is up and accepts connections; it does not yet exercise the user attribute or the base DN.
User attribute: Select the attribute that the UTM matches the entered login name against when it searches the LDAP directory for the user, i.e., the attribute used in the search filter. This attribute holds the actual login name users are prompted for, for example by remote access services. The following user attributes can be selected:
- CN (Common Name)
- SN (Surname)
- UID (User ID)
If usernames in your LDAP directory are not stored in any of these forms, select <<Custom>> from the list and enter your custom attribute into the Custom field below. Note that this attribute must be configured on your LDAP directory.
Base DN: The starting point, relative to the root of the LDAP tree, below which the users to be authenticated are located. The base DN must be specified as a full distinguished name (FDN) in LDAP notation, most specific component first and with commas as delimiters (e.g., OU=RnD,O=Example). The base DN may be left empty, in which case it is retrieved automatically from the directory. Keep it as narrow as the user population allows: the closer the base DN is to the root, the more directory accounts the user search can match.
Username: Enter the username of a test user to perform a regular authentication.
Password: Enter the password of the test user.
Authenticate example user: Click the Test button to start the authentication test for the test user. This verifies that all server settings are correct, the server is up and accepting connections, and users can be successfully authenticated.
3.
Optionally, make the following advanced settings:
Authentication timeout (sec): Enter the timeout, in seconds, for the communication with the server. Raise it in high-latency scenarios, for example when a third-party authentication solution sits between the UTM and the directory and adds delay to each request.
4.
Click Save.
The server will be displayed in the Servers list.
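As an added example (not code from the Sophos UTM product or its documentation), the following Python script reproduces what the two Test buttons exercise, run against a constructed in-memory stand-in for the directory: a simple bind with the Bind DN, a search under the Base DN for the entered login name using the selected User attribute, and a second bind as the entry that was found. The server name, DNs, passwords and the FakeDirectory class are all assumptions made for the example. It also carries two checks a practitioner wants at this point: the login name is escaped (RFC 4515) before it goes into the search filter, and an empty password is refused before the user bind, because some directories accept a DN with an empty password as an unauthenticated bind.

```python
import re

# RFC 4515 escaping for values spliced into a search filter. Without it a login
# name such as "*" turns "(uid=jdoe)" into "(uid=*)" and matches every user.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_attribute: str, login_name: str) -> str:
    """Filter of the form (<User attribute>=<login name>) with the value escaped."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", user_attribute):
        raise ValueError(f"not an attribute name: {user_attribute!r}")
    return f"({user_attribute}={escape_filter_value(login_name)})"


def server_url(cfg: dict) -> str:
    """ldap:// on 389 or ldaps:// on 636, as the SSL check box toggles the Port field."""
    return f"{'ldaps' if cfg['ssl'] else 'ldap'}://{cfg['server']}:{cfg['port']}"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


class FakeDirectory:
    """Constructed stand-in for the LDAP server (hypothetical, not a real client).

    Supports simple bind and one-clause equality/substring filters, which is all the
    flow needs. Like some real servers in their default configuration, it treats a
    bind with a valid DN and an EMPTY password as an unauthenticated bind that
    succeeds; that is what authenticate() has to guard against.
    """

    def __init__(self, entries: dict):
        self.entries = entries  # DN -> {"password": str, "attrs": {name: value}}

    def simple_bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        if entry is None:
            return False
        return password == "" or entry["password"] == password

    def search(self, base_dn: str, filter_str: str) -> list:
        m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)", filter_str)
        if m is None:
            raise ValueError(f"unsupported filter: {filter_str!r}")
        attr, raw = m.group(1).lower(), m.group(2)
        # A bare '*' is a substring wildcard; an escaped "\2a" is a literal asterisk.
        pattern = "^" + ".*".join(re.escape(_unescape(p)) for p in raw.split("*")) + "$"
        hits = []
        for dn, entry in self.entries.items():
            value = entry["attrs"].get(attr)
            if (dn.lower().endswith(base_dn.lower()) and value is not None
                    and re.fullmatch(pattern, value, re.IGNORECASE)):
                hits.append(dn)
        return hits


def authenticate(directory, cfg: dict, login_name: str, password: str):
    """The two Test buttons in sequence: bind as the service account, look the login
    name up under the Base DN, then bind as the single entry that was found."""
    if not directory.simple_bind(cfg["bind_dn"], cfg["bind_password"]):
        return False, "bind test failed"
    if password == "":
        return False, "empty password refused"  # would otherwise be an unauthenticated bind
    hits = directory.search(cfg["base_dn"], build_user_filter(cfg["user_attribute"], login_name))
    if len(hits) != 1:
        return False, f"expected exactly one entry, got {len(hits)}"
    if not directory.simple_bind(hits[0], password):
        return False, "user bind failed"
    return True, hits[0]


# Constructed sample directory and a configuration mirroring the Servers tab fields.
DIRECTORY = FakeDirectory({
    "CN=svc-utm,OU=Service Accounts,DC=intranet,DC=example,DC=com":
        {"password": "S3rvice-Bind!", "attrs": {"cn": "svc-utm"}},
    "UID=jdoe,OU=RnD,DC=intranet,DC=example,DC=com":
        {"password": "correct horse", "attrs": {"uid": "jdoe", "sn": "Doe"}},
    "UID=asmith,OU=RnD,DC=intranet,DC=example,DC=com":
        {"password": "battery staple", "attrs": {"uid": "asmith", "sn": "Smith"}},
})
CONFIG = {
    "server": "ldap.intranet.example.com", "ssl": True, "port": 636,
    "bind_dn": "CN=svc-utm,OU=Service Accounts,DC=intranet,DC=example,DC=com",
    "bind_password": "S3rvice-Bind!",
    "user_attribute": "uid",
    "base_dn": "OU=RnD,DC=intranet,DC=example,DC=com",
}

if __name__ == "__main__":
    print(server_url(CONFIG))
    for name, pw in [("jdoe", "correct horse"), ("jdoe", "wrong"), ("jdoe", ""), ("*", "correct horse")]:
        print(f"{name!r} / {pw!r}: {authenticate(DIRECTORY, CONFIG, name, pw)}")
```

Running it shows the four outcomes a test user exercise should produce: success with the right password, failure with a wrong one, refusal of an empty password even though the stand-in server would have accepted the bind, and zero matches for the login name "*" because the escaped filter (uid=\2a) matches only a literal asterisk, whereas the raw filter (uid=*) would match both users. Whether the UTM applies exactly these two extra checks is not stated on this page; they are what to confirm with a test user before relying on the configuration.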