Enable LDAP/LDAPS Authentication

Note: When configuring the LDAP server, the query string format on the server should contain the name of the group configured on SX II.

You can use the Lightweight Directory Access Protocol (LDAP) to authenticate SX II users instead of local authentication.

Lightweight Directory Access Protocol (LDAP/LDAPS) is a networking protocol for querying and modifying directory services running over TCP/IP.

A client starts an LDAP session by connecting to an LDAP/LDAPS server (the default TCP port is 389). The client then sends operation requests to the server, and the server sends responses in turn.

Reminder: Microsoft Active Directory functions natively as an LDAP/LDAPS authentication server.

1. Click User Management > Authentication Settings to open the Authentication Settings page.
2. Select the LDAP radio button to enable the LDAP section of the page.

   The LDAP section expands. If it does not, click on the LDAP section header.

   Server Configuration

   

3. In the Primary LDAP Server field, type the IP address or host name of your LDAP/LDAPS remote authentication server.
4. Optional In the Secondary LDAP Server field, type the IP address or host name of your backup LDAP/LDAPS server (up to 256 characters). When the Enable Secure LDAP option is selected, the DNS name must be used. Note that the remaining fields share the same settings with the Primary LDAP Server field.
5. Select the type of External LDAP Server.
   • Generic LDAP Server.
   • Microsoft Active Directory. Active Directory is an implementation of LDAP/LDAPS directory services by Microsoft for use in Windows environments.
     • Type the name of the Active Directory Domain if you selected Microsoft Active Directory. For example, acme.com. Consult your Active Directive Administrator for a specific domain name. Optional
6. In the User Search DN field, enter the Distinguished Name of where in the LDAP database you want to begin searching for user information. An example base search value might be: cn=Users,dc=raritan,dc=com. Consult your authentication server administrator for the appropriate values to enter into these fields.

   Complete this field if your LDAP server only allows administrators to search user information using the Administrative User role.

   Consult your authentication server administrator for the appropriate values to type into this field.

   An example DN of Administrative User value might be: cn=Administrator,cn=Users,dc=testradius,dc=com. Optional

7. If you entered a Distinguished Name for the Administrative User, you must enter the password that will be used to authenticate the Administrative User's DN against the remote authentication server.

   Enter the password in the Secret Phrase field and again in the Confirm Secret Phrase field.

   LDAP/LDAP Secure

   

8. Select the "Enable Secure LDAP" checkbox if you would like to use SSL.

   This will enable the Enable LDAPS Server Certificate Validation checkbox.

   Secure Sockets Layer (SSL) is a cryptographic protocol that allows SX II to communicate securely with the LDAP/LDAPS server.

   When the "Enable Secure LDAP" option is selected and the "Enable LDAPS Server Certificate Validation" option is selected, the DNS name must be used to match the CN of LDAP server certificate.

9. The default Port is 389. Either use the standard LDAP TCP port or specify another port.
10. The default Secure LDAP Port is 636. Either use the default port or specify another port. This field is only used when the Enable Secure LDAP checkbox is selected.
11. Select the "Enable LDAPS Server Certificate Validation" checkbox to use the previously uploaded root CA certificate file to validate the certificate provided by the server.

    If you do not want to use the previously uploaded root CA certificate file, leave this checkbox deselected.

    Disabling this function is the equivalent of accepting a certificate that has been signed by an unknown certifying authority. This checkbox is only available when the Enable Secure LDAP checkbox has been enabled.

    Note: When the Enable LDAPS Server Certificate Validation option is selected, in addition to using the Root CA certificate for validation, the server hostname must match the common name provided in the server certificate.

12. If needed, upload the Root CA Certificate File.

    This field is enabled when the Enable Secure LDAP option is selected.

    Consult your authentication server administrator to get the CA certificate file in Base64 encoded X-509 format for the LDAP/LDAPS server.

    Use Browse to navigate to the certificate file.

    If you are replacing a certificate for the LDAP/LDAPS server with a new certificate, you must reboot the SX II in order for the new certificate to take effect.

    Test LDAP Server Access

    

13. To test the LDAP configuration, enter the login name and password in the "Login for testing" field and the "Password for testing" field, respectively. Click Test.

    This is the username and password you entered to access the SX II. It is also username and password the LDAP server uses to authenticate you.

    The SX II then tests the LDAP configuration from the Authentication Settings page. This is helpful due to the complexity sometimes encountered when configuring the LDAP server and SX II for remote authentication.

    Once the test is completed, a message is displayed that lets you know the test was successful or, if the test failed, a detailed error message is displayed. It also can display group information retrieved from remote LDAP server for the test user in case of success.