Dell SMA 200 Administration Manual page 408

into the SMA/SRA appliance with LDAP authentication, the username should be provided in one of the
following ways. If a login name is supplied, that name is used to bind to the tree. If the field is blank, you
need to log in with the full name. If the field is filled in with a full login name, users log in with the
sAMAccountName.
If no attributes are defined for a group, then any user authenticated by the LDAP server can be a member of it.
If multiple groups are defined and a user meets all the LDAP attributes of two groups, the user is placed in
the group with the most LDAP attributes defined. If the matching groups have an equal number of attributes,
the tie is broken by the alphabetical order of the group names.
If an LDAP user fails to meet the LDAP attributes of every LDAP group configured on the SMA/SRA appliance,
the user cannot log in to the portal. The LDAP attributes feature therefore not only lets the administrator
create individual rules based on an LDAP group or organization, it also lets the administrator restrict portal
login to certain LDAP users. Note that a group with no attributes matches every LDAP user and so removes that
restriction, although it always loses to a group that has attributes defined.
Example of LDAP Users and Attributes
If a user is manually added to a group on the appliance, that setting takes precedence over the LDAP attributes.
For example, an LDAP attribute objectClass="Person" is defined for group Group1 and an LDAP attribute
memberOf="CN=WINS Users,DC=sonicwall,DC=net" is defined for Group2.
If user Jane is defined by the LDAP server as a member of the Person object class but is not a member of the
WINS Users group, Jane is a member of SMA/SRA appliance Group1.
But if the administrator manually adds the user Jane to SMA/SRA appliance Group2, the LDAP attributes are
ignored and Jane is a member of Group2.
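The matching rules above (every attribute of a group must match, the matching group with the most attributes wins, ties go to alphabetical order, a manual assignment overrides matching, and no match denies login), as an added Python example that is not code from the manual or from the appliance. The user entries, the group names and the attribute sets are constructed; Group1 and Group2 follow the manual's example. Two details are assumptions because the page does not state them: comparisons are treated as case-insensitive (as LDAP's own matching rules are for objectClass and DN-valued attributes such as memberOf), and a tie goes to the group whose name sorts first.

```python
"""Added example (not SonicWALL's code): models the appliance's documented
LDAP-attribute group-matching rules over constructed directory entries."""
from typing import Dict, List, Optional, Tuple

# An LDAP entry: attribute -> list of values (memberOf and objectClass are
# multi-valued in Active Directory).
Entry = Dict[str, List[str]]
# A group definition: the (attribute, value) pairs the appliance requires.
GroupDef = List[Tuple[str, str]]

# Constructed sample entries, loosely modelled on what Active Directory
# returns for user objects under DC=sonicwall,DC=net.
USERS: Dict[str, Entry] = {
    "jane": {
        "sAMAccountName": ["jane"],
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "memberOf": ["CN=Domain Users,CN=Users,DC=sonicwall,DC=net"],
        "msNPAllowDialin": ["FALSE"],
    },
    "bob": {
        "sAMAccountName": ["bob"],
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "memberOf": ["CN=WINS Users,DC=sonicwall,DC=net",
                     "CN=Domain Users,CN=Users,DC=sonicwall,DC=net"],
        "msNPAllowDialin": ["FALSE"],
    },
    "carol": {
        "sAMAccountName": ["carol"],
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "memberOf": ["CN=WINS Users,DC=sonicwall,DC=net"],
        "msNPAllowDialin": ["TRUE"],
    },
}

# Constructed appliance groups. Group1/Group2 are the manual's example;
# Group3 (hypothetical) shows a group with two attributes.
GROUPS: Dict[str, GroupDef] = {
    "Group1": [("objectClass", "Person")],
    "Group2": [("memberOf", "CN=WINS Users,DC=sonicwall,DC=net")],
    "Group3": [("memberOf", "CN=WINS Users,DC=sonicwall,DC=net"),
               ("msNPAllowDialin", "FALSE")],
}


def attribute_matches(entry: Entry, attr: str, wanted: str) -> bool:
    """True if any value of `attr` on the entry equals `wanted`.

    Assumption: the comparison is case-insensitive, as LDAP's matching rules
    are for objectClass and DN values; the manual does not say what the
    appliance does."""
    return any(v.lower() == wanted.lower() for v in entry.get(attr, []))


def group_matches(entry: Entry, requirements: GroupDef) -> bool:
    """A group with no attributes admits any LDAP-authenticated user;
    otherwise every attribute must match (all() of an empty list is True)."""
    return all(attribute_matches(entry, a, v) for a, v in requirements)


def resolve_group(username: str, users: Dict[str, Entry],
                  groups: Dict[str, GroupDef],
                  manual: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the appliance group the user lands in, or None to deny login.

    Precedence, per the manual: a manual assignment wins over attribute
    matching; otherwise the matching group with the most attributes wins,
    and a tie goes to the alphabetically first group name (assumption)."""
    manual = manual or {}
    if username in manual:
        return manual[username]
    entry = users.get(username)
    if entry is None:
        return None
    candidates = [name for name, reqs in groups.items()
                  if group_matches(entry, reqs)]
    if not candidates:
        return None
    return sorted(candidates, key=lambda n: (-len(groups[n]), n))[0]


if __name__ == "__main__":
    for user in USERS:
        print(user, "->", resolve_group(user, USERS, GROUPS))
    print("jane (manually in Group2) ->",
          resolve_group("jane", USERS, GROUPS, {"jane": "Group2"}))
```

Carol is the case to watch: she satisfies Group1 and Group2 equally, so the alphabetical tie-break puts her in the catch-all Group1 rather than the WINS-specific Group2. If that is not what you want, give the more specific group an additional attribute so it wins on count rather than on name.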
Sample LDAP Attributes
You can enter up to four LDAP attributes per group. The following are some example LDAP attributes of Active
Directory LDAP users:
name="Administrator"
memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"
objectClass="user"
msNPAllowDialin="FALSE"
Querying an LDAP Server
If you would like to query your LDAP or Active Directory server to find out the LDAP attributes of your users,
there are several different methods. From a machine with LDAP search tools (for example, a Linux machine with
OpenLDAP installed) run the following command:
ldapsearch -h 10.0.0.5 -x -D "cn=demo,cn=users,dc=sonicwall,dc=net" -w demo123 -b "dc=sonicwall,dc=net" > /tmp/file
Where:
10.0.0.5 is the IP address of the LDAP or Active Directory server
cn=demo,cn=users,dc=sonicwall,dc=net is the distinguished name of an LDAP user
demo123 is the password for the user demo
dc=sonicwall,dc=net is the base domain that you are querying
> /tmp/file is optional and defines the file where the LDAP query results are saved.
Note that -w places the bind password on the command line, where other users on the machine can read it from
the process list and where it is kept in the shell history; use -W to be prompted for it instead, or -y with a
file that contains it. Likewise, -h connects over plain LDAP, so the password and the query results cross the
network in clear text; if the server offers LDAPS, use -H ldaps://10.0.0.5 in place of -h 10.0.0.5. The bind
account only needs read access to the directory.
For instructions on querying an LDAP server from a Windows server, refer to:
http://technet.microsoft.com/en-us/library/cc783845(v=ws.10).aspx
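As an added example (not from the manual), a Python script that parses the LDIF ldapsearch writes to /tmp/file and lists the attribute="value" pairs, in the manual's notation, that an entry would satisfy if entered on a group, together with a builder for a tighter form of the query above: LDAPS instead of -h, a prompted password instead of -w on the command line, one user selected by filter, and only the attributes of interest. The LDIF below is constructed, not a real capture; the host, DNs and account name are the manual's placeholders; and the user-supplied name is escaped per RFC 4515 so it cannot change the meaning of the filter.

```python
"""Added example (not SonicWALL's code): read ldapsearch LDIF output and list
attribute="value" pairs for an appliance group; build a tighter query."""
import base64
import shlex
from typing import Dict, List

# Attributes the manual's samples use; the appliance accepts up to four per group.
INTERESTING = ("name", "sAMAccountName", "objectClass", "memberOf", "msNPAllowDialin")

# Constructed sample (not a capture) shaped like `ldapsearch -LLL` output for one
# AD user. It includes a base64 value ("::") and a folded continuation line
# (leading space), both of which real LDIF output contains.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,CN=Users,DC=sonicwall,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jane Doe
name:: SmFuZSBEb2U=
sAMAccountName: jane
memberOf: CN=WINS Users,DC=sonicwall,DC=net
memberOf: CN=Terminal Server Computers,CN=Users,DC=sonicwa
 ll,DC=net
msNPAllowDialin: FALSE
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into one dict per entry; every attribute maps to a list of
    values because memberOf and objectClass are multi-valued."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:                   # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue                               # ldapsearch comments / header
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    # "search: 2" / "result: 0 Success" trailers have no dn; drop them.
    return [e for e in entries if "dn" in e]


def candidate_attributes(entry: Entry) -> List[str]:
    """The attribute="value" strings, in the manual's notation, that this
    entry would satisfy if entered on a group."""
    return [f'{attr}="{v}"' for attr in INTERESTING for v in entry.get(attr, [])]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a value containing * ( ) backslash or NUL cannot
    change the meaning of the search filter it is embedded in."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def ldapsearch_argv(host: str, bind_dn: str, base_dn: str, sam_account_name: str) -> List[str]:
    """argv for a tighter form of the manual's query: LDAPS instead of -h
    (cleartext), -W (prompt) instead of -w <password> on the command line,
    one user selected by filter, and only the attributes of interest."""
    flt = f"(sAMAccountName={escape_filter_value(sam_account_name)})"
    return ["ldapsearch", "-LLL", "-H", f"ldaps://{host}", "-x", "-D", bind_dn, "-W",
            "-b", base_dn, flt, *INTERESTING]


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0])
        for line in candidate_attributes(entry):
            print("  ", line)
    argv = ldapsearch_argv("10.0.0.5", "cn=demo,cn=users,dc=sonicwall,dc=net",
                           "dc=sonicwall,dc=net", "jane")
    print(" ".join(shlex.quote(a) for a in argv))
```

To use it against real output, replace SAMPLE_LDIF with the contents of /tmp/file. The folded memberOf value in the sample is why the unfolding step matters: without it the second group DN would be cut off at "DC=sonicwa" and never match the value entered on the appliance.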
Dell SonicWALL Secure Mobile Access 8.5
Administration Guide
408
This manual also applies to: SMA 400, SRA 1600, SRA 4600, SMA 500v