NETGEAR STM150 - ProSecure Web And Email Threat Management Appliance Reference Manual page 158

Web/email security threat management appliance

How an Active Directory Works
Understanding how a typical Active Directory (AD) works might be of help when you are
specifying the settings for the LDAP and Active Directory domains on the STM.
The following applies to a typical AD:
- Organizational unit (OU), common name (CN), and domain controller (DC) can all be
  used to build a search base in the AD. The following applies to the OU and CN
  containers:
  - An AD administrator can create an OU but cannot create a CN that was built in the AD
    server.
  - An AD administrator can apply a global policy object (GPO) to an OU but not to a CN.
- An OU is created in the root node (for example, dc=companyname, dc=com) of the
  hierarchy. In a company AD, an OU often represents a regional office or department.
- A group is created under cn=users.
- A user is created under each OU so that the user can logically show in a tree of the AD
  server.
- A relationship between a group and users is built using their attributes (by default:
  member and memberOf). These show in a lookup result.
The following is an example of how to set the search base:
If, in a company AD server, "cn=users" and "ou=companyname" are both specified under
"dc=companyname,dc=com," the search base needs to be set as "dc=companyname,dc=com"
in order for the STM to search both users and groups.
If the size limit is exceeded so that "dc=companyname,dc=com" misses some entries during
the lookup process, a user can still be correctly authenticated. However, to prevent the size
limit from being exceeded, an AD administrator needs to set a larger value in the LDAP
server configuration so that the entire list of users and groups is returned in the lookup result.
Another workaround is to use a specific search name or a name with a wildcard in the lookup
process, so that only a subset of the entire list is returned in the lookup result.
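The search-base and size-limit behavior described above, modeled in Python as an added example (not taken from the NETGEAR manual or the STM firmware). The directory entries, the user and group names, and the helper functions are constructed for illustration; a real AD server evaluates the search base, filter, and size limit on the server side.

```python
import re

ROOT = "dc=companyname,dc=com"
# Constructed sample directory: groups live under cn=users, users under the OU.
DIRECTORY = {
    f"cn=Sales,cn=users,{ROOT}": {"cn": "Sales", "member": [f"cn=Jamie Hanson,ou=companyname,{ROOT}"]},
    f"cn=Support,cn=users,{ROOT}": {"cn": "Support", "member": [f"cn=Jordan Lee,ou=companyname,{ROOT}"]},
    f"cn=Jamie Hanson,ou=companyname,{ROOT}": {"cn": "Jamie Hanson", "memberOf": [f"cn=Sales,cn=users,{ROOT}"]},
    f"cn=Jordan Lee,ou=companyname,{ROOT}": {"cn": "Jordan Lee", "memberOf": [f"cn=Support,cn=users,{ROOT}"]},
    f"cn=Jo Park,ou=companyname,{ROOT}": {"cn": "Jo Park", "memberOf": []},
}

def rdns(dn):
    """Split a DN into normalized RDNs (naive: sample DNs contain no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_subtree(dn, base):
    """True if dn is the base entry itself or lies below it in the tree."""
    entry, root = rdns(dn), rdns(base)
    return entry[-len(root):] == root

def name_matches(value, pattern):
    """LDAP-style substring match: '*' is the only wildcard, case-insensitive."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def search(base, name="*", size_limit=0):
    """Subtree search on cn. Returns (matching DNs, truncated flag); 0 means no limit."""
    hits = [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base) and name_matches(attrs["cn"], name)]
    if size_limit and len(hits) > size_limit:
        return hits[:size_limit], True  # models a size-limit-exceeded result
    return hits, False

def groups_of(user_cn, base):
    """Group CNs visible under `base` whose member attribute lists the user."""
    users, _ = search(base, user_cn)
    return [attrs["cn"] for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base) and any(u in attrs.get("member", []) for u in users)]

if __name__ == "__main__":
    print(groups_of("Jamie Hanson", f"ou=companyname,{ROOT}"))  # OU-only base: groups not visible
    print(groups_of("Jamie Hanson", ROOT))                      # root base: users and groups
    print(search(ROOT, size_limit=3))                           # full listing is truncated
    print(search(ROOT, "J*", size_limit=3))                     # wildcard subset fits the limit
```

With the OU as the search base the user is found but no group is, because the groups sit under cn=users; only the root base covers both containers.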
How to Bind a Distinguished Name in an LDAP Configuration
Understanding how to bind a distinguished name (DN) in an LDAP configuration might be of
help when you are specifying the settings for the LDAP and Active Directory domains on the
STM.
To bind a user with the name Jamie Hanson with the LDAP server:
Note: In this example, the LDAP domain name is ABC.com, and the LDAP
server has the IP address 192.168.35.115 on port 389.
1. On a computer that has access to the Active Directory (AD), open the Active Directory
   for Users and Computers.
2. Select the user Jamie Hanson.
158 |
Chapter 5. Managing Users, Groups, and Authentication
ProSecure Web/Email Security Threat Management (STM) Appliance


This manual is also suitable for:

Prosecure stm300, Prosecure stm600
