D-Link NetDefendOS User Manual page 621

dot separated set of labels, for example, myldapserver.local.eu.com.
This option is only available if the Server Type is NOT set to Other.
This option can be left empty but is required if the LDAP server requires the domain name
when performing a bind request.
Optional Settings
There is one optional setting:
• Password Attribute
The password attribute specifies the ID of the tuple on the LDAP server that contains the
user's password. The default ID is userPassword.
This option should be left empty unless the LDAP server is being used to authenticate users
connecting via PPP with CHAP, MS-CHAPv1, MS-CHAPv2 or when using SSL VPN.
When it is used, it determines the ID of the data field in the LDAP server database which
contains the user password in plain text. The LDAP server administrator must make sure that
this field actually does contain the password. This is explained in greater detail later.
When LDAP is used with SSL VPN, the Password Attribute must be specified as userPassword or
Description based on the setting for the Agent option in the user authentication rule object.
Bind Request Authentication
LDAP server authentication is automatically configured to work using LDAP Bind Request
Authentication. This means that authentication succeeds if successful connection is made to the
LDAP server. Individual clients are not distinguished from one another.
LDAP server referrals should not occur with bind request authentication but if they do, the server
sending the referral will be regarded as not having responded.
LDAP Server Responses
When an LDAP server is queried by NetDefendOS with a user authentication request, the
following are the possible outcomes:
• The server replies with a positive response and the user is authenticated.
Clients using PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 is a special case and authentication
is actually done by NetDefendOS, as discussed later.
• The server replies with a negative response and the user is not authenticated.
• The server does not respond within the Timeout period specified for the server. If only one
server is specified then authentication will be considered to have failed. If there are alternate
servers defined for the user authentication rule then these are queried next.
Usernames may need the Domain
With certain LDAP servers, the domain name may need to be combined with the username when
621
Chapter 8: User Authentication