Use The Ldap Authentication Test Feature; Configure Groups For Ldap Authentication - Watchguard Firebox X15 User Manual

Firebox X Edge e-Series version 10, all Firebox X Edge e-Series standard and wireless models

8. In the LDAP Server Port text box, type the port number the Firebox X Edge will use for connections to the LDAP server. The default LDAP server port number is 389. Usually you do not have to change this number.
9. Use the LDAP Timeout drop-down list to select the number of seconds to use as a timeout for any LDAP operation.
10. In the Search Base text box, type the base in the LDAP directory to start the search for user account entries. This must be a legitimate LDAP DN (Distinguished Name). A Distinguished Name is a name that uniquely identifies an entry in an LDAP directory. A DN includes as many qualifiers as it must to find an entry in the directory. For example, a DN can look like this: ou=user accounts,dc=mycompany,dc=com. You can find more information about how to find your search base at: www.watchguard.com/support/faq.
11. If you select Standard LDAP as the LDAP server type, you must enter a Login Attribute Name and a Group Attribute Name in the appropriate text boxes. These text boxes do not appear if you select Active Directory as the LDAP server type.
The Login Attribute Name is the name of the login name attribute of user entries in the LDAP directory.
The Group Attribute Name is the name of the group membership attribute of user entries in the LDAP directory.
12. Select the Enable Single Sign-On (SSO) check box. For information on SSO, see About Single Sign-On.
13. Click Submit.

Use the LDAP authentication test feature

After the Firebox X Edge e-Series is configured to use LDAP authentication, you can use the LDAP authentication test feature to make sure the Edge can connect to the LDAP server. You can use the test for a specified user account to make sure that the Edge can successfully send and receive authentication requests for that user.

To use the test feature, click Test LDAP Account and type the name and password of an LDAP user account. The user name must be typed in the domain\user name format, such as mycompany\admin.

The results of the authentication attempt are shown on the screen. If the authentication is successful, the User Permissions section shows the access rights for this user account.

Configure groups for LDAP authentication

Account privileges for users that authenticate to an LDAP server are set based on group membership. The group that the user is in sets all privileges for that user except Mobile VPN with IPSec. Mobile VPN with IPSec privileges must be set at the user level.

The name you give to a group on the Firebox X Edge must match the name of the group assigned to user entries in the LDAP directory. On the Edge, there is a built-in default group. The settings of the default group apply to any LDAP user that does not belong to any group configured on the Edge. You can change the properties of the default group, but you cannot delete the default group.

If a user belongs to more than one group, the privileges for that user are set to the least restrictive settings of all groups to which the user belongs. In WebBlocker, the least restrictive profile is the profile with the lowest number of blocked categories. For a more general example, suppose a group named admins allows administrative access, the group named powerusers gives read-only access, and the group named everyone gives no administrative access. A user that belongs to all three groups gets administrative access, because that is the least restrictive setting of the three.
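The group rules above (name matching, the default group as fallback, least restrictive setting across groups, Mobile VPN with IPSec at the user level) applied to a constructed LDAP entry. This is an added example, not WatchGuard code; the privilege field names, the WebBlocker category names, and the use of the leading RDN of a memberOf DN as the group name are assumptions.

```python
# Added example (not WatchGuard code): applies the group rules described above to
# constructed LDAP entries. Field names, categories and DN handling are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class EdgeGroup:
    name: str
    admin_access: str              # "none", "read-only" or "admin"
    webblocker_blocked: frozenset  # WebBlocker categories this profile blocks

ADMIN_RANK = {"none": 0, "read-only": 1, "admin": 2}  # higher = less restrictive

def group_name(value):
    """Accept a bare group name or a DN such as cn=admins,ou=groups,dc=x.
    Assumption: the Edge matches on the leading RDN value of the DN."""
    first = value.split(",", 1)[0]
    return first.split("=", 1)[1].strip() if "=" in first else value.strip()

def resolve_privileges(entry, edge_groups, default_group, group_attr="memberOf"):
    """Effective privileges for one LDAP user entry (a dict of attributes).
    Groups not configured on the Edge are ignored; if none match, the default
    group applies. Across matched groups the least restrictive setting wins.
    Mobile VPN with IPSec is a per-user setting and never comes from a group."""
    names = [group_name(v) for v in entry.get(group_attr, [])]
    matched = [edge_groups[n] for n in names if n in edge_groups] or [default_group]
    return {
        "groups": [g.name for g in matched],
        "admin_access": max((g.admin_access for g in matched), key=ADMIN_RANK.get),
        "webblocker_blocked": min((g.webblocker_blocked for g in matched), key=len),
        "mobile_vpn_ipsec": bool(entry.get("mobileVpnIpsec", False)),
    }

# Constructed Edge configuration mirroring the admins/powerusers/everyone example.
EDGE_GROUPS = {g.name: g for g in (
    EdgeGroup("admins", "admin", frozenset({"Gambling", "Adult"})),
    EdgeGroup("powerusers", "read-only", frozenset({"Gambling", "Adult", "Games"})),
    EdgeGroup("everyone", "none", frozenset({"Gambling", "Adult", "Games", "Chat"})),
)}
DEFAULT_GROUP = EdgeGroup("default", "none",
                          frozenset({"Gambling", "Adult", "Games", "Chat", "Streaming"}))
# Constructed LDAP entries: one user in all three groups, one in an unknown group.
ALICE = {"sAMAccountName": "alice", "mobileVpnIpsec": True,
         "memberOf": ["cn=admins,ou=groups,dc=mycompany,dc=com",
                      "cn=powerusers,ou=groups,dc=mycompany,dc=com",
                      "cn=everyone,ou=groups,dc=mycompany,dc=com"]}
BOB = {"sAMAccountName": "bob", "memberOf": ["cn=sales,ou=groups,dc=mycompany,dc=com"]}

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user["sAMAccountName"], resolve_privileges(user, EDGE_GROUPS, DEFAULT_GROUP))
```

Alice gets administrative access and the two-category WebBlocker profile from admins; Bob matches no configured group and falls back to the default group, with no Mobile VPN with IPSec privilege because none is set on his entry.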
User Guide
User and Group Management
197
