Dell SonicWall SRA 4200 Administrator's Manual page 332

Sra 6.0

Step 14  Type an inactivity timeout value (in minutes) in the Inactivity Timeout field. Enter 0 (zero) to use the global inactivity timeout setting.

Step 15  Under Single Sign-On Settings, in the Automatically log into bookmarks list, select one of the following:
• Use global policy – Use the global policy for using SSO to log in to bookmarks.
• User-controlled (enabled by default for new users) – Enable SSO to log in to bookmarks for new users, and allow users to change this setting.
• User-controlled (disabled by default for new users) – Disable SSO to log in to bookmarks for new users, and allow users to change this setting.
• Enabled – Enable SSO to log in to bookmarks.
• Disabled – Disable SSO to log in to bookmarks.

Step 16  Click Accept when done.

LDAP Attribute Information

When configuring LDAP attributes, the following information may be helpful:
• If multiple attributes are defined for a group, all attributes must be met by LDAP users.
• LDAP authentication binds to the LDAP tree using the same credentials as are supplied for authentication. When used against Active Directory, this requires that the login credentials provided match the CN (common name) attribute of the user rather than sAMAccountName (login name). For example, if your NT/Active Directory login name is gkam and your full name is guitar kam, when logging into the SRA appliance with LDAP authentication, the username should be provided in the following ways: If a login name is supplied, that name is used to bind to the tree. If the field is blank, you need to log in with the full name. If the field is filled in with a full login name, users will log in with the sAMAccountName.
• If no attributes are defined, then any user authorized by the LDAP server can be a member of the group.
• If multiple groups are defined and a user meets all the LDAP attributes for two groups, then the user will be considered part of the group with the most LDAP attributes defined. If the matching LDAP groups have an equal number of attributes, then the user will be considered a member of the group based on the alphabetical order of the groups.
• If an LDAP user fails to meet the LDAP attributes for all LDAP groups configured on the SRA appliance, then the user will not be able to log into the portal. The LDAP attributes feature therefore not only allows the administrator to create individual rules based on the LDAP group or organization, it also allows the administrator to restrict portal login to certain LDAP users.

As a common example, fill out an attribute field with the memberOf= attribute, which can bundle the following common variable types:
CN= - the common name.
DN= - the distinguished name.
DC= - the domain component.

You need to provide quote delimiters around the variables you bundle in the memberOf line. Separate the variables with commas. An example of the syntax using the CN and DC variables would be:
memberOf="CN=<string>, DC=<string>"
An example of a line you might enter into the LDAP Attribute field, using the CN and DC variables, would be:
memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"
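
The group-matching rules described in this section decide which group policy a user receives, so it helps to trace them before deploying attribute rules. The Python below is an added example, not SonicWall code or part of the manual; the group names, the department attribute, the case-insensitive comparison, and "first name in alphabetical order wins a tie" are assumptions made for illustration.

```python
import re

# Constructed sample configuration: group names and the department attribute
# are illustrative; only the Terminal Server memberOf line comes from the manual.
GROUPS = {
    "Contractors": [],  # no attributes: any LDAP-authenticated user qualifies
    "Engineering": ['memberOf="CN=Engineering,CN=Users,DC=sonicwall,DC=net"'],
    "TS-Admins": [
        'memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"',
        'department="IT"',
    ],
}

ATTR_LINE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*"([^"]*)"\s*$')

def normalise(value):
    # Assumption: compare case-insensitively, ignoring spaces around commas.
    return ",".join(part.strip().lower() for part in value.split(","))

def parse_attribute(line):
    """Split name="value" into a normalised (name, value) pair."""
    m = ATTR_LINE.match(line)
    if not m:
        raise ValueError(f"attribute needs quote delimiters: {line!r}")
    return m.group(1).lower(), normalise(m.group(2))

def resolve_group(user_attrs, groups):
    """Return the group a user lands in, or None if portal login is refused.

    user_attrs maps attribute name -> list of values from the directory entry.
    """
    have = {(n.lower(), normalise(v)) for n, vals in user_attrs.items() for v in vals}
    matches = []
    for name, lines in groups.items():
        required = [parse_attribute(line) for line in lines]
        if all(req in have for req in required):    # every attribute must be met
            matches.append((-len(required), name))  # most attributes ranks first
    # Equal counts fall back to alphabetical order (assumed: first name wins).
    return min(matches)[1] if matches else None
```

Note that a group with no attributes acts as a catch-all: removing it is what makes unmatched users fail login.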
