Define LDAP domain elements

If you use an external LDAP directory for user management, you must create an LDAP Domain.

After the LDAP Domain is associated with the external server, the Management Server contacts the LDAP directory server or Active Directory Server. You can then view and edit users and user groups through the Management Client.

Note: If you use the Management Server's internal user database, the users and user groups are always stored and managed in the default InternalDomain LDAP Domain.

You can select one LDAP Domain as the global Default LDAP Domain. You can also specify the default LDAP domain for each NGFW Engine in the Engine Editor. Selecting a default LDAP domain allows users belonging to that LDAP Domain to authenticate without specifying the LDAP Domain information. Users in other LDAP Domains must specify their LDAP Domain whenever they authenticate themselves.

If you use administrative Domains, create a separate LDAP Domain in each administrative Domain to create user accounts that are specific to each Domain. You can also use LDAP Domains in different administrative Domains to point to different parts of the directory hierarchy in the same LDAP directory. The internal LDAP directory is always in the Shared Domain, which makes its contents visible in all administrative Domains. You can select one Default LDAP Domain in each administrative Domain. You can also select an LDAP Domain in the Shared Domain as the Default LDAP Domain for all administrative Domains.


Steps

  1. Select Configuration, then browse to User Authentication.
  2. Right-click Users and select New External LDAP Domain.
  3. In the Name field, enter a name for the LDAP Domain.
  4. Select Default LDAP Domain if this LDAP Domain is used for all authentication unless otherwise specified in the IPv4 Access rules.
    Note: If the LDAP Domain you are creating is not the default LDAP Domain, users must type in the domain name when they authenticate.
    Only one LDAP Domain can be the default LDAP Domain. The previous default LDAP Domain is automatically deselected.
  5. Select a server, then click Add to bind the LDAP Server to the LDAP Domain.
  6. (Optional) On the Default Authentication tab, click Select to define the allowed authentication methods for all accounts in this LDAP Domain.
    Tip: You can override the default setting by selecting different authentication methods in the User Group or User properties.
    We recommend that you set a default authentication method. If the authentication method is not defined yet, you can return to this dialog box to complete the configuration after you create the authentication method.
  7. Click OK.

External LDAP Domain Properties dialog box

Use this dialog box to configure External LDAP Domain elements.

General tab

  Name: Specifies the name of the LDAP Domain.
  Category: Shows the assigned category.
  Select: Opens the Category Selection dialog box.
  Comment: An optional comment for your own reference.
  Default LDAP Domain: When selected, specifies that the LDAP Domain is used for all authentication unless otherwise specified in the IPv4 Access rules.
    Note: The Default User Domain setting in the Advanced > Authentication settings can override this setting for individual NGFW Engines.
  Servers: Shows the available servers that can be bound to this LDAP Domain.
  Add: Adds the selected servers to the Bound Servers list.
  Remove: Removes the selected servers from the Bound Servers list.
  Bound Servers: Shows the servers that are bound to this LDAP Domain.
  Up: Moves the selected server up the list.
  Down: Moves the selected server down the list.

Default Authentication tab

  Authentication Method: Shows the authentication methods selected for the LDAP Domain.
    Note: If you use the Integrated User ID Service for user identification, the supported authentication methods for the External LDAP Domain are user password or LDAP authentication.
  Select: Opens the Select Element dialog box.