Creating the LDAP Server Profile

When you configure AsyncOS to use LDAP directories, you create an LDAP server profile to store the information about the LDAP server.

Procedure


Step 1

[New Web Interface Only] On the Security Management appliance, click to load the legacy web interface.

Step 2

Choose Management Appliance > System Administration > LDAP.

Step 3

Click Add LDAP Server Profile.

Step 4

Enter a name for the server profile in the LDAP Server Profile Name text field.

Step 5

Enter the host name for the LDAP server in the Host Name(s) text field.

You can enter multiple host names to configure the LDAP servers for failover or load-balancing. Separate multiple entries with commas. For more information, see Configuring AsyncOS to Work With Multiple LDAP Servers.

Step 6

Select an authentication method. You can use anonymous authentication or specify a user name and passphrase.

Note
You need to configure LDAP authentication to view client user IDs instead of client IP addresses on reports. Without LDAP authentication the system can only refer to users by their IP address. Choose the Use Passphrase radio button, and enter the User name and passphrase. The user name will now be seen on the User Mail Summary page.

Step 7

Select the LDAP server type: Active Directory, OpenLDAP, or Unknown or Other.

Step 8

Enter a port number.

The default port is 3268. This is the default port for Active Directory that enables it to access the global catalog in a multi-server environment.

Step 9

Enter a base DN (distinguished name) for the LDAP server.

If you authenticate with a user name and a passphrase, the user name must include the full DN to the entry that contains the passphrase. For example, a user with an email address of joe@example.com is a user of the marketing group. The entry for this user would look like the following entry:

uid=joe, ou=marketing, dc=example, dc=com

  • [Optional - Only if "Validate LDAP Server Certificate" is enabled in LDAP Global Settings]: Check whether the Custom Certificate Authority is uploaded to validate the server certificate. To add the Certificate Authority, use the certconfig > CERTAUTHORITY subcommand in the CLI.

  • [Optional - Only if "Validate LDAP Server Certificate" is enabled in LDAP Global Settings and FQDN validation is enabled in SSL Configuration settings]: Check whether the 'Common Name' field, the 'SAN: DNS Name' field, or both, as present in the server certificate, are in FQDN format.

  • [Optional - Only if "Validate LDAP Server Certificate" is enabled in LDAP Global Settings]: Check whether the 'Common Name' or 'SAN: DNS Name' fields of the server certificate contain the host name of the server. If an IP address is configured in the Host Name field, its reverse DNS name is used.

  • [Optional - Only if 'Validate LDAP Server Certificate' is enabled in the LDAP Global Settings page and X.509 validation is enabled in the SSL Configuration settings page]: Check the signature algorithm of the server certificate.

  • [Optional - Only if 'Validate LDAP Server Certificate' is enabled in the LDAP Global Settings page]: Check whether the server name is present in the 'Common Name' or 'SAN: DNS Name' fields in the server certificate.

  • [Optional - Only if 'Validate LDAP Server Certificate' is enabled in the LDAP Global Settings page]: Check the server certificate version.

    Note

    Only version 1 and version 3 server certificates are allowed.
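The optional server-certificate checks listed above, applied to fields already pulled out of a certificate, as an added example that is not part of the AsyncOS documentation or product code. It assumes the certificate fields arrive as a plain dictionary, treats MD5 and SHA-1 signatures as failing the signature-algorithm check (an assumption; the page does not name the accepted algorithms), and lets a reverse-DNS resolver be injected so the IP-address case runs offline.

```python
import ipaddress
import re
import socket

# RFC 1123 host labels, at least two labels: the page's "FQDN format" check.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z]{2,63}\.?$")

def is_fqdn(name):
    return bool(_FQDN_RE.match(name))

def expected_name(host, resolver=socket.gethostbyaddr):
    """Name the certificate must carry: the Host Name field, or its reverse DNS
    name if that field holds an IP address (resolver is injectable for tests)."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host.lower().rstrip(".")
    return resolver(host)[0].lower().rstrip(".")

def check_server_certificate(cert, host, fqdn_validation=True,
                             x509_validation=True, resolver=socket.gethostbyaddr):
    """cert = {"version": int, "common_name": str, "san_dns": [str], "sig_alg": str}.
    Returns a list of failure messages; an empty list means every check passed."""
    failures = []
    names = [n for n in [cert.get("common_name", "")] + list(cert.get("san_dns", [])) if n]
    # Certificate version: only v1 and v3 are allowed.
    if cert.get("version") not in (1, 3):
        failures.append("certificate version %r not allowed" % cert.get("version"))
    # FQDN validation (SSL Configuration): every CN / SAN DNS name must be an FQDN.
    if fqdn_validation:
        bad = [n for n in names if not is_fqdn(n)]
        if bad:
            failures.append("names not in FQDN format: %s" % ", ".join(bad))
    # X.509 validation: signature algorithm. Assumption: MD5/SHA-1 signatures fail.
    if x509_validation:
        alg = cert.get("sig_alg", "").lower()
        if "md5" in alg or "sha1" in alg:
            failures.append("weak signature algorithm: %s" % cert["sig_alg"])
    # Server name must appear in CN or SAN: DNS Name (exact, case-insensitive match).
    target = expected_name(host, resolver)
    if target not in [n.lower().rstrip(".") for n in names]:
        failures.append("server name %s not in CN or SAN: DNS Name" % target)
    return failures

# Constructed sample of an LDAP server certificate's fields (not a real certificate).
SAMPLE_CERT = {"version": 3, "common_name": "ldap1.example.com",
               "san_dns": ["ldap1.example.com", "ldap.example.com"],
               "sig_alg": "sha256WithRSAEncryption"}
```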

Step 10

Under Advanced, select whether to use SSL when communicating with the LDAP server.

Step 11

Enter the cache time-to-live. This value represents the amount of time to retain caches.

Step 12

Enter the maximum number of retained cache entries.

Step 13

Enter a maximum number of simultaneous connections.

If you configure the LDAP server profile for load balancing, these connections are distributed among the listed LDAP servers. For example, if you configure 10 simultaneous connections and load balance the connections over three servers, AsyncOS creates 10 connections to each server, for a total of 30 connections. For more information, see Load Balancing.

Note
The maximum number of simultaneous connections includes LDAP connections used for LDAP queries. However, if you enable LDAP authentication for the spam quarantine, the appliance allows 20 additional connections for the end-user quarantine, for a total of 30 connections.

Step 14

Test the connection to the server by clicking the Test Server(s) button. If you specified multiple LDAP servers, they are all tested. The results of the test appear in the Connection Status field. For more information, see Testing LDAP Servers.

Step 15

Create spam quarantine queries by selecting the check box and completing the fields.

You can configure the quarantine end-user authentication query to validate users when they log in to the end-user quarantine. You can configure the alias consolidation query so that end-users do not receive quarantine notices for each email alias. To use these queries, select the “Designate as the active query” check box. For more information, see Configuring LDAP Queries.

Step 16

Test the spam quarantine queries by clicking the Test Query button.

Enter the test parameters and click Run Test. The results of the test appear in the Connection Status field. If you make any changes to the query definition or attributes, click Update.

Note
If you have configured the LDAP server to allow binds with empty passphrases, the query can pass the test with an empty passphrase field.

Step 17

Submit and commit your changes.

Active Directory server configurations do not allow authentication through TLS with Windows 2000. This is a known issue with Active Directory. TLS authentication for Active Directory and Windows 2003 does work.

Note
Although the number of server configurations is unlimited, you can configure only one end-user authentication query and one alias consolidation query per server.
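A pre-flight check of the bind settings from Step 6 and Step 9, covering the full-DN requirement for the user name and the Step 16 note that a server allowing empty-passphrase binds lets the test query pass anyway. This is an added example, not AsyncOS code; the DN parser is a minimal RFC 4514-style splitter, and the rule that the leading RDN must be uid= or cn= is an assumption.

```python
import re

# Minimal RFC 4514-style DN splitting: unescaped commas separate RDNs, each "attr=value".
_RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)\s*=\s*(.+?)\s*$")

def parse_dn(dn):
    """Return [(attr, value), ...] as written, left to right, or raise ValueError."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = _RDN_RE.match(part)
        if not m:
            raise ValueError("malformed RDN %r" % part)
        attr, value = m.group(1).lower(), m.group(2)
        # "dc=example dc=com" parses as one RDN; an unescaped '=' in a value almost
        # always means a comma was dropped, so reject it instead of silently accepting.
        if re.search(r"(?<!\\)=", value):
            raise ValueError("unescaped '=' in value %r (missing comma?)" % value)
        rdns.append((attr, value))
    return rdns

def validate_bind_settings(auth_method, user_name, passphrase):
    """Check the Step 6 / Step 9 bind settings; returns a list of problems ([] = OK).
    auth_method is "anonymous" or "passphrase" (the Use Passphrase radio button)."""
    if auth_method == "anonymous":
        return []
    if auth_method != "passphrase":
        return ["unknown authentication method %r" % auth_method]
    problems = []
    # Step 16 note: a server that accepts empty passphrases lets the test query pass
    # anyway, so an empty passphrase is flagged here before the profile is tested.
    if not passphrase:
        problems.append("passphrase is empty: the bind would be unauthenticated")
    try:
        rdns = parse_dn(user_name)
    except ValueError as err:
        return problems + ["user name is not a DN: %s" % err]
    attrs = [a for a, _ in rdns]
    # Assumption: the leading RDN names the user entry itself (uid= or cn=).
    if attrs[0] not in ("uid", "cn"):
        problems.append("user name must start with the user's own RDN, e.g. uid=")
    if "dc" not in attrs:
        problems.append("user name must be the full DN, including the dc= components")
    return problems
```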