Authentication: LDAP

About the Page

Authentication: LDAP allows you to configure authentication for LDAP. Of the available authentication methods, LDAP requires the most settings to configure and the most specialized knowledge: you must have some basic familiarity with LDAP syntax. You must also have an LDAP server if you want Access Server to authenticate using the LDAP protocol.

LDAP Settings

In this section, you can enable LDAP authentication, SSL connections, case-sensitive account name matching, and autologin profile behavior.

Enable LDAP authentication

Set the toggle to Yes to enable LDAP as the default authentication or for assigned users and groups. For example, you can create administrators for Access Server that use local authentication, and use LDAP authentication for VPN users.

With the toggle set to No, LDAP authentication isn’t used as an additional authentication method.

Note: You can’t set LDAP as the default authentication on the Authentication: Settings page until you’ve configured LDAP and set this toggle to Yes.

Use SSL to connect to LDAP servers

This setting establishes a secure, SSL-protected connection to the LDAP server(s) for all LDAP operations.

Account names are case-sensitive

This setting determines whether username matching during authentication is case-sensitive.

Re-verify autologin user on connect

When enabled, this check forces Access Server to verify that the user still exists in the LDAP directory whenever they connect with an autologin profile. If disabled, a user whose account matched an entry on the LDAP server when the autologin profile was downloaded, but has since been removed from the LDAP directory, could still connect with that profile.

LDAP Server

In this section, you can define settings for Access Server to properly look up user credentials with an LDAP server when attempting to authenticate.

Note: These settings don’t affect the configuration of your LDAP server. Access Server only looks up the provided credentials and grants VPN access if the LDAP server has matching credentials and conditions for access defined in Access Server are met.

Primary Server

Define the primary LDAP server, either as a hostname or IP address.

Secondary Server

(Optional) Define the secondary LDAP server. If present, Access Server attempts to communicate with the secondary server if the connection to the primary server fails.

Credentials for Initial Bind

This setting determines whether Access Server binds to the LDAP server anonymously or with specified credentials for the initial bind. We recommend using credentials as a security best practice.

Base DN for User Entries

Access Server uses this base distinguished name (DN) to perform an LDAP query to find the user's entry.

Username Attribute

The username attribute is the field name from the LDAP attributes of your LDAP server that represents the user ID, such as uid or sAMAccountName.

LDAP filter (optional)

You can use this optional setting to specify a restriction (in LDAP query form) on a user's LDAP entry that must be true for the authentication to succeed. You can use this to require membership in a particular LDAP group (specified by its group DN) for all users permitted to authenticate to the Access Server.
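The Username Attribute and the optional LDAP filter together determine which entry a login name resolves to. The following added example (not Access Server's own code; how Access Server assembles its query internally is an assumption here) shows how the two settings combine into one RFC 4515 search filter, and why the login name must be escaped before it is placed inside the filter: the attribute name and the administrator-supplied filter are trusted configuration, while the typed username is untrusted input. The filter strings and group DN are constructed sample values.

```python
"""Combine the "Username Attribute" and optional "LDAP filter" settings
into a single LDAP search filter.  Illustrative only, not Access Server's
implementation; the group DN used in the demo is a constructed sample."""

# RFC 4515 escaping for characters that have meaning inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username_attr: str, username: str, extra_filter: str = "") -> str:
    """Return the search filter that selects the user's entry.

    username_attr : the configured Username Attribute (e.g. uid, sAMAccountName)
    username      : the login name typed by the user (untrusted, escaped)
    extra_filter  : the optional administrator-supplied LDAP filter, e.g. a
                    memberOf restriction; trusted configuration, used as-is
    """
    # Attribute descriptions are letters, digits and hyphens; reject anything else.
    if not username_attr or not username_attr.replace("-", "").isalnum():
        raise ValueError(f"invalid attribute name: {username_attr!r}")
    user_clause = f"({username_attr}={escape_filter_value(username)})"
    extra = extra_filter.strip()
    if not extra:
        return user_clause
    if not (extra.startswith("(") and extra.endswith(")")):
        extra = f"({extra})"      # tolerate a bare "memberOf=..." restriction
    # AND the two clauses: the entry must match the user AND satisfy the filter.
    return f"(&{user_clause}{extra})"


if __name__ == "__main__":
    group_dn = "cn=vpn-users,ou=groups,dc=example,dc=com"   # constructed sample
    print(build_user_filter("uid", "alice"))
    print(build_user_filter("sAMAccountName", "bob", f"(memberOf={group_dn})"))
    # A login name containing filter syntax is matched literally, not interpreted.
    print(build_user_filter("uid", "x)(uid=*", f"memberOf={group_dn}"))
```

The last call shows the escaping at work: the parentheses and wildcard in the typed name are encoded, so the restriction supplied in the LDAP filter setting cannot be bypassed by the value a user types at login.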

Summary

Authentication: LDAP allows you to configure the settings for authenticating users with an LDAP server. You must define these settings if you want to secure authentication with the constraints defined by your LDAP server. Refer to Access Server LDAP for more information and documentation to connect with LDAP authentication services.