Authentication: LDAP

About the Page

Authentication: LDAP allows you to configure the authentication protocol for LDAP. Of the available authentication methods, LDAP requires the most settings and the most specialized knowledge: you need a basic understanding of LDAP syntax (distinguished names, attributes, and search filters). You must also have an LDAP server if you want Access Server to authenticate using the LDAP protocol.

LDAP in use

The first section displays whether LDAP is the default authentication method for users and groups. By default, this section displays “LDAP is NOT in use”, and the default authentication method is local. When you set LDAP as the default, it displays “LDAP in use”.

LDAP Settings

In this section, you can define settings for Access Server to properly look up user credentials with an LDAP server when attempting to authenticate.

Note: These settings don’t affect the configuration of your LDAP server. Access Server only looks up the provided credentials and grants VPN access if the LDAP server has matching credentials and conditions for access defined in Access Server are met.

Allow LDAP authentication

Set the toggle to Yes for allowing LDAP authentication for assigned users and groups in addition to the default authentication method. For example, you can create administrators for Access Server that use local authentication, and use LDAP authentication for VPN users.

With the toggle set to No, LDAP authentication isn’t used as an additional authentication method.

Note: If you set LDAP as the default authentication, your users and groups assigned to the default method authenticate against LDAP, whether or not this toggle is set to Yes.

Primary Server

Define the primary LDAP server, either as a hostname or IP address.

Secondary Server

(Optional) Define the secondary LDAP server. If present, Access Server attempts to communicate with the secondary server if the connection to the primary server fails.

Use SSL to connect to LDAP servers

This setting establishes a secure, SSL-protected connection to the LDAP server(s) for all LDAP operations. Without it, the initial bind credentials and the user passwords Access Server checks travel to the LDAP server in clear text.

Case-sensitive Login

This setting determines whether usernames are matched case-sensitively when looking up and authenticating a user.

Credentials for Initial Bind

This setting determines whether Access Server binds to the LDAP server anonymously or with specified credentials for the initial bind (the bind used to look up the user's entry before the user's own password is checked). We recommend using credentials as a security best practice.

Base DN for User Entries

Access Server uses this base distinguished name (DN) to perform an LDAP query to find the user's entry.

Username Attribute

The username attribute is the field name from the LDAP attributes of your LDAP server that represents the user ID, such as uid or sAMAccountName.

Perform check if an account is valid and allowed for VPN usage

When enabled, this check forces Access Server to verify that the user still exists in the LDAP directory when the user connects with an autologin profile. If disabled, a user who downloaded an autologin profile while their account matched a user on the LDAP server, and whose account has since been removed from the LDAP directory, could still connect with that autologin profile.

Additional LDAP Requirements

You can use this optional setting to specify a restriction (in LDAP query form) on a user's LDAP entry that must be true for the authentication to succeed. You can use this to require membership in a particular LDAP group (specified by its group DN) for all users permitted to authenticate to the Access Server.
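The settings above describe one lookup sequence: initial bind, search under the base DN by the username attribute, bind as the found user, then evaluate the additional requirements filter; the autologin check re-runs only the existence lookup. The following Python model is an added example, not OpenVPN's or Access Server's code. It replaces the real LDAP server with a constructed in-memory directory (the `DIRECTORY` dict; the DNs, `LdapSettings` field names and the `svc-openvpn` service account are all assumptions) so the sequence can be traced offline, including the cases a practitioner cares about: a wrong initial bind, a case-insensitive match, a user outside the required group, a deleted account connecting with an autologin profile, and an empty password, which a real LDAP server would accept as an unauthenticated bind.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory standing in for an LDAP server: DN -> attributes.
# Attribute values are lists because LDAP attributes are multi-valued.
DIRECTORY = {
    "cn=svc-openvpn,ou=service,dc=example,dc=com": {"userPassword": ["bind-secret"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"], "userPassword": ["alice-pw"],
        "memberOf": ["cn=vpnusers,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"], "userPassword": ["bob-pw"],
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=com"]},
}


@dataclass
class LdapSettings:
    """Hypothetical names for the fields on the Authentication: LDAP page."""
    base_dn: str = "ou=people,dc=example,dc=com"
    username_attr: str = "uid"
    case_sensitive: bool = False
    bind_dn: Optional[str] = "cn=svc-openvpn,ou=service,dc=example,dc=com"  # None = anonymous
    bind_password: Optional[str] = "bind-secret"
    additional_requirements: str = "(memberOf=cn=vpnusers,ou=groups,dc=example,dc=com)"
    check_account_valid: bool = True


def bind(directory, dn, password):
    """Simple bind: True if the DN exists and the password matches; dn=None is anonymous."""
    if dn is None:
        return True
    entry = directory.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def parse_filter(text):
    """Parse the filter subset used for Additional LDAP Requirements:
    (attr=value), (&(..)(..)), (|(..)(..)), (!(..)). Values may not contain ')'."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op, pos = text[pos], pos + 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr, value)

    parsed = node()
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return parsed


def matches(entry, node):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    op = node[0]
    if op == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    results = [matches(entry, child) for child in node[1]]
    return all(results) if op == "&" else any(results) if op == "|" else not any(results)


def find_user_dn(directory, settings, username):
    """Search the subtree under the base DN for exactly one entry whose username attribute matches."""
    def same(a, b):
        return a == b if settings.case_sensitive else a.lower() == b.lower()
    hits = [dn for dn, attrs in directory.items()
            if dn.lower().endswith("," + settings.base_dn.lower())
            and any(same(v, username) for v in attrs.get(settings.username_attr, []))]
    return hits[0] if len(hits) == 1 else None  # missing or ambiguous -> no DN


def authenticate(directory, settings, username, password):
    """Initial bind, user lookup, bind as the user, then the optional requirements filter."""
    if not bind(directory, settings.bind_dn, settings.bind_password):
        return (False, "initial bind failed")
    user_dn = find_user_dn(directory, settings, username)
    if user_dn is None:
        return (False, "user not found under base DN")
    # An empty password must be rejected locally: LDAP treats it as an
    # unauthenticated bind that succeeds without proving anything.
    if not password or not bind(directory, user_dn, password):
        return (False, "user bind failed")
    if settings.additional_requirements and not matches(
            directory[user_dn], parse_filter(settings.additional_requirements)):
        return (False, "additional LDAP requirements not met")
    return (True, user_dn)


def autologin_allowed(directory, settings, username):
    """Autologin profile: with the validity check on, the account must still exist in LDAP."""
    if not settings.check_account_valid:
        return True  # the profile alone is trusted, so a removed account still connects
    if not bind(directory, settings.bind_dn, settings.bind_password):
        return False
    return find_user_dn(directory, settings, username) is not None
```

Running `authenticate(DIRECTORY, LdapSettings(), "bob", "bob-pw")` returns `(False, "additional LDAP requirements not met")` even though Bob's password is correct, which is the group-membership restriction the setting above describes; `autologin_allowed(DIRECTORY, LdapSettings(check_account_valid=False), "carol")` returns `True` for an account that does not exist, which is the stale-profile risk the validity check closes.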

Summary

Authentication: LDAP allows you to configure the settings for authenticating users with an LDAP server. You must define these settings if you want to secure authentication with the constraints defined by your LDAP server. Refer to Access Server LDAP for more information and documentation to connect with LDAP authentication services.