
Set Private LDAP authentication for Users

Abstract

CloudConnexa supports one form of user authentication at a time. CloudConnexa (Email/Password) authentication is the default user authentication. Private LDAP authentication can be set up for user authentication.

CloudConnexa supports one form of user authentication at a time. CloudConnexa (Email/Password) authentication is the default user authentication. Other means of user authentication are SAML and LDAP. The authentication check is performed, as applicable, whenever the User/Administrator attempts to:

  1. Sign in to the User/Administration portal.

  2. Sign in with the OpenVPN Connect app to add a connection Profile.

  3. Connect to WPC using the OpenVPN Connect app.

Note

The Owner will always use the credentials (email and password) set when creating the CloudConnexa account for login, profile download, and connection. This LDAP authentication method applies to Users and Administrators of the WPC.

The LDAP server to be used for authentication must be reachable via CloudConnexa. The LDAP Server can be on a network connected to your WPC, or the Connector software can be installed on DNS Servers to connect them as Hosts to the WPC. Alert notifications can be set for any LDAP connectivity issues.

Once the LDAP Servers are reachable, to use them for the user authentication method, follow the steps below:

Note

Users using the previous authentication method will be suspended upon changing the User Authentication method. For example, if User A was created with SAML authentication and the authentication method is changed to CloudConnexa (Username/Password), User A will be suspended.

  1. Navigate to Settings > User Authentication.

  2. Click Edit, which is located in the top right corner.

  3. Select the Private LDAP option.

  4. Click Configure.

  5. Enter your LDAP Server Authorization parameters, noting that fields marked with an asterisk are mandatory. Refer to Related LDAP Video.

    Note

    If your LDAP server is configured to use anonymous binding, you only need to enter a BaseDN. Check your LDAP server to ensure that the ANONYMOUS LOGON built-in security principal has propagated to your User Group container (for example, Users) and all of its descendant objects. The Username and UserGroup attributes are required.

    Base DN for search

    An LDAP server uses this starting point when searching your directory for Users to authenticate.

    Bind DN

    An object that you bind to in the LDAP server that permits you to authenticate. In this case, the Bind DN is the User trying to authenticate. The Bind DN is required if anonymous binding is disabled on the LDAP server.

    Password

    A password is required if anonymous binding is disabled on the LDAP server.

  6. Enter the information for User Attribute Mapping.

    Username Attribute

    It is mapped to the CloudConnexa username.

    Caution

    Usernames that include spaces are incompatible with CloudConnexa usernames.

    UserGroup Attribute

    It is mapped to the CloudConnexa User Group name.

    Caution

    Mapping of Microsoft Active Directory Domain Users User Group is unsupported.

    First Name Attribute

    It is mapped as the first name for the CloudConnexa User account.

    Last Name Attribute

    It is mapped as the last name for the CloudConnexa User account.

    Email Attribute

    It is mapped as the email address for the CloudConnexa User account.

  7. Enter the information for your LDAP Server Configuration.

    Primary LDAP Server

    The LDAP server IP address or public domain name. The IP address must belong to a Route in a CloudConnexa Network or equal the Tunnel IP address of a CloudConnexa Host Connector.

    Note

    Private domain names are not supported.

    LDAP Server Connected To

    Select the Network or Host from the drop-down list if you use a hostname for the LDAP server.

    Note

    You must ensure that your DNS server correctly resolves the LDAP server hostname.

    Port

    The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connection with a client.

    Public Certificate

    The SSL certificate of the LDAP server. CloudConnexa supports SSL certificates in the PEM format with .crt, .pem, .cer, and .key file extensions.

  8. Click Add Secondary LDAP Server if you use LDAP server clustering and want to configure an additional one.

  9. Click Next, which is located in the bottom right.

  10. CloudConnexa will try to reach the LDAP Server. An error will be shown if the test of the LDAP Server configuration fails. You will be unable to proceed until the configuration is fixed. Once the test is successful, click Continue to go to the next step: User Group Mapping.

  11. Toggle the User Group Sync from LDAP switch to ON.

  12. Click Add Rule.

  13. Enter the value(s) set in the LDAP User Group attribute and select one of the CloudConnexa User Groups from the drop-down it should map to. Provide a Priority to the rule, with 1 being the highest.

    Note

    If the LDAP provided value matches with multiple rules, the one with the highest priority will be used to map the User to the CloudConnexa User Group. If the value does not match with any of the mapping rules, the User will be mapped to the CloudConnexa User Group configured in the Unmapped LDAP User Groups section.

  14. Click Add Rule.

  15. Click Save And Enable LDAP Auth to enable User authentication with LDAP.

On successful authentication, a User will be created and shown in the Users > Users table with the information received from the LDAP Server and mapped as per the Attribute Mapping configuration and User Group Mapping Rules.
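To make the Attribute Mapping and User Group Mapping Rules concrete, the following added Python example (not CloudConnexa code) builds the User record from a constructed LDAP entry; the LDAP attribute names, rule values, priorities and User Group names are assumptions.

```python
from dataclasses import dataclass
# Attribute Mapping (step 6). Attribute names are assumed AD names, not from the page.
ATTRIBUTE_MAPPING = {
    "username": "sAMAccountName",
    "user_group": "memberOf",
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

@dataclass(frozen=True)
class MappingRule:
    ldap_values: frozenset  # value(s) of the LDAP UserGroup attribute
    user_group: str         # CloudConnexa User Group the rule maps to
    priority: int           # 1 is the highest priority
# Constructed mapping rules (step 13) and the fallback group configured
# in the Unmapped LDAP User Groups section.
RULES = [
    MappingRule(frozenset({"VPN-Admins"}), "Admins", 1),
    MappingRule(frozenset({"VPN-Admins", "Engineering"}), "Engineering", 2),
]
UNMAPPED_USER_GROUP = "Default"

def username_is_supported(username):
    """Caution above: usernames containing spaces are incompatible."""
    return bool(username) and " " not in username

def map_user_group(ldap_values, rules=RULES, unmapped=UNMAPPED_USER_GROUP):
    """Highest-priority (lowest number) matching rule wins; otherwise the
    Unmapped LDAP User Groups setting applies."""
    matches = [r for r in rules if r.ldap_values & set(ldap_values)]
    if not matches:
        return unmapped
    return min(matches, key=lambda r: r.priority).user_group

def build_user(entry, mapping=ATTRIBUTE_MAPPING):
    """Build the CloudConnexa User record from an LDAP entry given as
    {attribute name: [values]}, as shown in Users > Users after first login."""
    first = lambda key: (entry.get(mapping[key]) or [None])[0]
    username = first("username")
    if not username_is_supported(username):
        raise ValueError(f"unsupported or missing username: {username!r}")
    return {"username": username,
            "user_group": map_user_group(entry.get(mapping["user_group"], [])),
            "first_name": first("first_name"), "last_name": first("last_name"),
            "email": first("email")}

# Constructed sample entry (not real directory data).
ALICE = {"sAMAccountName": ["alice"], "memberOf": ["Engineering", "VPN-Admins"],
         "givenName": ["Alice"], "sn": ["Example"], "mail": ["alice@example.com"]}
```

Because alice matches both rules, the priority 1 rule wins and she lands in Admins; a value matching no rule falls back to the Unmapped group.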

Troubleshooting LDAP Configuration

Table 10. Error Messages and Suggested Resolutions

Error message: Cannot resolve domain name. Check your DNS server configuration.
Resolution: Check that the hostname and DNS server information is correct.

Error message: Cannot reach LDAP Server. Check your LDAP Server parameters and that LDAP Server is connected to WPC.
Resolution: Check that the LDAP server port is correct, that it’s not closed on the LDAP server, and that it’s not blocked by a firewall.

Error message: The authentication method is not supported by LDAP. Check your LDAP Server anonymous access.
Resolution: Check that anonymous binding has been enabled on the LDAP server.

Error message: Credentials are invalid. Check your Bind DN and Password.
Resolution: Check that the LDAP server Bind DN and password information are correct.



Tutorial showing how to set LDAP for user authentication