
User Guide - Private LDAP Authentication

Overview

Abstract

CloudConnexa can be configured to use private LDAP authentication.

This means that the LDAP server is positioned in your private Network, and your Users authenticate with the OpenVPN Connect app using their LDAP username and password credentials.

Prerequisites

Before you can set up private LDAP authentication, you must first either configure a Network and Connector with the same subnet as the LDAP server or create a Host that has a Connector that is installed on the LDAP server. Network and Host Connectors provide an always-on link between the WPC and your Network. In this case, a Connector allows your Users to authenticate with your private LDAP server and sign in to the OpenVPN Connect app.


Steps: Create a Network

  1. Sign in to the CloudConnexa Administration portal at https://cloud.openvpn.com.

  2. Navigate to Networks .

  3. Click Add a Network.

  4. Using CIDR notation, add the Network subnet in which your LDAP server is located.

    Important

    You must add and launch a Connector to allow authentication traffic to flow to and from the LDAP server. For further information on installing a Connector, refer to: Connecting Networks to CloudConnexa Using Connectors.

Steps: Create a Host

  1. Sign in to the CloudConnexa Administration portal at https://cloud.openvpn.com.

  2. Navigate to Hosts.

  3. Click Add a Host.

  4. Add a host record, including a name that helps to define its purpose.

    Important

    You must add and launch a Connector to allow authentication traffic to flow to and from the LDAP server. For further information on installing a Connector, refer to: Connecting Networks to CloudConnexa Using Connectors.

Steps: Add your LDAP server to CloudConnexa

  1. Sign in to the CloudConnexa Administration portal at https://cloud.openvpn.com.

  2. Select Settings > User Authentication and click Edit.

  3. In the Authenticate Users Using section, click Configure under Private LDAP.

  4. Enter your LDAP server parameters, noting that fields marked with an asterisk are mandatory.

    Note

    If your LDAP server is configured to use anonymous binding, you only need to enter a BaseDN. Check your LDAP server to ensure that the ANONYMOUS LOGON built-in security principal has propagated to your User Group container (for example, Users) and all of its descendant objects. The Username and UserGroup attributes are required.

    Bind DN

    An object that you bind to in the LDAP server that gives you permission to authenticate. In this case, the Bind DN is the User trying to authenticate. The Bind DN is required if anonymous binding is disabled on the LDAP server.

    Password

    A password is required if anonymous binding is disabled on the LDAP server.

    Base DN for search

    The starting point that an LDAP server uses when searching your directory for Users to authenticate.

    Username Attribute

    Used for the CloudConnexa account username.

    UserGroup Attribute

    Used for the CloudConnexa User Group name.

    First Name Attribute

    Used as a first name for a CloudConnexa User account.

    Last Name Attribute

    Used as a last name for a CloudConnexa User account.

    Email Attribute

    Used as an email address for a CloudConnexa User account.

  5. Specify the IP address or hostname of your LDAP Server.


    Warning

    At the time of publication, CloudConnexa does not support usernames that include a space character. Usernames with a space character can be imported into CloudConnexa, but can't be configured, edited, or deleted.

    Primary LDAP Server

    The LDAP server IP address or hostname. If connectivity to the LDAP server is being routed through a Network, the LDAP server IP address must belong to the same subnet as the Network. If connectivity to the LDAP server is being routed through a Host, you must enter the Host Connector WPC IP address.

    LDAP Server Connected To

    If you use a hostname for the LDAP server, you must select the Network or Host from the drop-down list.

    Note

    You must ensure that the LDAP server hostname is correctly resolved by your DNS server.

    Port

    LDAP uses a dedicated network port to connect clients and servers. The default port for plain LDAP is 389; LDAPS uses port 636 and establishes TLS/SSL as soon as a client connects.

    Public Certificate

    The LDAP server's SSL certificate (used with LDAPS). CloudConnexa supports SSL certificates in the PEM format with .crt, .pem, .cer, and .key file extensions.

  6. Click Add Secondary LDAP Server if you are using LDAP server clustering and want to configure an additional LDAP server.

  7. Test your LDAP server connectivity once you have finished configuration.

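The Base DN and Username Attribute parameters above describe a directory search: start at the Base DN, find the one entry whose username attribute equals the name typed into OpenVPN Connect, and read back the first name, last name, email and group attributes. The following is an added example, not CloudConnexa code, that builds that search with the Python standard library only. The attribute names sAMAccountName, givenName, sn, mail and memberOf are assumed Active Directory examples; substitute the attributes you configured. It also escapes the typed username per RFC 4515 before placing it in the filter, so that a name containing filter metacharacters cannot change what the search matches, and it rejects usernames with a space character, which the warning above says CloudConnexa cannot manage.

```python
import re

# Added example (not CloudConnexa code). Builds the directory lookup that an
# LDAP client performs with the "Base DN for search" and "Username Attribute"
# parameters. Attribute names such as sAMAccountName, givenName, sn and
# mail are assumed Active Directory examples; substitute your own.

# RFC 4515 escapes for values placed inside an LDAP search filter. Without
# them a username such as "*" or "jdoe)(objectClass=*" would change the
# meaning of the filter (LDAP filter injection).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

_ATTRIBUTE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape a single assertion value for use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_username(username: str) -> str:
    """Reject usernames CloudConnexa cannot manage (see the warning above):
    empty values and values containing a space character."""
    if not username or username != username.strip() or " " in username:
        raise ValueError("username must be non-empty and must not contain spaces")
    return username


def build_user_search(base_dn: str, username_attribute: str, username: str,
                      extra_attributes=("givenName", "sn", "mail", "memberOf")):
    """Return the parameters of the search that locates the account trying
    to authenticate: where to start (Base DN), how deep, which filter, and
    which attributes to read back for the CloudConnexa account fields."""
    if not _ATTRIBUTE_NAME.fullmatch(username_attribute):
        raise ValueError(f"invalid LDAP attribute name: {username_attribute!r}")
    user = validate_username(username)
    return {
        "base": base_dn,
        "scope": "subtree",
        "filter": f"({username_attribute}={escape_filter_value(user)})",
        "attributes": [username_attribute, *extra_attributes],
    }


if __name__ == "__main__":
    # Constructed sample values.
    print(build_user_search("DC=example,DC=com", "sAMAccountName", "jdoe"))
    print(build_user_search("DC=example,DC=com", "sAMAccountName", "jdoe)(objectClass=*"))
```

The second call in the demo shows why the escaping matters: the typed value comes back as `(sAMAccountName=jdoe\29\28objectClass=\2a)`, a filter that matches nothing, rather than one that matches every object under the Base DN.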

Steps: Set up User Group Mapping


After you have completed the LDAP server configuration, you can set up mapping between your LDAP User Groups and the User Groups in CloudConnexa.

If you enable the LDAP parameter User Group Sync, the User Group value is set according to your LDAP configuration.

Add Rule

You can add a mapping rule to match LDAP User Groups and CloudConnexa User Groups.

LDAP User Group(s)

The User Groups in your LDAP directory.

CloudConnexa User Groups

The User Groups in your CloudConnexa account.

Any Users from your LDAP User Groups that aren’t mapped to a CloudConnexa User Group are assigned to the default CloudConnexa User Group. You can specify the default CloudConnexa User Group with the drop-down list.

Note

At the time of publication, User Group mapping is not available for the Microsoft Active Directory Domain Users User Group.

Once you have completed the User Group mapping configuration, click Save And Enable LDAP Auth to enable User authentication with LDAP.
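The mapping rules, the default User Group fallback and the Domain Users restriction described above can be checked offline before LDAP authentication is enabled. The following is an added example, not CloudConnexa code, written in Python with the standard library only. Group and rule names are constructed samples, and the rule that the first matching rule wins is an assumption of this example rather than documented CloudConnexa behaviour.

```python
import re

# Added example (not CloudConnexa code). Applies User Group mapping rules of
# the kind configured above to the groups an LDAP account belongs to.
# Group and rule names are constructed samples; "first matching rule wins"
# is an assumption of this example, not documented behaviour.

# Leading CN of a DN, honouring backslash escapes such as "\," in the value.
_LEADING_CN = re.compile(r"^\s*cn\s*=((?:\\.|[^,\\])*)", re.IGNORECASE)

# Per the note above, the Active Directory Domain Users group cannot be mapped.
UNMAPPABLE_GROUPS = frozenset({"Domain Users"})


def group_name_from_dn(dn: str) -> str:
    """'CN=VPN-Engineering,OU=Groups,DC=example,DC=com' -> 'VPN-Engineering'."""
    match = _LEADING_CN.match(dn)
    if not match:
        raise ValueError(f"not a CN-based group DN: {dn!r}")
    # Drop the escaping backslashes ("Sales\, EMEA" -> "Sales, EMEA").
    return re.sub(r"\\(.)", r"\1", match.group(1)).strip()


def validate_rules(rules):
    """rules: list of (ldap_group_names, cloudconnexa_group) tuples, in the
    order they were added. Rejects rules CloudConnexa cannot apply."""
    for ldap_groups, cc_group in rules:
        bad = UNMAPPABLE_GROUPS.intersection(ldap_groups)
        if bad:
            raise ValueError(f"User Group mapping is not available for {sorted(bad)}")
        if not cc_group:
            raise ValueError("each rule needs a CloudConnexa User Group")
    return rules


def assign_user_group(member_of, rules, default_group):
    """Return the CloudConnexa User Group for an account whose memberOf
    values are `member_of` (group DNs or plain group names)."""
    names = {group_name_from_dn(g) if "=" in g else g for g in member_of}
    for ldap_groups, cc_group in validate_rules(rules):
        if names.intersection(ldap_groups):
            return cc_group
    # Users in no mapped LDAP group fall back to the default User Group.
    return default_group


if __name__ == "__main__":
    # Constructed sample directory data and rules.
    rules = [
        (("VPN-Engineering",), "Engineering"),
        (("VPN-Contractors", "VPN-Vendors"), "Contractors"),
    ]
    member_of = [
        "CN=VPN-Vendors,OU=Groups,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=example,DC=com",
    ]
    print(assign_user_group(member_of, rules, "Default"))
```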

Troubleshooting: Error messages during LDAP configuration

Cannot resolve domain name. Check your DNS server configuration.

  • Check that the hostname and DNS server information is correct.

Cannot reach LDAP Server. Check your LDAP Server parameters and that LDAP Server is connected to WPC.

  • Check that the LDAP server port is correct, that it’s not closed on the LDAP server, and that it’s not blocked by a firewall.

The authentication method is not supported by LDAP. Check your LDAP Server anonymous access.

  • Check that anonymous binding has been enabled on the LDAP server.

Credentials are invalid. Check your Bind DN and Password.

  • Check that the LDAP server Bind DN and password information are correct.
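The four error messages above correspond to checks that fail in a fixed order: name resolution, TCP reachability on the LDAP port, then the bind (anonymous or with a Bind DN and password). The following is an added example, not CloudConnexa code, that runs those checks in that order from a machine with the same network view as the Connector and reports the first message that applies. The DNS and TCP steps use the Python standard library; the bind step is a caller-supplied callable because the page names no LDAP client library, and the server names in the demo are constructed placeholders.

```python
import socket
import sys

# Added example (not CloudConnexa code). Runs the checks behind the error
# messages above in order, so a failure can be attributed to DNS, network
# reachability or the bind before the configuration is saved. The bind step
# is supplied by the caller because the page does not name an LDAP client
# library; server names used in the demo are constructed placeholders.

MSG_DNS = "Cannot resolve domain name. Check your DNS server configuration."
MSG_REACH = ("Cannot reach LDAP Server. Check your LDAP Server parameters "
             "and that LDAP Server is connected to WPC.")
MSG_ANON = ("The authentication method is not supported by LDAP. "
            "Check your LDAP Server anonymous access.")
MSG_CREDS = "Credentials are invalid. Check your Bind DN and Password."


class BindError(Exception):
    """Raised by a bind callable when the LDAP server rejects the bind."""


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP connection to host:port succeeds (389 for LDAP,
    636 for LDAPS); False on refusal, timeout or a firewall drop."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(server, port=389, bind_dn=None, password=None,
             resolve=socket.gethostbyname, reachable=tcp_reachable, bind=None):
    """Return the first matching error message, or None if all checks pass.

    `resolve`, `reachable` and `bind` can be replaced with test doubles.
    `bind(ip, port, bind_dn, password)` must raise BindError on rejection;
    with bind_dn=None it is expected to attempt an anonymous bind.
    """
    try:
        ip = resolve(server)          # hostname or IP literal -> IP address
    except OSError:                   # socket.gaierror is a subclass of OSError
        return MSG_DNS
    if not reachable(ip, port):
        return MSG_REACH
    if bind is not None:
        try:
            bind(ip, port, bind_dn, password)
        except BindError:
            # Anonymous bind refused vs. named Bind DN / password rejected.
            return MSG_ANON if bind_dn is None else MSG_CREDS
    return None


if __name__ == "__main__":
    # Constructed placeholder defaults; pass a real hostname and port instead.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.internal"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    print(diagnose(host, port) or "DNS and TCP checks passed")
```

Run it from the Connector host (or another machine on the LDAP server's subnet) so that the DNS and reachability results reflect the path CloudConnexa will actually use; a success from an unrelated network says nothing about the Connector's view.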