Ⅰ Key points of LDAP configuration
1. Explanation of common LDAP terms
DN: Distinguished Name. Every entry in the LDAP directory has a unique DN.
A DN is composed of three kinds of attributes: CN (or UID), OU and DC.
LDAP is a communication protocol, just as HTTP is a protocol. Common attribute types in an LDAP directory:
uid (User ID)
CN (Common Name)
DC (Domain Component)
OU (Organizational Unit)
SN (surname)
An LDAP directory is similar to a file system directory tree.
For example, the DN DC=redmond,DC=wa,DC=microsoft,DC=com, compared to a file system, can be regarded as the file path Com/Microsoft/Wa/Redmond (the root component is the rightmost one).
Another example: CN=test,OU=developer,DC=domainname,DC=com
In this DN, cn=test is a user name and ou=developer is an organizational unit in Active Directory.
Read as a whole, the DN says that the object test is in the developer organizational unit of the domainname.com domain, i.e. it gives the exact location of the test object.
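As an added example (not part of the original guide), the following Python parses a DN into its RDN components and reproduces the file-system analogy drawn above. It handles RFC 4514 backslash escapes, so a comma inside a value (for example a CN of "Doe, John") does not split the DN. The DNs used are the guide's own examples; nothing else is assumed.

```python
"""Parse LDAP distinguished names and map them to the file-path analogy.
Added example; the DNs are taken from the guide, the code is not the guide's."""
from typing import Dict, List, Optional, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas. A backslash escapes the next character."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)        # keep the escape; unescape() handles it per value
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def unescape(value: str) -> str:
    """Resolve RFC 4514 escapes: '\\,' -> ',' and hex pairs such as '\\2c' -> ','."""
    out, i = [], 0
    hexdigits = "0123456789abcdefABCDEF"
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute_type, value), ...] from the most specific RDN to the root,
    e.g. [('cn','test'), ('ou','developer'), ('dc','domainname'), ('dc','com')]."""
    rdns = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, _, val = rdn.partition("=")
        rdns.append((attr.strip().lower(), unescape(val.strip())))
    return rdns


def dn_to_path(dn: str) -> str:
    """The file-system analogy from the text: the root (rightmost RDN) comes first."""
    return "/".join(value for _, value in reversed(parse_dn(dn)))


def user_location(dn: str) -> Dict[str, Optional[object]]:
    """Describe a user DN the way the text does: leaf name, OU chain and domain."""
    rdns = parse_dn(dn)
    leaf = next(((a, v) for a, v in rdns if a in ("cn", "uid")), None)
    return {
        "name": leaf[1] if leaf else None,
        "ou": [v for a, v in rdns if a == "ou"],
        "domain": ".".join(v for a, v in rdns if a == "dc"),
    }


if __name__ == "__main__":
    print(dn_to_path("DC=redmond,DC=wa,DC=microsoft,DC=com"))
    print(user_location("CN=test,OU=developer,DC=domainname,DC=com"))
```

The `domain` field joins the DC components with dots, which is how the text reads "DC=domainname,DC=com" as the domainname.com domain.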
2. Key points of firewall LDAP server configuration
1. Normally, select [General] for the binding type.
2. Collect LDAP server information:
1) The DN of an account with administrator authority [full path of the administrator account (DN) = administrator account name (CN or UID) + storage path of the administrator account (DC)] and that account's password. This "administrator" account must at least have query (search) permission over the ordinary accounts that require authentication.
server information:
Firewall configuration:
2) The storage path (DC) of the ordinary accounts and the attribute that identifies an ordinary account (CN or UID). In this example the ordinary account Michael is used.
server information:
Firewall configuration:
3. In normal mode, the authentication process between the firewall and the LDAP server is:
1) The firewall binds to the LDAP server with the configured administrator DN and password (bind is the LDAP authentication operation).
2) After the bind succeeds, the firewall uses the administrator account to search for the DN of the user who actually needs to be authenticated.
3) Once the ordinary user's DN is found, the firewall submits that user's authentication request (a second bind with the user's DN and the password the user entered) to the LDAP server.
4) After that bind succeeds, the LDAP server returns all member entries of the configured group.
5) The RG-WALL checks the returned result: if the user submitted in step 3 is one of the members, authentication succeeds.
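The five-step flow above, written out as an added example (not the firewall's own code) against a small in-memory stand-in for the LDAP server so that it runs offline. The `DirectoryStub` class, the admin account, the user Michael, the password values and the group contents are constructed for illustration; the base DN DC=fei,DC=com and the group CN=rj,OU=rj,DC=fei,DC=com are the ones that appear later in this guide. Each failure mode a practitioner meets when the firewall test fails (admin bind rejected, admin account lacking query permission, user not found under the base DN, wrong user password, user not a group member) is reported separately.

```python
"""Administrator bind -> user search -> user bind -> group membership check.
Added example with a constructed in-memory directory; not the RG-WALL's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    password: Optional[str] = None             # only bindable accounts carry one
    attrs: Dict[str, List[str]] = field(default_factory=dict)
    can_search: bool = False                   # the "query permission" from the text


class DirectoryStub:
    """Constructed stand-in for the LDAP server: bind, search, read a group."""

    def __init__(self, entries: Dict[str, Entry]):
        self.entries = {dn.lower(): e for dn, e in entries.items()}

    def bind(self, dn: str, password: str) -> bool:
        e = self.entries.get(dn.lower())
        return e is not None and e.password is not None and e.password == password

    def search_user(self, bound_dn: str, base_dn: str, cn_attr: str, name: str) -> Optional[str]:
        """Equivalent of searching under base_dn with the filter (cn_attr=name)."""
        if not self.entries[bound_dn.lower()].can_search:
            return None                        # bound account may not query
        for dn, e in self.entries.items():
            values = [v.lower() for v in e.attrs.get(cn_attr, [])]
            if dn.endswith("," + base_dn.lower()) and name.lower() in values:
                return dn
        return None

    def group_members(self, group_dn: str) -> List[str]:
        e = self.entries.get(group_dn.lower())
        return [m.lower() for m in e.attrs.get("member", [])] if e else []


@dataclass
class LdapServerConfig:
    """Mirrors the fields entered on the firewall's LDAP server page."""
    base_dn: str           # "Identification name"
    cn_attr: str           # "Common name": cn or uid
    admin_dn: str          # "User DN"
    admin_password: str
    group_dn: str


def authenticate(d: DirectoryStub, cfg: LdapServerConfig, username: str, password: str) -> Tuple[bool, str]:
    # 1) bind with the configured administrator DN and password
    if not d.bind(cfg.admin_dn, cfg.admin_password):
        return False, "admin bind failed"
    # 2) search for the DN of the user who actually needs authentication
    user_dn = d.search_user(cfg.admin_dn, cfg.base_dn, cfg.cn_attr, username)
    if user_dn is None:
        return False, "user DN not found (check base DN, cn/uid setting, admin query permission)"
    # 3) bind again, this time as the user with the submitted password
    if not d.bind(user_dn, password):
        return False, "user bind failed (wrong password)"
    # 4) read the member entries of the configured group
    members = d.group_members(cfg.group_dn)
    # 5) the user from step 3 must be among the members
    if user_dn not in members:
        return False, "authenticated but not a member of the group"
    return True, f"ok: {user_dn} is a member of {cfg.group_dn}"


# Constructed directory contents (illustrative values only)
DIRECTORY = DirectoryStub({
    "CN=admin,DC=fei,DC=com": Entry(password="admin-pw", attrs={"cn": ["admin"]}, can_search=True),
    "CN=Michael,OU=rj,DC=fei,DC=com": Entry(password="m-pw", attrs={"cn": ["Michael"]}),
    "CN=guest,OU=rj,DC=fei,DC=com": Entry(password="g-pw", attrs={"cn": ["guest"]}),
    "CN=rj,OU=rj,DC=fei,DC=com": Entry(attrs={"cn": ["rj"], "member": ["CN=Michael,OU=rj,DC=fei,DC=com"]}),
})
CONFIG = LdapServerConfig(base_dn="DC=fei,DC=com", cn_attr="cn", admin_dn="CN=admin,DC=fei,DC=com",
                          admin_password="admin-pw", group_dn="CN=rj,OU=rj,DC=fei,DC=com")

if __name__ == "__main__":
    for user, pw in [("Michael", "m-pw"), ("Michael", "bad"), ("guest", "g-pw"), ("nobody", "x")]:
        print(user, authenticate(DIRECTORY, CONFIG, user, pw))
```

The separation of step 3 from step 5 is the security-relevant part: a correct password alone is not enough, the user must also be in the group the firewall policy references, which is why a user with valid LDAP credentials can still be denied Internet access.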
Ⅱ LDAP user authentication
1. Demand
Internet users must be authenticated before they can access the Internet, and the accounts used for authentication are the users stored on the LDAP server.
2. Topology diagram
3. Configuration points
1. Add LDAP server
2. Add user group
3. Configure Internet access policies based on user authentication
4. Configuration steps
1. Add LDAP server
Go to Settings User--Remote--LDAP
Click New to add an LDAP server.
Name: any name you choose.
Server/IP: 192.168.1.102, the IP address of the LDAP server.
Server port: default 389.
Common name: cn; some systems use uid.
Identification name: DC=fei,DC=com // fill in according to the structure of the LDAP directory
Binding type: Regular.
User DN, password: the administrator account on the LDAP server.
After the configuration is complete, click the Test button; it reports whether the connection succeeded.
Verify that the server is working properly:
NGFW # diagnose test authserver ldap ldap test fei!@#
authenticate 'test' against 'ldap' succeeded!
Group membership(s) - CN=rj,OU=rj,DC=fei,DC=com
2. Add user group
Enter System Management--Set User--User Group, click New
Name: webuser, choose any
Select remote server: LDAP
3. Configure Internet access policies based on user authentication
Go to Firewall--Policy--Policy, click New and add an Internet access policy as follows.
Enable the user-authentication-based policy, click Add to select the user group webuser, and set the destination addresses, services, etc.
After adding the user group, the policy is as follows
5. Business testing
When the user opens a browser, the authentication page pops up first; the user enters the user name and password of their LDAP account and can then access the Internet.
View firewall awareness users:
Menu: System Management--Users--Monitor:
Troubleshooting commands:
RG-WALL #diagnose deb enable
RG-WALL #diagnose debug application fnbamd -1 // Note: before running this, upgrading to the P2 version is recommended. On the P1 version you must first enter print cliovrd enable and press Enter. Then have the user log out and log in again; after that you can run the following commands.
Test whether the account is valid:
RG-FW # diagnose test authserver ldap ldap test fei!@# // Authentication type: ldap, server name: ldap, user name: test, password: fei!@#