Configuring LDAP authentication to a Windows 2003 Active Directory Server

Article:TECH83930  |  Created: 2005-01-30  |  Updated: 2006-01-21  |  Article URL http://www.symantec.com/docs/TECH83930
Article Type
Technical Solution


Issue



You need to configure LDAP authentication to a Windows 2003 Server instead of using the Active Directory authentication server type.


Solution




Before you begin: You do not need to make changes on your Active Directory server. You need to know the name and container of an administrative user that can access user accounts and browse your Active Directory server's LDAP tree.


Overview
To configure your security gateway to use LDAP to authenticate users against your Active Directory, you must make the following changes to your security gateway:
  • Create a host record for the Active Directory server.
  • Configure a new authentication server.
  • Create an authentication scheme.

To create a host record for your Active Directory server
  1. On the Active Directory Server, on the Windows desktop, right-click My Computer, and then click Properties.
  2. In the Properties dialog box, on the Computer Name tab, to the right of "Full computer name," find the name of the computer.
  3. Write down the name of the computer.
  4. In the Security Gateway Management Interface (SGMI), in the left pane, under Assets, click Network.
  5. On the DNS tab, add a host record that uses the fully qualified domain name (the name that you wrote down in step 3) and IP address of your Active Directory server.
  6. Click OK.
  7. In the SGMI, on the toolbar, click the Activate icon.
  8. When you are asked to save your changes, click Yes.

Your host record is created.

To create the authentication server
  1. In the SGMI, in the left pane, under Assets, click Authentication Servers.
  2. On the Authentication Servers tab, click New > LDAP.
  3. In the Properties dialog, on the General tab, configure the following attributes:

    Attribute         Value
    Name              Server name. This value is only used on the security gateway.
    SSL-based         Leave this box unchecked.
    Primary Server    Fully qualified domain name of the Active Directory server.
    Port              389
       
  4. On the Search Parameters tab, in the Base DN (search root) box, type the base DN for your Active Directory.
    All queries start at the base DN level of your domain tree. For example, if your Active Directory domain is symantecexample.com, your base DN is "dc=symantecexample, dc=com".
  5. Optionally, in the Search Filter box, type the following filter:

    &(objectclass=user)(objectcategory=person)

  6. Under "Group membership information used in queries," click User DN.
  7. On the Schema tab, configure the following attributes:

    Attribute                           Value
    Use Standard LDAPv3 person class    Leave this box unchecked.
    User Object Class                   user
    User ID attribute                   sAMAccountName
    Group object class                  group
    Primary group attribute             cn
    Group member attribute              Member
       
  8. On the Bind tab, configure the following attributes:

    Attribute                                                               Value
    Authenticate to the server using Distinguished Name (DN) and password   Check this box if you want to enable this option.
    Server Authentication DN                                                cn=<admin user name>, cn=users, dc=<domain>, dc=<top-level domain>
    Server Authentication password                                          The password for your administrator account.

    In this DN, <admin user name> is the user name for your administrator, <domain> is the base name for your domain (for example, "symantecexample"), and <top-level domain> is the top-level domain name (for example, "com").
  9. Click OK.
  10. In the SGMI, on the toolbar, click the Activate icon.
  11. When you are asked to save your changes, click Yes.


Note: An LDAP query to Active Directory does NOT return the PrimaryGroupID attribute of any user (only the "Active Directory" authentication server type returns this attribute). This is because the PrimaryGroupID is a calculated integer value, and retrieving it requires an intricate LDAP query. Because the default Active Directory primary group is "Domain Users", that group is NOT returned by the Active Directory server during an LDAP query. When a rule is restricted to groups, and the group in use happens to be the primary group of the user(s), the rule fails.

Your authentication server configuration is complete.
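The settings above (base DN, the optional search filter, sAMAccountName as the user ID attribute, the group member attribute, and the administrator bind DN) together determine the LDAP queries the gateway sends. The following Python script is an added example, not part of this article or of the security gateway's own code; it composes those queries from the article's values, escapes the login name per RFC 4515 so that a user-typed name cannot alter the filter, and escapes the administrator name per RFC 4514 when building the bind DN. Function names such as `user_search_filter` and `bind_dn` are this example's own.

```python
"""Compose the LDAP search filters and bind DN implied by the article's
authentication-server settings, with RFC 4515/4514 escaping.

Added example; not code from the Symantec article or the gateway.
"""

# Search filter from the article's Search Parameters tab.
BASE_FILTER = "&(objectclass=user)(objectcategory=person)"
# Schema tab values from the article.
USER_ID_ATTRIBUTE = "sAMAccountName"
GROUP_OBJECT_CLASS = "group"
GROUP_MEMBER_ATTRIBUTE = "member"

# RFC 4515 section 3: characters that must appear as \XX inside an
# assertion value.  Backslash is first so its own escape is not re-escaped.
_FILTER_ESCAPES = (
    ("\\", "\\5c"),
    ("*", "\\2a"),
    ("(", "\\28"),
    (")", "\\29"),
    ("\x00", "\\00"),
)

# RFC 4514 section 2.4: characters that need a backslash inside an RDN value.
_DN_SPECIAL = ',+"\\<>;'


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    for raw, escaped in _FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def escape_dn_value(value: str) -> str:
    """Escape a value for use inside a DN's RDN (RFC 4514)."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def base_dn_from_domain(domain: str) -> str:
    """symantecexample.com -> dc=symantecexample,dc=com.

    The article writes the DN with a space after each comma; this example
    emits the compact form, which Active Directory also accepts."""
    labels = [label for label in domain.strip(".").split(".") if label]
    return ",".join(f"dc={label}" for label in labels)


def bind_dn(admin_user: str, domain: str) -> str:
    """Server Authentication DN from the article's Bind tab:
    cn=<admin user name>, cn=users, dc=<domain>, dc=<top-level domain>."""
    return f"cn={escape_dn_value(admin_user)},cn=users,{base_dn_from_domain(domain)}"


def user_search_filter(login: str) -> str:
    """Filter that finds the account whose sAMAccountName equals the login.

    The login is supplied by the person authenticating, so it is escaped
    before it is spliced into the filter."""
    return f"({BASE_FILTER}({USER_ID_ATTRIBUTE}={escape_filter_value(login)}))"


def group_search_filter(user_dn: str) -> str:
    """Filter that lists the groups whose member attribute holds the user's DN.

    This is the 'User DN' membership lookup the article selects.  As the
    article's note says, it does not return the user's primary group
    (by default Domain Users), because that membership is not stored in
    the group's member attribute."""
    return (f"(&(objectclass={GROUP_OBJECT_CLASS})"
            f"({GROUP_MEMBER_ATTRIBUTE}={escape_filter_value(user_dn)}))")


if __name__ == "__main__":
    # Constructed sample values, not from any real directory.
    print(bind_dn("Administrator", "symantecexample.com"))
    print(user_search_filter("jsmith"))
    print(user_search_filter("*)(sAMAccountName=*"))   # hostile input stays inert
    print(group_search_filter("cn=jsmith,cn=users,dc=symantecexample,dc=com"))
```

Run it stand-alone to see the escaped output; the third line shows that a login name containing filter metacharacters is reduced to a literal string match rather than changing the filter's structure.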


Create an authentication scheme
If your users do not have static authentication accounts on your security gateway, then you must create a dynamic authentication scheme. If your users have accounts on the security gateway, then you can create an authentication scheme as you normally would and use the authentication server that you created in the previous procedure.

To create the dynamic authentication scheme
  1. In the SGMI, in the left pane, under Assets, click Authentication Servers.
  2. In the right pane, on the Schemes tab, click New.
  3. In the Properties dialog box, in the Scheme name text box, type dynamic
    The scheme name for this scheme is case-sensitive; you must use all lowercase letters.
  4. In the Authentication column, check the box next to the server that you created in the previous procedure.

Your authentication scheme configuration is complete.


Restrict access based on group membership
You can restrict your users' access to resources according to the groups in the Active Directory to which they belong. To restrict user access according to group membership, you must check the "Group Information" box next to the server in your authentication scheme.

After you enable group information on your scheme, you must create a user group on your security gateway. The group on the security gateway must use the following name convention:

<authentication server name>-<group name>

where <authentication server name> is the name of the authentication server that you created and <group name> is the name of the group. For example, to use the "http" group on an Active Directory for which you created an authentication server named "ADServer," give the security gateway group the name "ADServer-http."

After you create the group, you must add the group to the Included User Groups column in your rule properties.

When your user authenticates with the security gateway, the security gateway queries the authentication server for group information. If the group information query returns a null value (for example, when the user is not a member of any group on the server), then the security gateway takes the following actions:
  • If the security gateway does not have a user group named "<scheme name>-none" (where <scheme name> is the name of your authentication scheme), then the security gateway creates a log message to notify you that the authentication failed and that no "<scheme name>-none" group exists. For example, using the "dynamic" authentication scheme, the group is named "dynamic-none".
  • If the "<scheme name>-none" group exists but no unrestricted rules or rules that use the "<scheme name>-none" group exist, then the authentication fails.


Note: When the query returns a null value, the group that the security gateway uses for authentication is the "<scheme name>-none" group. However, when the group information query returns a value, the security gateway uses a group that is named for the authentication server in the format "<authentication server name>-<group name>". For example, you use the dynamic authentication method to connect with your Active Directory server named "ADServer." The Active Directory server has a group that is named "http." Queries that return null values use the "dynamic-none" group. Queries that return the "http" group use the "ADServer-http" user group.


Unrestricted authentication
If you do not enable your scheme to use group information, then you must create a "<scheme name>-none" group on your security gateway. For example, when you use the dynamic authentication scheme with no group restrictions, you must have a group on the security gateway that is named "dynamic-none." You do not need to use this group in your rules.
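The group naming rules in the preceding sections ("<authentication server name>-<group name>" when the query returns groups, "<scheme name>-none" when it returns null or group information is disabled, and a logged failure when the "-none" group is missing) are easy to misconfigure. The Python model below is an added example, not the gateway's own logic or code from this article; it applies those rules to a rule's Included User Groups so you can check which group a user would land in before you activate the configuration. `GatewayConfig`, `gateway_groups_for` and `authorize` are this example's own names, and the sample values (server "ADServer", scheme "dynamic", group "http") are the article's illustrations.

```python
"""Model the gateway's group-name mapping from the article:
"<server>-<group>" for a non-null group query, "<scheme>-none" otherwise,
with the logged failure when the "-none" group does not exist.

Added example; not the security gateway's code.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class GatewayConfig:
    server_name: str                      # authentication server, e.g. "ADServer"
    scheme_name: str                      # authentication scheme, e.g. "dynamic"
    group_info_enabled: bool              # "Group Information" box on the scheme
    gateway_groups: Set[str]              # user groups defined on the gateway
    log: List[str] = field(default_factory=list)


def gateway_groups_for(cfg: GatewayConfig, ad_groups: List[str]) -> List[str]:
    """Map the directory's answer to the gateway group name(s) it selects.

    With group information disabled the query result is never used, so the
    user always lands in "<scheme>-none", exactly as for a null result."""
    if not cfg.group_info_enabled or not ad_groups:
        return [f"{cfg.scheme_name}-none"]
    return [f"{cfg.server_name}-{g}" for g in ad_groups]


def authorize(cfg: GatewayConfig, ad_groups: List[str],
              rule_included_groups: Set[str],
              rule_unrestricted: bool = False) -> Tuple[str, str]:
    """Return (decision, reason) for one rule, following the article's null handling."""
    candidates = gateway_groups_for(cfg, ad_groups)
    none_group = f"{cfg.scheme_name}-none"

    # Null result and no "<scheme>-none" group: the gateway logs and fails.
    if candidates == [none_group] and none_group not in cfg.gateway_groups:
        cfg.log.append(f'authentication failed: no "{none_group}" group exists')
        return "deny", f"missing {none_group}"

    # An unrestricted rule accepts any authenticated user.
    if rule_unrestricted:
        return "allow", "unrestricted rule"

    # Otherwise one of the candidate groups must be in Included User Groups.
    matched = [g for g in candidates if g in rule_included_groups]
    if matched:
        return "allow", f"matched {matched[0]}"
    return "deny", "no candidate group is in the rule's Included User Groups"


if __name__ == "__main__":
    # Constructed configuration using the article's sample names.
    cfg = GatewayConfig("ADServer", "dynamic", True, {"ADServer-http", "dynamic-none"})
    print(authorize(cfg, ["http"], {"ADServer-http"}))        # allow
    print(authorize(cfg, [], {"ADServer-http"}))              # deny: only dynamic-none applies
    print(authorize(cfg, [], set(), rule_unrestricted=True))  # allow
    missing = GatewayConfig("ADServer", "dynamic", True, {"ADServer-http"})
    print(authorize(missing, [], {"ADServer-http"}), missing.log)
```

Remember the article's note when reading the output: a user whose only relevant membership is the primary group (by default Domain Users) arrives here with an empty group list, so a rule restricted to "ADServer-Domain Users" would deny that user even though the group exists on the directory.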


Use and test the authentication
You can use the authentication method in rules, user groups for client VPN access, or roles for clientless VPN access. Make sure to activate your changes after you apply the authentication to one or more of these controls.

To test and troubleshoot your authentication method, you can use the cmdlinelogin tool within an SSH connection to your appliance.



References
For information about the cmdlinelogin tool, read "How to test authentication from the command line."





Legacy ID
2005113011151954

