Configuring LDAP Servers

The LDAP Servers table lets you configure up to 1,200 LDAP servers. The table defines the address and connectivity settings of the LDAP server. The LDAP server can be configured for SIP-related queries (e.g., routing and manipulation) or LDAP-based management user login authentication and authorization (username-password).

The following procedure describes how to configure an LDAP server through the Web interface. You can also configure it through ini file [LdapConfiguration] or CLI (configure system > ldap-configuration).

When you configure an LDAP server, you need to assign it an LDAP Server Group. Therefore, before you can configure an LDAP server in the table, you must first configure at least one LDAP Server Group in the LDAP Server Groups table (see Configuring LDAP Server Groups).

To configure an LDAP server:
1. Open the LDAP Servers table (Setup menu > IP Network tab > AAA Servers folder > LDAP Servers).
2. Click New; the following dialog box appears:

3. Configure an LDAP server according to the parameters described in the table below.
4. Click Apply.

LDAP Servers Table Parameter Descriptions

Parameter

Description

General

'Index'

[Index]

Defines an index number for the new table row.

Note: Each row must be configured with a unique index.

'LDAP Servers Group'

server-group

[Group]

Assigns the LDAP server to an LDAP Server Group, configured in the LDAP Server Groups table (see Configuring LDAP Server Groups).

Note:

The parameter is mandatory and must be set before configuring the other parameters in the table.
Up to two LDAP servers can be assigned to the same LDAP Server Group.

'LDAP Network Interface'

interface-type

[Interface]

Assigns one of the device's IP Interfaces (see Configuring IP Network Interfaces) through which communication with the LDAP server is done.

By default, no value is defined and the device uses the IPv4 OAMP interface.

Note:

The parameter is mandatory.
The IP address version (IPv4 or IPv6) of the assigned IP Interface and the LDAP server's address (see 'LDAP Server IP' parameter below) must be the same.

'Use TLS'

use-tls

[useTLS]

Enables the device to encrypt the username and password (for Control and Management related queries) using TLS when sending them to the LDAP server.

[0] No = (Default) Username and password are sent in clear-text format.
[1] Yes

'TLS Context'

tls-context

[ContextName]

Assigns a TLS Context (TLS configuration) for the connection with the LDAP server.

By default, no value is defined and the device uses the default TLS Context (ID 0).

To configure TLS Contexts, see Configuring TLS Certificates.

Note: The parameter is applicable only if the 'Use TLS' parameter is configured to Yes.

'Verify Certificate'

verify-certificate

[VerifyCertificate]

Enables certificate verification when the connection with the LDAP server uses TLS.

[0] No = (Default) No certificate verification is done.
[1] Yes = The device verifies the authentication of the certificate received from the LDAP server. The device authenticates the certificate against the trusted root certificate store associated with the associated TLS Context (see 'TLS Context' parameter above) and if ok, allows communication with the LDAP server. If authentication fails, the device denies communication (i.e., handshake fails). The device can also authenticate the certificate by querying with an Online Certificate Status Protocol (OCSP) server whether the certificate has been revoked. This is also configured for the associated TLS Context.

Note: The parameter is applicable only if the 'Use TLS' parameter is configured to Yes.

'Verify Certificate Subject Name'

verify-subject-Name

[VerifySubjectName]

Enables the verification of the TLS certificate subject name (Common Name / CN or Subject Alternative Name / SAN) that is used in the incoming connection request from the LDAP server.

[0] Disable = (Default) No verification is done.
[1] Enable = The device verifies the subject name of the certificate received from the LDAP server with the hostname or IP address configured for the LDAP server. If authentication fails, the device denies communication (i.e., handshake fails).

Note: The parameter is applicable only if the 'Use TLS' parameter is configured to Yes.

Connection

'LDAP Server IP'

server-ip

[LdapConfServerIp]

Defines the IP address (IPv4 or IPv6) of the LDAP server.

By default, no IP address is defined.

Note:

The parameter is mandatory.
If you want to use an FQDN for the LDAP server, leave the parameter undefined and configure the FQDN in the 'LDAP Server Domain Name' parameter (see below).
The IP address version (IPv4 or IPv6) of the LDAP server's address and the assigned IP Interface (see 'LDAP Network Interface' parameter above) must be the same.

'LDAP Server Port'

server-port

[LdapConfServerPort]

Defines the port number of the LDAP server.

The valid value range is 0 to 65535. The default port number is 389.

'LDAP Server Max Respond Time'

max-respond-time

[LdapConfServerMaxRespondTime]

Defines the duration (in msec) that the device waits for LDAP server responses.

The valid value range is 0 to 86400. The default is 3000.

Note:

If the response time expires, you can configure the device to use the Local Users table for authenticating the user. For more information, see Configuring Local Database for Management User Authentication.
Activation of this timeout depends on connection type:
Normal TCP connection: The device starts the timer when it sends the LDAP request. If no response is received from the LDAP server within the configured time, the device closes the connection.
TLS connection: The device first performs the TLS handshake and once negotiation completes, it sends the LDAP request. The device starts the timer only from the first TLS message sent during the handshake (and not from the LDAP request).

'LDAP Server Domain Name'

domain-name

[LdapConfServerDomainName]

Defines the domain name (FQDN) of the LDAP server. The device tries to connect to the LDAP server according to the IP address listed in the received DNS query. If there is no connection to the LDAP server or the connection to the LDAP server fails, the device tries to connect to the LDAP server with the next IP address in the DNS query list.

Note:

If you configure the 'LDAP Server IP' parameter, the 'LDAP Server Domain Name' parameter is ignored. Therefore, if you want to use an FQDN, leave the 'LDAP Server IP' parameter undefined.
The IP address version (IPv4 or IPv6) of the DNS-resolved IP addresses and the assigned IP Interface (see 'LDAP Network Interface' parameter above) must be the same.

'Connection Status'

connection-status

[ConnectionStatus]

(Read-only) Displays the connection status with the LDAP server.

"Not Applicable"
"LDAP Connection Broken"
"Connecting"
"Connected"

For more information about a disconnected LDAP connection, see your syslog messages generated by the device.

Query

'LDAP Password'

password

[LdapConfPassword]

Defines the user password for accessing the LDAP server during connection and binding operations.

LDAP-based SIP queries: The parameter is the password used by the device to authenticate itself, as a client, to obtain LDAP service from the LDAP server.
LDAP-based user login authentication: The parameter represents the login password entered by the user during a login attempt. You can use the $ (dollar) sign in this value to enable the device to automatically replace the $ sign with the user's login password in the search filter, which it sends to the LDAP server for authenticating the user's username-password combination. For example, $.

Note:

The parameter is mandatory.
By default, the device sends the password in clear-text format. You can enable the device to encrypt the password using TLS (see the 'Use TLS' parameter in this table).
The password cannot be configured with wide characters.

'LDAP Bind DN'

bind-dn

[LdapConfBindDn]

Defines the LDAP server's bind Distinguished Name (DN) or username.

LDAP-based SIP queries: The DN is used as the username during connection and binding to the LDAP server. The DN is used to uniquely name an AD object. Below are example parameter settings:
cn=administrator,cn=Users,dc=domain,dc=com
administrator@domain.com
domain\administrator
LDAP-based user login authentication: The parameter represents the login username entered by the user during a login attempt. You can use the $ (dollar) sign in this value to enable the device to automatically replace the $ sign with the user's login username in the search filter, which it sends to the LDAP server for authenticating the user's username-password combination. An example configuration for the parameter is $@sales.local, where the device replaces the $ with the entered username, for example, JohnD@sales.local. The username can also be configured with the domain name of the LDAP server.

Note: By default, the device sends the username in clear-text format. You can enable the device to encrypt the username using TLS (see the 'Use TLS' parameter in this table).

'Management Attribute'

mgmt-attr

[MngmAuthAtt]

Defines the LDAP attribute name to query, which contains a list of groups to which the user is a member. For Active Directory, this attribute is typically "memberOf". The attribute's values (groups) are used to determine the user's management access level; the group's corresponding access level is configured in Configuring Access Level per Management Groups Attributes.

Note:

The parameter is applicable only to LDAP-based login authentication and authorization (i.e., the 'Type' parameter is set to Management).
If this functionality is not used, the device assigns the user the configured default access level. For more information, see Configuring Access Level per Management Groups Attributes.

'No Op Timeout'

noop-timeout

[NoOpTimeout]

 

Defines the timeout (in minutes) of inactivity in the connection between the device and the LDAP server, after which the device sends an LDAP "abandon" request to keep the LDAP connection alive (i.e., LDAP persistent connection).

The valid value to enable this feature is any value greater than 0. The default is 0 (i.e., if there is no activity on the connection, the device doesn't send "abandon" requests and the LDAP server may disconnect).

Note: The parameter is applicable only to LDAP connections that are used for routing (i.e., the 'Type' parameter is configured to Control).