About Configuring LDAP Authentication
LDAP authentication is one of the methods that can be configured on Web Gateway for authenticating users.
LDAP stands for Lightweight Directory Access Protocol. Under this protocol, the authentication process on Web Gateway can be integrated with an existing directory service in a network. The directory holds user information, which can be queried and used for authentication.
In addition to authenticating a user, a directory can be queried to find other pieces of information about a user and the groups that a user belongs to. These pieces of information are called attributes.
An entry for a user in, for example, the Microsoft Windows Server Active Directory (Active Directory) usually includes a memberOf attribute holding information about the groups that the user belongs to. An entry for a group usually has a member attribute to hold the group members' user names.
The results returned by lookups for both user and group attributes are stored on Web Gateway as the value of the Authentication.UserGroups property.
LDAP authentication process
The process that integrates user authentication on Web Gateway and a directory on an LDAP server includes the following main steps.
- Web Gateway sends an initial bind request with administrator credentials to the LDAP server.
- If the request is successful, Web Gateway sends a query with the user name that the user submits.
The purpose of this query is to find a distinguished name that the user name is mapped to in the directory on the LDAP server. - If a distinguished name is found, the LDAP server sends it back.
The distinguished name (DN) is a combination of information about a user, a user group, and a network domain provided in an LDAP-style syntax.
For example, for the user name jsmith, the LDAP server sends back the distinguished namecn=John Smith,cn=users,dc=ldap,dc=local
. - Web Gateway sends a second bind request to the LDAP server with the purpose of authenticating the user.
This request includes the distinguished name and the password that the user submitted. - If the request is successful, the user is authenticated.
NOTE: You can record the steps of the authentication process in a tcpdump to review them.
Rule for authenticating a user under LDAP
To configure LDAP authentication on Web Gateway, you must implement a rule that authenticates a user in an integrated process with Web Gateway and a directory on an LDAP server.
The rule set library provides a rule set with a default rule that you can modify and use for this purpose. The modified rule looks as follows:
Name Authenticate with LDAP Criteria Action Authentication.Authenticate<LDAP> equals false –> Authenticate<Default>
The rule applies if a user has not yet been authenticated using the LDAP authentication method.
The settings of the Authentication.Authenticate property in this rule are configured to provide the information that is necessary to run the authentication process successfully, including the IP address of the LDAP server and the administrator credentials for Web Gateway.