Setting up LDAP on Sonicwall TZ or NSA devices

I’m running into more cases of people needing to talk to Windows Active Directory to allow valid users to log in to the Sonicwall via the SSL-VPN client.

Select LDAP + Local Users if you want to use both LDAP and Local users [so you can use the local admin account or any other local account via SSL-VPN]

Select the [Configure LDAP…] button.

Insert the NAME [FQDN] or Local IP address of the AD Server. For the “Give login name/location in tree” field, the first time you’re setting this up you really need to use the administrator [or the AD account that acts as the administrator] and the administrator password.

Select LDAP + Local Users if you want to use both LDAP and Local users in the Sonicwall.

By using the administrator username and password, you’re now able to get the Schema and Directory.

Schema… Click on [Read from Server] to obtain AD schema information.

After clicking on [Read from Server], and assuming the AD server is allowing LDAP connections, you should be able to fill in the Directory information as obtained from the AD server.

Here is where we select where the User accounts are kept that we want to verify against. Sonicwall will scan down the Schema tree from that point.

The “User tree for login to server” is important. If you’re running Windows Standard server, chances are the login will look like “localdomain.com\Users”. If you’re running Windows Small Business Server, aka SBS, then it would look like “localdomain.com\MyBusiness\Users\SBSUsers”. Remember, localdomain.com would be replaced with the name of your domain on your AD server.

Once you have this initial part working, here’s where we can setup some very nice security.

In the directory that is to hold the users, create an LDAP read-only user so we can stop using administrator. You can also lock down the LDAP read-only user so its password never expires. In my example, I will call the LDAP read-only user LDAP-Read-Only-User. LDAP-Read-Only-User only requires regular domain user privileges; set the password options to “User cannot change password” and “Password never expires”. The nice part is you can now use this LDAP-Read-Only-User not only for the Sonicwall, but for any other device that needs read-only access to LDAP [example: printers, VOIP phones, etc.].

Change from administrator to LDAP-Read-Only-User for better security.

Now to test… click on … you guessed it… Test … and to test, you can use LDAP-Read-Only-User since you know the password.

Test the LDAP-Read-Only-User or any other user that you know the password of.
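The read-only bind account and the test step above, done from PowerShell on the AD side instead of the GUI. This is an added example, not part of the original post; the domain name, container path and account name are placeholders matching the article, and it assumes the ActiveDirectory module is installed.

```powershell
# Added example (not from the original post): create the least-privilege LDAP bind
# account described above, then verify it can bind and read the user tree.
# Assumptions: ActiveDirectory module present; 'localdomain.com' and the container
# path are placeholders for your own domain and "User tree for login to server".
Import-Module ActiveDirectory

$domainDn = 'DC=localdomain,DC=com'          # placeholder domain
$userOu   = "CN=Users,$domainDn"             # Windows Standard server default container;
                                             # SBS: OU=SBSUsers,OU=Users,OU=MyBusiness,$domainDn
$bindName = 'LDAP-Read-Only-User'
$bindPass = Read-Host -AsSecureString "Password for $bindName"

# Regular domain user only (default Domain Users membership, no admin groups).
# -PasswordNeverExpires and -CannotChangePassword are the two checkboxes the article sets.
New-ADUser -Name $bindName -SamAccountName $bindName `
    -Path $userOu `
    -AccountPassword $bindPass -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Read-only LDAP bind account for SonicWall and other LDAP clients'

# Bind as the new account (not administrator) and read the user tree, which is
# the same check the SonicWall "Test" button performs: bind, then search.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($bindPass))
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$userOu", "localdomain\$bindName", $plain)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.Filter   = '(&(objectClass=user)(sAMAccountName=*))'
$searcher.PageSize = 200
$found = $searcher.FindAll()
"Bound as $bindName; read $($found.Count) user objects under $userOu"

# Confirm the bind account really is an ordinary user: only Domain Users expected.
Get-ADPrincipalGroupMembership $bindName | Select-Object -ExpandProperty Name
```

If the bind fails, check that the domain controller accepts LDAP connections from the host and that the account is enabled, the same two causes the article's Test button surfaces.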

So, to conclude, you only need to use the administrator account to setup the Schema and Directory, but once that is set, change over to a “read only” username and password for optimal security.