I’m running into more cases of people needed to talk to Windows Active Directory to allow valid users to login to the Sonicwall via the SSL-VPN client.
Select the [Configure LDAP…] button.
Insert the NAME [FQDN] or Local IP address of the AD Server. For the “Give login name/location in tree”, the first time your setting this up, you really need to use the administrator [or AD account that acts as the administrator] and the administrator password.
By using the administrator username and password, your now able to get the Schema and Directory.
After clicking on [Read from Server], and assuming the AD server is allowing LDAP connections, you should be able to fill in the Directory information as obtained from the AD server.
The “User tree for login to server” is important. If your running Windows Standard server, chances are the login will look like “localdomain.com\Users”. If your running Windows Small Business Server, aka SBS, then it would look like “localdomain.com\MyBusiness\Users\SBSUsers”. Remember, localdomain.com would be replaced with the name of your domain on your AD server.
Once you have this initial part working, here’s where we can setup some very nice security.
In the directory that is to hold the users, create a LDAP read only user so we can stop using administrator. Also, you can lock down the LDAP read only user for no password expire. In my example, I will call the LDAP read only user LDAP-Read-Only-User. LDAP-Read-Only-User only requires regular domain user privileges, and set the password to “User cannot change password” and “Password never expires”. The nice part is you can now use this LDAP-Read-Only-User not only for the Sonicwall, but for any other device that needs access to the LDAP in a read only mode [example: Printers, VOIP phones, etc].
Now to test… click on … you guessed it… Test … and to test, you can use LDAP-Read-Only-User since you know the password.
So, to conclude, you only need to use the administrator account to setup the Schema and Directory, but once that is set, change over to a “read only” username and password for optimal security.