Using LDAP Authentication

Use the information in this section to understand, create, and use LDAP authentication profiles.


How LDAP Authentication Works

Figure 51 illustrates how LDAP authentication can be used to control access to proxy services.

Figure 51


Platforms Supported

The following table summarizes the platforms supported for LDAP authentication:


Table 14.

Network Component    Software Requirements
-----------------    ---------------------
Workstation          Any SSL-capable Internet browser
                     (For NDS single sign-on, Windows 95, 98, NT, or 2000)
Cache Device         Excelerator 2.1 and later
LDAP server          LDAP-compliant database as specified in the profile


Preparing Your Network for LDAP Authentication

Figure 52 summarizes the configuration requirements for LDAP authentication:

Figure 52


Setting Up LDAP Authentication

After you have completed the steps in Preparing Your Network for LDAP Authentication, you can set up an LDAP authentication profile by completing the steps in the following sections.


Creating an LDAP Profile

Complete the following steps:

  1. Define an authentication profile by clicking Cache > Authentication > Insert.

  2. Type a name for the profile in the Authentication Profile Name field.

    IMPORTANT:  Each profile name created on a cache device must be unique. Excelerator doesn't recognize case differences (MyProfile and myprofile are the same name to Excelerator) and it will overwrite and concatenate previously created profiles without warning if a duplicate name is used. For more information, see Authentication Dialog Box.

  3. Select LDAP Authentication > click LDAP Options.

  4. Specify the IP address of the server containing the LDAP-compliant directory in the LDAP Server Address field.

  5. Type the port number on which the LDAP server will listen for requests from the cache device. The default ports are: 389 for non-secure access and 636 for secure (SSL) access.

  6. If the cache device and the server will communicate using SSL, check Enable Secure Access to LDAP Server > click Import Trusted Root > complete the instructions in Importing a Trusted Root to a Cache Device.

    NOTE:  Once you have imported a Trusted Root for one LDAP profile, you can use the same file for multiple LDAP profiles by typing the filename in the LDAP Server Trusted Root File field.

  7. Select an LDAP Login Name Format and complete the instructions in the applicable following section: Use User's E-Mail, Use Distinguished Name, or Use Field Name.


Use User's E-Mail

This option lets users authenticate using their e-mail name stored in the LDAP database. You must specify the LDAP containers from which the e-mail name search should begin and the method the cache device should use to communicate with the LDAP server.

  1. In the Use User's E-mail dialog, create an LDAP search base by clicking Insert and typing an LDAP container from which the e-mail name search should begin.

  2. Insert additional LDAP containers in the search base as required.

  3. If the cache device can authenticate to the LDAP server using anonymous bind, click Use Anonymous Bind for LDAP Search.

  4. If anonymous bind is not enabled on the LDAP server, click Use User Name/Password Bind for LDAP Search > enter the username and password pair through which the appliance will authenticate to the LDAP server before requesting the search.

  5. If you plan to use LDAP groups, complete the instructions in Enabling and Using LDAP Groups. Otherwise, click OK to create the LDAP authentication profile.


Use Distinguished Name

This option lets users authenticate using their LDAP usernames. You can have users enter their fully distinguished (full LDAP context) usernames, or you can provide a list of LDAP contexts so they need only type their usernames.

  1. In the Use Distinguished Name dialog, specify the field name your LDAP directory uses for username information.

    NOTE:  Netscape's iPlanet directory stores usernames in the UID field. Most other LDAP-compliant directories use the CN field. If no value is entered, CN is used by default.

  2. If you want users to be able to log in using only their usernames, insert each of the LDAP contexts of the users who will be authenticating through the authentication profile.

  3. If you plan to use LDAP groups, complete the instructions in Enabling and Using LDAP Groups. Otherwise, click OK to create the LDAP authentication profile.

  4. Click OK.


Use Field Name

This option lets users authenticate using a designated field name stored in the LDAP database. You must specify the field name to be used, the LDAP containers from which the field name search should begin, and the method the cache device should use to communicate with the LDAP server.

  1. In the Use Field Name dialog, type the LDAP field name which users will use to authenticate.

  2. Create an LDAP search base by clicking Insert and typing an LDAP container from which the field name search should begin.

  3. Insert additional LDAP containers in the search base as required.

  4. If the cache device can authenticate to the LDAP server using anonymous bind, click Use Anonymous Bind for LDAP Search.

  5. If anonymous bind is not enabled on the LDAP server, click Use User Name/Password Bind for LDAP Search > enter the username and password pair through which the appliance will authenticate to the LDAP server before requesting the search.

  6. If you plan to use LDAP groups, continue with Enabling and Using LDAP Groups. Otherwise, click OK to create the LDAP authentication profile.
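
The three login name formats above differ in how the name a user types reaches the directory: Use User's E-Mail and Use Field Name turn it into a search under each configured container, while Use Distinguished Name turns it into a bind DN under each configured context. The Python below is an added illustration of that general LDAP client pattern, not Excelerator's own code; the function names, the `mail` attribute, and the sample containers are assumptions. It escapes the typed name (RFC 4515 for filters, RFC 4514 for DNs) so that characters such as `*` or `,` are treated as data.

```python
# Added illustration of generic LDAP client logic; not Excelerator code.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
DN_SPECIALS = '",+;<>\\'


def escape_filter_value(value):
    """Escape a typed login name for use in a search filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape a typed login name for use as a DN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIALS or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def search_requests(field, login, search_bases):
    """Use User's E-Mail / Use Field Name: one search per configured container."""
    flt = "({}={})".format(field, escape_filter_value(login))
    return [(base, flt) for base in search_bases]


def candidate_dns(login, contexts, field=""):
    """Use Distinguished Name: one candidate bind DN per configured context."""
    if not contexts:  # no contexts configured: the user typed the full DN
        return [login]
    rdn = "{}={}".format(field or "CN", escape_dn_value(login))  # CN is the default
    return ["{},{}".format(rdn, ctx) for ctx in contexts]


if __name__ == "__main__":
    bases = ["ou=sales,o=example", "ou=eng,o=example"]  # constructed containers
    for base, flt in search_requests("mail", "jdoe@example.com", bases):  # "mail" is assumed
        print("search", base, flt)
    print(search_requests("uid", "j*", bases)[0])  # wildcard is matched literally
    print(candidate_dns("doe, john", bases, "UID"))
```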


Enabling and Using LDAP Groups

You can designate LDAP groups for authentication to Excelerator proxy services by including the LDAP context (parent container) for target groups. Users who are members of the groups will be able to authenticate using only their username.


Designating the Group Class and/or Attribute Name

Each LDAP-compliant directory uses a different mechanism for implementing group support. If you plan to set access control based on LDAP groups, you must also specify how the target directory's schema defines groups.

  1. In the browser-based management tool, click Cache > Authentication > Insert > LDAP Authentication > Options.

    The two fields, LDAP Object Class Group Name and LDAP User Attribute Member, tell Excelerator the mechanism the target directory's schema uses to designate an LDAP group.

    For example, Active Directory uses the object class name group, and Novell Directory Services uses the name groupofnames.

  2. If the LDAP group object class name is something other than groupofnames (the name used by Novell Directory Services), enter the object class name in the LDAP Object Class Group Name field.

    For example, for Active Directory you must enter the name group.

  3. Enter the user object attribute name designating group membership in the LDAP User Attribute Member field.

    For example, Active Directory uses memberof and Novell Directory Services uses groupmembership.

    This field is required for all LDAP group implementations.

  4. After specifying the required group information, click OK to create the LDAP authentication profile.

  5. Assign the profile to one or more proxy services as described in each service tab section in Using the Cache Panel.


Enabling NDS Single Sign-On for an LDAP Authentication Profile

If your LDAP-compatible directory is NDS e-Directory, you can enable NDS single sign-on by completing the following steps:

  1. Complete the instructions in Setting Up and Enabling NDS (eDirectory) Single Sign-On, then return to this procedure.

  2. At the cache device's System prompt, enter the following commands:

    set authentication name ldap tryndssinglesignon=yes

    set authentication name ldap ndssinglesignonreplytime=seconds

    set authentication name ldap ndssinglesignonnoresponsetime=seconds

    where name is the name of the LDAP profile and seconds represents the time the service will wait for responses from the Novell client and NDS server, respectively.

  3. At the command line, enter

    apply