LDAP client authentication failed

Description

One of the most common errors encountered when configuring LDAP is authentication failed. This article will detail what that error means as well as steps to resolving the issue in most LDAP deployments.

Resolution

Authentication to the LDAP server is done through a binding in the form of either a distinguished name or anonymous login. Having an incorrect bind is the most common reason for seeing the Authentication Failed error when attempting to import Users/Groups or test Users/Groups on the SonicWall.

     CAUTION: Not all LDAP deployments support anonymous binding and for security reasons distinguished name is recommended.

     NOTE: The examples in this article will be shown with active directory however all the steps presented will work with and be applicable to any LDAP methodology.

 

Verifying the Bind Account and Settings

  1. Navigate to Users | Settings | Configure LDAP.
  2. On the Settings Tab verify the following information.        
    Name or IP Address: This must point to the LDAP server directly. If necessary verify that the SonicWall can resolve the Server's DNS or simply use an IP address.        
    Port Number: By default this is set to 389 (LDAP) but can be set to 636 (LDAP over TLS). Use 389 when troubleshooting to establish baseline functionality.        
    Server Timeout: Set to 10 Seconds by default. If the LDAP server is reached over a VPN, MPLS, or a routed network then consider increasing this value.        
    Anonymous Login / Login Name / Bind Distinguished Name: Login Name/Distinguished Name can be any User but must be case sensitive.           
      NOTE: When using Active Directory it's usually best to assign a bind the domain admin role. 

    CAUTION: While Special Characters are supported by many LDAP implementations it's best to remove them from any Bind Names and/or Passwords while troubleshooting. 

    Password: It's best to use a simple but secure password for the bind account, longer/complex passwords can cause timeouts between the LDAP server and SonicWall.

 

Verifying the Directory Path

  1. Navigate to Users | Settings | Configure LDAP
  2. On the Directory tab verify the following information.
    Primary Domain: This must exactly match the domain name as shown on the LDAP server. 
    User Tree for Login to Server: This refers to the OU that the Bind resides in. Again this must exactly match what's on the LDAP Server or the SonicWall's bind request will not be authenticated by the server.

 

Configuration Examples

  • In the below examples you can see we're using rowley.com as the Primary Domain and SWAdmin as the Bind. This user resides under rowley.com/Users. This information is then entered on the SonicWall making sure to keep case sensitivity in mind.ImageImage

Related Articles

  • Firewall logs show frequent probe status changes after upgrade
    Read More
  • SSO Agent 4.0: Installation, Configurations, and troubleshooting
    Read More
  • CFS blocks valid sites due to incorrect 64: Not Rated tag
    Read More

Categories

Firewalls
NSa Series
User Login
Firewalls
TZ Series
User Login
Firewalls
NSv Series
User Login
not finding your answers?
Ask the Community
was this article helpful?
YesNo