SonicOS 7.1 Users

Configuring LDAP Setting

  1. Navigate to Device > Users > Settings > Accounting.
  2. Next to Configure LDAP, click Configure.

    The LDAP Configuration page is displayed.

  3. Under the Settings > LDAP servers tab, click Add Server.

    The Settings page displays.

  4. Under Settings, do the following:

    1. Select the one of the LDAP server roles in Role.

      • Primary LDAP server

      • Secondary LDAP server

      • Backup/replica server

    2. In Name or IP Address enter the FQDN or the IP address of the LDAP server against which you wish to authenticate.

      If using a name, be certain it can be resolved by your DNS server. Also, if using TLS with the ‘Require valid certificate from server’ option, the name provided here must match the name to which the server certificate was issued (such as the CN) or the TLS exchange will fail.

    3. In Port Number, select one of the following:

      • Default LDAP over TLS port number (636)
      • Default LDAP port (389)
      • Windows Global Catalog port (3268)

      • Global Catalog over TLS port (3269)

    4. In Server timeout, enter the amount of time, in seconds, that the SonicWALL waits for a response from the LDAP server before timing out.

      Allowable ranges are 1 to 99999 (in case you are running your LDAP server on a VIC-20 located on the moon), with a default of 10 seconds.

    5. In Overall operation timeout (minutes), enter the maximum time to spend on any auto-operation.

    6. Select the Use TLS (SSL), to log in to the LDAP server. This is selected by default.

      It is strongly recommended that TLS be used to protected the username and password information that is sent across the network. Most modern implementations of LDAP server, including AD, support TLS.

    7. Select the Send LDAP ‘Start TLS’ Request.

      Some LDAP server implementations support the Start TLS directive rather than using native LDAP over TLS. This allows the LDAP server to listen on one port (normally 389) for LDAP connections, and to switch to TLS as directed by the client. AD does not use this option, and it should only be selected if required by your LDAP server.

    8. If partitioning has been configured then in the Authentication Partition drop-down menu select the Default.

    9. Click Save.

  5. Under Login/Bind do the following:
    1. Select the Anonymous Login option for some LDAP servers allow for the tree to be accessed anonymously.

      If your server supports this (MS AS generally does not), then you could select this option.

    2. If you select Give login name/location in tree provide the following:

      • In Login user name specify a user name that has rights to log in to the LDAP directory.
      • Select the User tree for login to server when Give login name/location in tree is selected this specifies the tree in the directory that holds the user object for the user account configured there for login (bind) to the LDAP server.

      • The password for the user account in Password.
    3. If you select Give bind distinguished name provide the following:

      • In Bind distinguished name specify a user name.

      • The password for the user account in Password.

    4. In When referred to other servers select one of the following:

      • Bind with this account

      • Bind with an equivalent account on that server (same password)

    5. Click Save.

  6. Under Schema, do the following:
    1. In LDAP Schema, select the predefined schemas will automatically populate the fields used by that schema with their correct values.
      • Microsoft Active Directory

      • RFC2798 InetOrgPerson

      • RFC2307 Network Information Service

      • Samba SMB

      • Novell eDirectory

      • User defined

        Selecting User defined allows you to specify your own value use this only if you have a specific or proprietary LDAP schema configuration.

    2. In Object class, select which attribute represents the individual user account.
    3. In Attributes, enter the following:
      • Enter Login name
      • Enter Qualified login name to specify an attribute of a user object that sets an alternative login name for the user in name@domain format
      • In User group membership enter the information in the user object of which groups it belongs.
      • In Additional user group ID enter the user group id and select Use.

        If the Additional user group ID user attribute is set and its use is enabled (the Use is enabled) then when a user object is found with one or more instances of this attribute, a search for additional user groups matching those will be made in the LDAP directory. If a group is found with the Additional user group match attribute set to that value then the user will also be made a member of that group.

      • In Framed IP address enter the IP address to retrieve a static IP address that is assigned to a user in the directory.

    4. Click Save.

  7. Under Directory, do the following:
    1. In Primary Domain, specify the user domain used by your LDAP implementation.
    2. Click Auto-configure to auto-configure the Trees containing users and Trees containing user groups fields by scanning through the directory/directories looking for all trees that contain user objects.

    3. In Trees containing users add the users. The trees where users commonly reside in the LDAP directory. One default value is provided which can be edited, an up to a total of 64 DN values might be provided, and the SonicWALL search the directory using them all until a match is found, or the list is exhausted. If you have created other user containers within your LDAP or AD directory, you should specify them here.

    4. In Trees containing user groups add the groups. A maximum of 32 DN values might be provided. These are only applicable when there is no user group membership attribute in the schema's user object, and are not used with AD.

    5. Click Save.

  8. Click Apply.
  9. In General Settings do the following:
    1. In the Protocol version from the drop-down menu select either LDAP version 3 or LDAP version 2.
    2. Select Require valid certificate from server when using TLS to validate the certificate presented by the server during the TLS exchange, matching the name specified above to the name on the certificate.

    3. In the Local certificate for TLS to be used only if the LDAP server requires a client certificate for connections.

    4. Click Apply.

The old, weaker ciphers have been deprecated. From SonicOS 7.1, they have been replaced with more secured cipher suites. They are:

  • Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)

  • Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)

  • Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

  • Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)

  • Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)

  • Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (0xc0af)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CCM (0xc0ad)

  • Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CCM_8 (0xc0a3)

  • Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CCM (0xc09f)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (0xc05d)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (0xc061)

  • Cipher Suite: TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 (0xc057)

  • Cipher Suite: TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (0xc053)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

  • Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)

  • Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (0xc0ae)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CCM (0xc0ac)

  • Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CCM_8 (0xc0a2)

  • Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CCM (0xc09e)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (0xc05c)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (0xc060)

  • Cipher Suite: TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 (0xc056)

  • Cipher Suite: TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (0xc052)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

  • Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)

  • Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc073)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077)

  • Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c4)

  • Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 (0x00c3)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

  • Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)

  • Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc072)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc076)

  • Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00be)

  • Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 (0x00bd)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  • Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

  • Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)

  • Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)

  • Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  • Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

  • Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)

  • Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)

  • Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)

  • Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)

  • Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)

  • Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)

  • Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)

  • Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)

  • Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)

  • Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

  • Cipher Suite: TLS_RSA_WITH_AES_256_CCM_8 (0xc0a1)

  • Cipher Suite: TLS_RSA_WITH_AES_256_CCM (0xc09d)

  • Cipher Suite: TLS_RSA_WITH_ARIA_256_GCM_SHA384 (0xc051)

  • Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

  • Cipher Suite: TLS_RSA_WITH_AES_128_CCM_8 (0xc0a0)

  • Cipher Suite: TLS_RSA_WITH_AES_128_CCM (0xc09c)

  • Cipher Suite: TLS_RSA_WITH_ARIA_128_GCM_SHA256 (0xc050)

  • Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

  • Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c0)

  • Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

  • Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00ba)

  • Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  • Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)

  • Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  • Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)

  • Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)

  • Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)

  • Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

  • Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

  • Hidden
  • Hidden

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.
  • Hidden
  • Hidden