• SonicOS 7.1
• About SonicOS
  • Working with SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions
• About User Management
  • Using Local Users and Groups for Authentication
    • About User Databases
    • About User Groups
  • Using RADIUS for Authentication
  • Using LDAP/Active Directory/eDirectory Authentication
    • LDAP Terms
    • LDAP Directory Services Supported in SonicOS
    • LDAP User Group Mirroring
      • Integrating LDAP into the SonicOS Network Security Appliance
        • Preparing Your LDAP Server for Integration
        • Configuring the CA on the Active Directory Server
        • Exporting the CA Certificate from the Active Directory Server
        • Importing the CA Certificate into SonicOS
      • LDAP Group Membership by Organizational Unit
  • Using RADIUS
  • Using TACACS+
  • Using Single Sign-On
    • What is Single Sign-On?
    • Benefits of SonicWall SSO
    • Platforms and Supported Standards
    • How Does Single Sign-On Work?
      • SonicWall SSO Authentication Using the SSO Agent
      • SonicWall SSO Authentication Using the Terminal Services Agent
      • SonicWall SSO Authentication Using Browser NTLM Authentication
    • How Does SSO Agent Work?
      • Logging
    • How Does Terminal Services Agent Work?
      • Multiple TSA Support
      • Encryption of TSA Messages and Use of Session IDs
      • Connections to Local Subnets
      • Non-Domain User Traffic from the Terminal Server
    • How Does Browser NTLM Authentication Work?
      • NTLM Authentication of Domain Users
      • NTLM Authentication of Non-Domain Users
      • Credentials for NTLM Authentication in the Browser
    • How Does RADIUS Accounting for Single-Sign-On Work?
      • RADIUS Accounting Messages
      • SonicWall Compatibility with Third-Party Network Appliances
      • Proxy Forwarding
      • Non-Domain Users
      • IPv6 Considerations
      • RADIUS Accounting Server Port
    • Installing the Single Sign-On Agent and/or Terminal Services Agent
      • Installing the SonicWall SSO Agent
      • Installing the SonicWall Terminal Services Agent
        • Accessing the SonicWall Terminal Services Agent
        • Creating a SonicWall TSA Troubleshooting Report
    • Single Sign-On Advanced Features
      • Viewing SSO Mouseover Statistics
      • Using the Single Sign-On Statistics in the TSR
      • Examining the Agent
      • Remedies
    • Configuring Access Rules
      • Automatically Generated Rules for SonicWall SSO
      • Accommodating Mac and Linux Users
        • Using SSO on Mac and Linux With Samba
        • Using SSO on Mac and Linux Without Samba
      • Allowing ICMP Pings from a Terminal Server
    • Managing SonicOS with HTTP Login from a Terminal Server
    • Viewing and Managing SSO User Sessions
      • Logging Out SSO Users
      • Configuring Additional SSO User Settings
      • Viewing SSO and LDAP Messages with Packet Monitor
      • Capturing SSO Messages
      • Capturing LDAP Over TLS Messages
    • Multiple Administrator Support
      • Preempting Administrators
      • Logging in with Administrator Rights
        • Disabling the User Login Status Popup
      • Configuring Multiple Administrator Support
        • Configuring Additional Administrator User Profiles
        • Configuring Administrators Locally when Using LDAP or RADIUS
        • Verifying Multiple Administrators Support Configuration
        • Viewing Multiple Administrator Related Log Messages
• Configuring Users Status
  • Displaying Inactive Users
  • Displaying Unauthenticated Users
  • Displaying the User Count
  • Refreshing the Users List
  • Logging Out Users
    • Logging Out a Single User
    • Logging Out Multiple Users
• Configuring User Settings
  • User Login Settings
    • Setting the Authentication Method for Login
    • Configuring RADIUS Authentication
      • Configuring RADIUS Settings
      • Configuring RADIUS Users Settings
      • Testing RADIUS Settings
    • Configuring LDAP
      • Configuring LDAP Setting
      • Configuring Referrals
      • LDAP User Settings
      • Enabling LDAP Relay
      • Testing LDAP Settings
    • Configuring TACACS+
      • Configuring TACAS+ Settings
      • Configuring TACACS+ User Settings
      • Testing TACACS+ Settings
    • Requiring User Names be Treated as Case-Sensitive
    • Preventing Users From Logging in from More than One Location
    • Forcing Users to Log In Immediately After Changing Their Passwords
    • Displaying User Login Information Since the Last Login
  • Setting the Single-Sign-On Methods
    • Configuring SSO
      • SSO Agents
      • Users
      • Enforcement
      • Terminal Services
      • NTLM
      • RADIUS Accounting
      • 3rd Party API
      • Capture Client
      • Test
  • One-Time Password Settings
  • Configuring the User Web Login Settings
    • Setting the Timeout for the Authentication Page
    • Setting How the Browser is Redirected
    • Managing Redirections to the Login Page
    • Using a CHAP challenge to Authenticate Users
    • Redirecting Unauthenticated Users
    • Authenticating user's multiple IP addresses
  • Adding URLs to Authentication Bypass
  • User Session Settings
    • User Session Settings for SSO-Authenticated Users
    • User Session Settings for Web Login
  • Accounting
    • Configuring RADIUS Accounting
      • Sending RADIUS Accounting Information to Servers
      • Configuring User Accounting
      • Testing RADIUS Accounting
      • Editing RADIUS Servers
      • Deleting RADIUS Servers
    • Configuring TACACS+ Accounting
      • Configuring User Accounting
      • Testing TACACS Accounting
      • Editing TACACS Servers
      • Deleting TACACS Servers
  • [[[Missing Linked File System.LinkedTitle]]]
    • • Post-Login Acceptable Use Policy Example Template
      • Post-Login Acceptable Use Policy Preview Message
• Configuring and Managing Partitions
  • Authentication Partitioning Settings
  • Authentication Partitions
    • Adding Partitions and Subpartitions
    • Editing Partitions
    • Deleting Partitions and Subpartitions
      • Deleting All Partitions
      • Deleting Multiple Partitions
      • Deleting a Single Partition
  • Assigning Servers, Agents, and Clients
    • Manually Assigning Servers, Agents, and Clients
    • Automatically Assigning Servers, Agents, and Clients
  • Partition Selection Policies
    • Adding Partition Policies
    • Deleting Partitions Policies
      • Deleting All Partitions Policies
      • Deleting Multiple Partitions Policies
      • Deleting a Single Partition Policiy
• Configuring Local Users and Groups
  • About Authentication and Passwords
    • Using Two-Factor Authentication
    • Enforcing First Login Password Change
  • Configuring Local Users
    • Quota Control for all Users
    • Viewing Local Users
    • Adding Local Users
      • Configuring Local Users Settings
      • Configuring Local Users Groups
      • Configuring Local Users VPN Access
      • Configuring Local Users User Quota
    • Editing Local Users
  • Configuring Local Groups
    • Adding Local Groups
      • Configuring Local Groups Settings
      • Configuring Local Group Settings Members
      • Configuring Local Group Settings VPN Access
      • Configuring Local Group Settings Administration
    • Editing Local Groups
  • Settings
• Configuring Guest Services
  • Adding Guest Profiles
  • Editing Guest Profiles
  • Deleting Guest Profiles
• Configuring Guest Accounts
  • Adding Guest Accounts
  • Editing Guest Accounts
  • Deleting Guest Accounts
    • Deleting a Guest Account
    • Deleting Multiple Guest Accounts
    • Deleting All Guest Accounts
• Managing Guest Status
  • Logging Out Guests
  • Logging Out All Guests
• SonicWall Support
  • About This Document

Configuring LDAP Setting

1. Navigate to Device > Users > Settings > Accounting.
2. Next to Configure LDAP, click Configure.

   The LDAP Configuration page is displayed.

3. Under the Settings > LDAP servers tab, click Add Server.

   The Settings page displays.

4. Under Settings, do the following:

   1. Select the one of the LDAP server roles in Role.

      • Primary LDAP server

      • Secondary LDAP server

      • Backup/replica server

   2. In Name or IP Address enter the FQDN or the IP address of the LDAP server against which you wish to authenticate.

      If using a name, be certain it can be resolved by your DNS server. Also, if using TLS with the ‘Require valid certificate from server’ option, the name provided here must match the name to which the server certificate was issued (such as the CN) or the TLS exchange will fail.

   3. In Port Number, select one of the following:

      • Default LDAP over TLS port number (636)
      • Default LDAP port (389)

      • Windows Global Catalog port (3268)

      • Global Catalog over TLS port (3269)

   4. In Server timeout, enter the amount of time, in seconds, that the SonicWALL waits for a response from the LDAP server before timing out.

      Allowable ranges are 1 to 99999 (in case you are running your LDAP server on a VIC-20 located on the moon), with a default of 10 seconds.

   5. In Overall operation timeout (minutes), enter the maximum time to spend on any auto-operation.

   6. Select the Use TLS (SSL), to log in to the LDAP server. This is selected by default.

      It is strongly recommended that TLS be used to protected the username and password information that is sent across the network. Most modern implementations of LDAP server, including AD, support TLS.

   7. Select the Send LDAP ‘Start TLS’ Request.

      Some LDAP server implementations support the Start TLS directive rather than using native LDAP over TLS. This allows the LDAP server to listen on one port (normally 389) for LDAP connections, and to switch to TLS as directed by the client. AD does not use this option, and it should only be selected if required by your LDAP server.

   8. If partitioning has been configured then in the Authentication Partition drop-down menu select the Default.

   9. Click Save.

5. Under Login/Bind do the following:
   1. Select the Anonymous Login option for some LDAP servers allow for the tree to be accessed anonymously.

      If your server supports this (MS AS generally does not), then you could select this option.

   2. If you select Give login name/location in tree provide the following:

      • In Login user name specify a user name that has rights to log in to the LDAP directory.

      • Select the User tree for login to server when Give login name/location in tree is selected this specifies the tree in the directory that holds the user object for the user account configured there for login (bind) to the LDAP server.

      • The password for the user account in Password.

   3. If you select Give bind distinguished name provide the following:

      • In Bind distinguished name specify a user name.

      • The password for the user account in Password.

   4. In When referred to other servers select one of the following:

      • Bind with this account

      • Bind with an equivalent account on that server (same password)

   5. Click Save.

6. Under Schema, do the following:
   1. In LDAP Schema, select the predefined schemas will automatically populate the fields used by that schema with their correct values.

      • Microsoft Active Directory

      • RFC2798 InetOrgPerson

      • RFC2307 Network Information Service

      • Samba SMB

      • Novell eDirectory

      • User defined

        Selecting User defined allows you to specify your own value use this only if you have a specific or proprietary LDAP schema configuration.

   2. In Object class, select which attribute represents the individual user account.
   3. In Attributes, enter the following:
      • Enter Login name
      • Enter Qualified login name to specify an attribute of a user object that sets an alternative login name for the user in name@domain format
      • In User group membership enter the information in the user object of which groups it belongs.
      • In Additional user group ID enter the user group id and select Use.

        If the Additional user group ID user attribute is set and its use is enabled (the Use is enabled) then when a user object is found with one or more instances of this attribute, a search for additional user groups matching those will be made in the LDAP directory. If a group is found with the Additional user group match attribute set to that value then the user will also be made a member of that group.

      • In Framed IP address enter the IP address to retrieve a static IP address that is assigned to a user in the directory.

   4. Click Save.

7. Under Directory, do the following:
   1. In Primary Domain, specify the user domain used by your LDAP implementation.

   2. Click Auto-configure to auto-configure the Trees containing users and Trees containing user groups fields by scanning through the directory/directories looking for all trees that contain user objects.

   3. In Trees containing users add the users. The trees where users commonly reside in the LDAP directory. One default value is provided which can be edited, an up to a total of 64 DN values might be provided, and the SonicWALL search the directory using them all until a match is found, or the list is exhausted. If you have created other user containers within your LDAP or AD directory, you should specify them here.

   4. In Trees containing user groups add the groups. A maximum of 32 DN values might be provided. These are only applicable when there is no user group membership attribute in the schema's user object, and are not used with AD.

   5. Click Save.

8. Click Apply.
9. In General Settings do the following:
   1. In the Protocol version from the drop-down menu select either LDAP version 3 or LDAP version 2.

   2. Select Require valid certificate from server when using TLS to validate the certificate presented by the server during the TLS exchange, matching the name specified above to the name on the certificate.

   3. In the Local certificate for TLS to be used only if the LDAP server requires a client certificate for connections.

   4. Click Apply.

The old, weaker ciphers have been deprecated. From SonicOS 7.1, they have been replaced with more secured cipher suites. They are:

• Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)

• Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)

• Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

• Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

• Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)

• Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)

• Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)

• Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (0xc0af)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CCM (0xc0ad)

• Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CCM_8 (0xc0a3)

• Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CCM (0xc09f)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (0xc05d)

• Cipher Suite: TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (0xc061)

• Cipher Suite: TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 (0xc057)

• Cipher Suite: TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (0xc053)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

• Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

• Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)

• Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (0xc0ae)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CCM (0xc0ac)

• Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CCM_8 (0xc0a2)

• Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CCM (0xc09e)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (0xc05c)

• Cipher Suite: TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (0xc060)

• Cipher Suite: TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 (0xc056)

• Cipher Suite: TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (0xc052)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)

• Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

• Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)

• Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc073)

• Cipher Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077)

• Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c4)

• Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 (0x00c3)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

• Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

• Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)

• Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc072)

• Cipher Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc076)

• Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00be)

• Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 (0x00bd)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

• Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

• Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

• Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)

• Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)

• Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

• Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

• Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

• Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)

• Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)

• Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)

• Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)

• Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)

• Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)

• Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)

• Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)

• Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)

• Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)

• Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

• Cipher Suite: TLS_RSA_WITH_AES_256_CCM_8 (0xc0a1)

• Cipher Suite: TLS_RSA_WITH_AES_256_CCM (0xc09d)

• Cipher Suite: TLS_RSA_WITH_ARIA_256_GCM_SHA384 (0xc051)

• Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

• Cipher Suite: TLS_RSA_WITH_AES_128_CCM_8 (0xc0a0)

• Cipher Suite: TLS_RSA_WITH_AES_128_CCM (0xc09c)

• Cipher Suite: TLS_RSA_WITH_ARIA_128_GCM_SHA256 (0xc050)

• Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

• Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c0)

• Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

• Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00ba)

• Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

• Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)

• Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

• Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)

• Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)

• Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)

• Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

• Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)