User Management
634
SonicOS Enhanced 4.0 Administrator Guide
• Port Number – The default LDAP over TLS port number is TCP 636. The default LDAP
(unencrypted) port number is TCP 389. If you are using a custom listening port on your
LDAP server, specify it here.
• Server timeout – The amount of time, in seconds, that the SonicWALL will wait for a
response from the LDAP server before timing out. Allowable ranges are 1 to 99999 (in case
you’re running your LDAP server on a VIC-20 located on the moon), with a default of 10
seconds.
• Anonymous Login – Some LDAP servers allow for the tree to be accessed anonymously.
If your server supports this (Active Directory generally does not), then you may select this
option.
• Login user name – Specify a user name that has rights to log in to the LDAP directory. The
login name will automatically be presented to the LDAP server in full ‘dn’ notation. This can
be any account with LDAP read privileges (essentially any user account) – Administrative
privileges are not required. Note that this is the user’s name, not their login ID (e.g. John
Smith rather than jsmith).
• Login password – The password for the user account specified above.
• Protocol version – Select either LDAPv3 or LDAPv2. Most modern implementations of
LDAP, including Active Directory, employ LDAPv3.
• Use TLS – Use Transport Layer Security (SSL) to log in to the LDAP server. It is strongly
recommended that TLS be used to protect the username and password information that
will be sent across the network. Most modern LDAP server implementations, including
Active Directory, support TLS. Deselecting this default setting will display an alert that you
must accept to proceed.
• Send LDAP ‘Start TLS’ Request – Some LDAP server implementations support the Start
TLS directive rather than using native LDAP over TLS. This allows the LDAP server to listen
on one port (normally 389) for LDAP connections, and to switch to TLS as directed by the
client. Active Directory does not use this option, and it should only be selected if required
by your LDAP server.
• Require valid certificate from server – Validates the certificate presented by the server
during the TLS exchange, matching the name specified above to the name on the
certificate. Deselecting this default option will present an alert, but exchanges between the
SonicWALL and the LDAP server will still use TLS – only without issuance validation.
• Local certificate for TLS – Optional, to be used only if the LDAP server requires a client
certificate for connections. Useful for LDAP server implementations that return passwords
to ensure the identity of the LDAP client (Active Directory does not return passwords). This
setting is not required for Active Directory.
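Before committing these settings it is worth proving them from a workstation with the OpenLDAP client tools. The following Python is an added example, not part of the guide or of SonicOS: it mirrors the fields above, flags combinations that weaken the connection (TLS off, certificate validation off, StartTLS against the native LDAPS port, LDAPv2), and builds the matching ldapsearch bind test. The class name, the example host and the bind DN are assumptions.

```python
"""Audit SonicWALL-style LDAP settings and build an ldapsearch bind test."""
from dataclasses import dataclass


@dataclass
class LdapSettings:                      # mirrors the fields described above
    server: str
    port: int = 636                      # 636 = LDAP over TLS, 389 = plain/StartTLS
    timeout: int = 10                    # seconds, allowed range 1 to 99999
    anonymous: bool = False
    bind_dn: str = ""                    # login user in full 'dn' notation (assumed value)
    version: int = 3
    use_tls: bool = True
    start_tls: bool = False
    require_valid_cert: bool = True


def audit(s: LdapSettings) -> list[str]:
    """Findings a reviewer would raise; an empty list means the combination is sound."""
    f = []
    if not 1 <= s.timeout <= 99999:
        f.append("server timeout outside the allowed range 1-99999 s")
    if not s.use_tls:
        f.append("Use TLS off: user name and password cross the network in clear")
    elif not s.require_valid_cert:
        f.append("certificate validation off: server identity is not verified")
    if s.use_tls and s.start_tls and s.port == 636:
        f.append("StartTLS on port 636: native LDAPS listeners expect TLS from the first byte")
    if s.version == 2:
        f.append("LDAPv2 selected: Active Directory and modern servers use LDAPv3")
    if not s.anonymous and not s.bind_dn:
        f.append("no login user name given and anonymous login not selected")
    return f


def ldapsearch_command(s: LdapSettings) -> tuple[list[str], dict[str, str]]:
    """OpenLDAP client invocation that binds the way the SonicWALL would (reads the root DSE)."""
    scheme = "ldaps" if s.use_tls and not s.start_tls else "ldap"
    cmd = ["ldapsearch", "-H", f"{scheme}://{s.server}:{s.port}",
           "-o", f"nettimeout={s.timeout}", "-P", str(s.version),
           "-x", "-s", "base", "-b", ""]
    if s.use_tls and s.start_tls:
        cmd.append("-ZZ")                # send StartTLS and fail if the server refuses it
    if not s.anonymous:
        cmd += ["-D", s.bind_dn, "-W"]   # -W prompts, keeping the password off argv
    # LDAPTLS_REQCERT=demand is the client-side equivalent of "Require valid certificate"
    env = {"LDAPTLS_REQCERT": "demand" if s.require_valid_cert else "allow"}
    return cmd, env
```

Run the returned command with the returned environment variable set; a successful bind proves reachability, the TLS mode and the credentials together, and a non-empty audit list is the reason to revisit the settings first.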
If your network uses multiple LDAP/AD servers with referrals, then select one as the
primary server (probably the one that holds the bulk of the users) and use the above
settings for that server. It will then refer the SonicWALL on to the other servers for users in
domains other than its own. For the SonicWALL to be able to log in to those other servers,
each server must have a user configured with the same credentials (user name, password