
LDAP

Menu path: Configuration > Policies and Access Control > Authentication Sources > Internal > LDAP, or Google Workspace LDAP, or Edirectory.

Three different types of LDAP directories are discussed here: LDAP, Google Workspace LDAP, and Edirectory (the three entries under the menu path above).

This form of authentication uses one or more LDAP domain controllers (as defined by the Associated Realms parameter) to authenticate a user. LDAP is used by A3 to interface with Active Directory. Special preparation is necessary to utilize a Google Workspace directory; see Google Workspace LDAP Integration below.

The fields in an AD/LDAP definition in the General tab are:

| Field Name | Usage | Example |
|---|---|---|
| Name | The name of the authentication source. | CorpAD |
| Description | Optional description of the source. | Corporate AD authentication |
| Host | A comma-separated list of host names or IP addresses of the AD/LDAP controllers to be queried, along with the port to be used and the type of encryption to be applied. The default port for LDAP is 389 and can change based on the type of encryption used. The choices for encryption are None, SSL, and Start TLS. | ad.company.com,ad1.company.com:389 None |
| Dead Duration | The amount of time, in seconds, before the server is considered non-responsive and retried. When specifying multiple LDAP servers or a DNS name pointing to multiple IPs, this option can be used to offer more consistent failover. A value of 0 disables this feature. | 60 |
| Connection Timeout | The timeout, in seconds, for connection establishment to the directory. | 1 |
| Request Timeout | The timeout, in seconds, for a request acknowledgment from the directory. | 5 |
| Response Timeout | The timeout, in seconds, for a response from the directory. | 10 |
| Base DN | The base location in the directory where search queries will be performed. | CN=Users,DC=ah-lab,DC=com |
| Scope | Specifies the extent of the search. The choices are: Base object (only the object at the Base DN); One level (only the objects at the same level as the Base DN); Subtree (all objects beneath the Base DN); Children (the immediate children of the Base DN). | Subtree |
| User Name Attribute | The name of the attribute within the records to match against, chosen from a list of attributes. Usually sAMAccountName. | sAMAccountName |
| Search Attributes | Other attributes that can be used as the username, chosen from a list of attributes. The radiusd server should be restarted using Status>Services if this changes. | |
| Append Search Attributes LDAP filter | Only used for the generic LDAP definition. | |
| Email Attribute | The name of the attribute with the user's email address. | mail |
| Bind DN | The user account that performs the lookup, in distinguished name (DN) format. For Google Workspace integration, this is the access credential's user name provided in Google Workspace LDAP Integration, step 9. | CN=A3User,CN=Users,DC=ah-lab,DC=com |
| Password | The password for the Bind DN. Buttons are provided for visibility and test. The test button checks whether the settings and password are correct. For Google Workspace integration, this is the access credential's password provided in Google Workspace LDAP Integration, step 9. | password |
| Cache Match | If enabled, A3 will cache the results of a matching rule. | Off |
| Monitor | If enabled, A3 will ping the AD server periodically to ensure that it is online and responsive. | Off |
| Shuffle | If there are multiple LDAP/AD servers to query, a random server will be chosen for every lookup request. | Off |
| Associated Realms | The realms associated with the AD authentication source. Realms are discussed in Domains and Realms. | default,null |
| Authentication Rules | Indicates when the authentication is triggered and the actions to be performed when the authentication is satisfied. Authentication rules are covered in detail in Authentication Rules. | |
| Administration Rules | Indicates the administrative actions to be performed when the authentication is satisfied. Administration rules are covered in detail in Administration Rules. | |
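The following is an added example, not A3 code, showing how the General tab values (Host list with optional ports, encryption type, Scope, User Name Attribute, Search Attributes and the appended LDAP filter) translate into what an LDAP client would actually send, including RFC 4515 escaping of the supplied username so it cannot change the filter's structure. It assumes default ports of 389 for None/Start TLS and 636 for SSL, and that the appended filter is combined with the username match using AND.

```python
# Constructed helpers for an A3-style LDAP source; hosts are names or IPv4 addresses.

# Scope choices from the General tab, mapped to the usual LDAP scope names.
SCOPES = {"Base object": "base", "One level": "one",
          "Subtree": "sub", "Children": "children"}

# Assumed default ports per encryption choice (page only states 389 for LDAP).
DEFAULT_PORT = {"None": 389, "Start TLS": 389, "SSL": 636}


def parse_hosts(host_field, encryption):
    """Split 'ad.company.com,ad1.company.com:389' into (host, port) pairs,
    filling in the default port for entries that omit one."""
    pairs = []
    for entry in host_field.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            pairs.append((host, int(port)))
        else:
            pairs.append((entry, DEFAULT_PORT[encryption]))
    return pairs


def escape_filter_value(value):
    """RFC 4515 escaping: *, (, ), \\ and NUL become \\xx hex escapes so a
    username such as 'x)(objectClass=*' stays a literal value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_user_filter(username, username_attr, search_attrs=(), append_filter=""):
    """Match the username against the User Name Attribute and any extra
    Search Attributes (OR), then AND in the appended LDAP filter if set."""
    safe = escape_filter_value(username)
    clauses = ["(%s=%s)" % (attr, safe) for attr in (username_attr, *search_attrs)]
    user_part = clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)
    if append_filter:
        return "(&%s%s)" % (user_part, append_filter)
    return user_part


def search_scope(choice):
    """Validate the Scope drop-down value and return the LDAP scope name."""
    if choice not in SCOPES:
        raise ValueError("unknown scope: %r" % choice)
    return SCOPES[choice]
```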

The fields in an AD/LDAP definition in the Client Certificate tab are:

| Field Name | Usage | Example |
|---|---|---|
| Client Certificate | The path to the client certificate if a client certificate is required. For Google Workspace integration, this is the .crt file text provided in Google Workspace LDAP Integration, step 7. | |
| Client ID | The path to the client key if a client certificate is required. For Google Workspace integration, this is the .key file text provided in Google Workspace LDAP Integration, step 7. | |
| CA File | The path to the file with additional Certificate Authorities. | |

Google Workspace LDAP Integration

  1. Sign in as a Google Workspace domain administrator at http://admin.google.com.
  2. Navigate to Apps > LDAP > Add Client.
  3. Enter an LDAP client name and an optional Description. For example, the name could be "A3" and the description could be "A3 LDAP Client".
  4. Select Continue.
  5. Set Access Permissions according to your requirements. The choices are Entire domain (A3) or Selected organization units for both Verify user credentials and Read user information.
  6. Select Add LDAP Client.
  7. Download the generated certificate. This is required by A3 for communication with the Google Secure LDAP service. Save the downloaded certificate for later use. After downloading, select Continue to Client Details.
  8. Expand the Service Status section and turn the LDAP client ON for everyone. After selecting Save, select the Service Status bar again to collapse the section.
  9. Expand the Authentication section and choose Generate New Credentials. Note these credentials for later use. After selecting Close, click on the Authentication bar again to collapse the section.
Note

The AD/LDAP directory used in the Host parameter must have previously been set up using the Configuration>Active Directory Domains page. See Domains and Realms.

Note

When advised to restart any A3 service, the administrative interface for each cluster member must be used individually to perform the operation. Perform the operation on each member one at a time, waiting for the service(s) to completely restart.

Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.