6.3.1. LDAP connector

The LDAP connector allows you to:

  • Get information about users and groups from Active Directory or other LDAP servers, including FreeIPA LDAP servers. LDAP users and groups can then be used in different security rules.

  • Authorize users via an Active Directory or FreeIPA domain using the Captive portal, Kerberos or NTLM.

To create a new authentication server based on Active Directory, click Add, select Add LDAP connector, and then specify the following parameters:

Enabled
    Enables or disables usage of the specified authentication server.

Name
    Name of the authentication server.

SSL
    Specifies whether an SSL connection is used for communication with the LDAP server.

LDAP domain name or IP address
    IP address of the domain controller or its domain name (FQDN). When a domain name is used, UserGate retrieves the IP addresses of the domain controllers via DNS queries.

Bind DN ("login")
    Username for connecting to the LDAP server. The username must be in the DOMAIN\username or username@domain format. This user must already exist in the domain.

Password
    Password of the user used for connecting to the domain.

LDAP domains
    List of the domains handled by the domain controller, e.g. the domains of an Active Directory tree or forest. You may also add a NetBIOS domain name here.

    This list may be displayed on the authorization page of the Captive portal. For details on the Captive portal, please refer to Configuring a Captive portal.

Kerberos keytab
    You can upload a Kerberos keytab file here to set up Kerberos-based authentication. For more details on Kerberos, please refer to Kerberos authentication.

    Important! It is highly recommended that you upload a keytab file even when you do not need Kerberos-based authentication. In this case, the uploaded keytab file is used to retrieve users and groups from LDAP servers via Kerberos, which dramatically reduces the workload on the AD servers. When there are 1,000+ elements in AD, uploading a keytab file for Kerberos is mandatory.

Once the server is created, check whether all parameters are correct by clicking Check connection. If all parameters are correct, the system confirms this; otherwise it displays an error message.
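The following is an added example, not part of this Guide and not UserGate's own code: an offline pre-flight check of the connector parameters listed above, written in Python. It models the form as a small dataclass (the class and field names are assumptions), validates the Bind DN against the two login formats the Guide requires, derives the LDAP URL and port implied by the SSL switch, decides whether the host is a literal IP or an FQDN for which domain controllers must be located through DNS, and flags a missing keytab using the 1,000-element threshold stated above. The `_ldap._tcp.dc._msdcs.<domain>` SRV record name is the standard Active Directory DC locator record; the Guide itself only says that DNS queries are used, so treating that record as the query UserGate makes is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# DOMAIN\username (NetBIOS style) or username@domain (UPN style), as required by the Guide.
BIND_DN_NETBIOS = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*\\[^\\@\s]+$")
BIND_DN_UPN = re.compile(r"^[^\\@\s]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


@dataclass
class LdapConnector:
    """Constructed model of the LDAP connector form; field names are assumptions."""
    name: str
    host: str                         # "LDAP domain name or IP address"
    bind_dn: str                      # DOMAIN\username or username@domain
    password: str
    ssl: bool = True
    domains: List[str] = field(default_factory=list)   # "LDAP domains"
    keytab_uploaded: bool = False     # "Kerberos keytab"
    expected_objects: int = 0         # rough number of users and groups in the directory


def validate_bind_dn(bind_dn: str) -> bool:
    """True if the login is in DOMAIN\\username or username@domain form."""
    return bool(BIND_DN_NETBIOS.match(bind_dn) or BIND_DN_UPN.match(bind_dn))


def is_ip_address(host: str) -> bool:
    """Distinguish a literal IPv4/IPv6 address from a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ldap_url(connector: LdapConnector) -> str:
    """Scheme and port implied by the SSL switch: 636 for LDAPS, 389 for plain LDAP."""
    scheme, port = ("ldaps", 636) if connector.ssl else ("ldap", 389)
    return f"{scheme}://{connector.host}:{port}"


def dc_locator_srv_name(connector: LdapConnector) -> Optional[str]:
    """For an FQDN, return the AD DC locator SRV record that would be queried to find
    domain controllers (assumed query); for a literal IP no DNS lookup is needed."""
    if is_ip_address(connector.host):
        return None
    return f"_ldap._tcp.dc._msdcs.{connector.host.rstrip('.')}"


def check_connector(connector: LdapConnector) -> List[str]:
    """Offline check mirroring the parameter rules above. Returns a list of findings;
    an empty list means the form is internally consistent (it does not replace the
    on-device Check connection button, which actually binds to the server)."""
    findings = []
    if not connector.name.strip():
        findings.append("Name is empty")
    if not validate_bind_dn(connector.bind_dn):
        findings.append("Bind DN must be DOMAIN\\username or username@domain")
    if not connector.password:
        findings.append("Password is empty")
    if not connector.domains:
        findings.append("No LDAP domains listed")
    if not connector.ssl:
        findings.append("SSL disabled: bind credentials travel in clear text")
    if not connector.keytab_uploaded:
        if connector.expected_objects >= 1000:
            findings.append("Keytab is mandatory for 1,000+ directory objects")
        else:
            findings.append("No keytab: user/group retrieval will not use Kerberos")
    return findings


if __name__ == "__main__":
    # Constructed sample connector; values are placeholders, not a real environment.
    sample = LdapConnector(name="AD corp", host="corp.example", bind_dn="CORP\\svc-ldap",
                           password="placeholder", ssl=True,
                           domains=["corp.example", "CORP"], keytab_uploaded=True)
    print(ldap_url(sample), dc_locator_srv_name(sample), check_connector(sample))
```

Run it before filling in the form: every finding corresponds to a parameter the Guide says must be set, and the SSL and keytab findings are the two that Check connection will not catch, since a plain-text bind or a keytab-less connector still connects successfully.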

This completes the LDAP connection setup. To authorize LDAP users, you also need to set up identification by username/password (create rules for the Captive portal). For more details on the Captive portal, please refer to the next chapters of this Guide.