Configuring LDAP authentication
Updated: February 1, 2011
Applies To: Unified Access Gateway
This topic describes how to configure an LDAP authentication server on Forefront Unified Access Gateway (UAG).
To configure an LDAP authentication server
In the Forefront UAG Management console, on the Admin menu, click Authentication and Authorization Servers.
On the Authentication and Authorization Servers dialog box, click Add.
In the Server type list, click Netscape LDAP Server, and on the Add Authentication Server dialog box, configure the server settings.
In Server name, enter the name of the server or repository. This name is used when you select the server or repository during the configuration of Forefront UAG. It is also displayed to end-users when they are prompted to select a server during authentication.
In the Connection settings area, click Define, and then on the Servers dialog box, enter the Primary server and Secondary server settings:
IP address/host—IP address or host name of the Netscape LDAP server.
If you select to use an HTTPS port by selecting the Connect to the server using SSL/TLS check box, you must define the domain controller by using the FQDN that is defined in the LDAP server certificate. The Active Directory FQDN of the domain controller appears in the server certificate in either the Common Name (CN) in the Subject field or the DNS entry in the Subject Alternative Name extension.
For details, see How to enable LDAP over SSL with a third-party certification authority (https://go.microsoft.com/fwlink/?LinkId=153598).
Port—Port number of the Netscape LDAP server.
If the port is an HTTPS port, select the Connect to the domain controller using SSL/TLS check box.
Tip
If the authentication server uses a secure port, Forefront UAG uses a secure connection, even if you do not configure a secure port.
In the Search settings area, select how to search for the groups and users that are used for authentication and authorization, as follows:
Next to the Base DN list, click Browse (...), and on the Search Root (Base DN) dialog box, select the search root under which to search for groups and users. You can select the search root in two ways:
From the drop-down list, select one of the search roots.
In Base DN, enter a custom value for the search root.
To include subfolders in the search you define in Base DN, select the Include subfolders check box.
Level of nested groups—Defines whether to search for the user in additional groups to which the user belongs, and the number of nested groups in which to search:
Using the default value, which is 0, the search includes only the groups to which the user belongs directly. For example, if the user John is a member of group QA, the search includes the group QA, but not any of the groups to which QA belongs.
If you enter a value other than 0 in this field, it defines the number of nested groups included in the search. In the above example, if you enter 1, and QA is a member of the R&D group, the search includes both the QA group and the R&D group.
If you leave this field empty, the number of nested groups is unlimited. The search includes all the groups to which the user belongs, both directly and indirectly.
In the Server access area, enter credentials to access the Netscape LDAP server and perform Server Access functions, such as retrieving the users/groups lists, retrieving user information, and changing passwords, as follows:
User—Enter a user name that is used to access the Netscape LDAP server. The user you assign here must have read permissions (or higher) on this server.
Password—Enter the password of the user you define in User.
On the Add Authentication Server dialog box, click OK, and then on the Authentication and Authorization Servers dialog box, click Close.