How to Add an LDAP Server in Sophos Firewall
To integrate an LDAP server with your system, follow the steps below. This guide will help you properly configure the LDAP server settings and ensure smooth authentication operations.
Access Authentication Settings
- Navigate to Authentication > Servers
- Click on the Add button to begin the server addition process
Select Server Type
- Choose LDAP server as the server type
Configure the Server Settings
You need to fill in various details about the LDAP server:
- Server Name: Enter a descriptive name for the LDAP server to help identify it easily
- Server IP/Domain: Specify the IP address or domain name of the LDAP server
- Version: Select the LDAP version to use. You can choose either Version 2 or Version 3
- Note: Google LDAP only supports Version 3
Set Connection Security
Specify the connection security for the LDAP server. Encryption is highly recommended to ensure data security.
- Plaintext: Sends credentials as unencrypted text over the network. Not recommended for secure environments
- Restriction: Google LDAP does not support plaintext
- SSL/TLS: Uses SSL/TLS to secure the connection between the client and the server
- STARTTLS: This option opens an unencrypted connection and then upgrades it to TLS before the bind credentials are sent. It uses the default LDAP port
Define Port Settings
You can either specify a custom port for the LDAP connection or keep the default port for the selected connection security.
Configure Anonymous Login (if applicable)
- Anonymous Login: If enabled, the server allows unauthenticated requests. This should generally be disabled for better security. If disabled, you’ll need to specify a username and password for the server connection
- Restriction: Google LDAP does not support Anonymous Login
- Bind DN: Enter the Username for the LDAP server in Distinguished Name (DN) format. For example:
uid=root,cn=user
- Password: Enter the password associated with the bind DN
- Append Base DN: If enabled, the Base DN is appended to the Bind DN during the bind operation, so the Bind DN can be given relative to the Base DN
- Note: When using Google LDAP, ensure to turn off the Append Base DN option
Secure Connection Settings
(Optional) These settings are for secure connections and server certificate validation:
- Validate Server Certificate: If using SSL/TLS or another secure connection, you can validate the server certificate
- Restriction: If enabled, you must provide the CNAME in the Server IP/Domain field as shown in the LDAP server's certificate. If the firewall cannot resolve the CNAME, add a DNS host entry for the domain in Network > DNS > DNS Host Entry
- Client Certificate: If you need to use a specific client certificate for secure communication, select it here. Client certificates can be managed under Certificates
- Note: When configuring Google LDAP, ensure to use the certificate provided by Google
Base Distinguished Name (DN) Configuration
- Base DN: The Base DN serves as the root for the directory structure. It should be provided in the Distinguished Name (DN) format, for example:
O=Example,OU=RnD
- You can use the Get Base DN option to automatically retrieve the Base DN from the directory
Define Authentication and Optional Attributes
- Authentication Attribute: Set the authentication attribute used for user logins, such as the sign-in name used for remote access
- Display Name Attribute: If desired, specify the attribute whose value is shown as the display name for users from this server
- Email Address Attribute: Define the email address attribute that will be displayed to users
- Note: For Google LDAP, the Email Address Attribute is mandatory when creating groups
- Group Name Attribute: Configure the group name attribute if applicable
- Expiry Date Attribute: Optionally, specify the expiry date for user accounts. This helps control the validity of user access
Test the Connection
Before finalizing the setup, it’s important to verify the configuration:
- Click on the Test Connection button to ensure that user credentials are valid and the connection to the server is working properly
Save the Configuration
Once the LDAP server settings are configured and verified:
- Click Save to apply the changes and complete the setup process
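As an added example (not part of this guide and not Sophos's own code), the following Python pre-flight check mirrors the rules above before Save is clicked: it parses the Bind DN and Base DN in RFC 4514 form, builds the effective bind name when Append Base DN is on, and flags settings that the restrictions above rule out. The dictionary keys and function names are assumed for the example and are not Sophos Firewall field names.

```python
import ipaddress
import re

# One RDN (type=value, RFC 4514 backslash escapes allowed in the value) followed by ',' or end.
_RDN_RE = re.compile(r"\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=((?:\\.|[^,\\])*)(?:,|$)")

def split_dn(dn):
    """Split a DN into (type, value) pairs; an escaped comma stays inside its value."""
    pos, rdns = 0, []
    while pos < len(dn):
        m = _RDN_RE.match(dn, pos)
        if not m or not m.group(2):
            raise ValueError(f"malformed DN at offset {pos}: {dn!r}")
        rdns.append((m.group(1), m.group(2)))
        pos = m.end()
    if not rdns:
        raise ValueError("empty DN")
    return rdns

def effective_bind_dn(bind_dn, base_dn, append_base_dn):
    """Name the firewall binds with: Bind DN, suffixed with Base DN when Append Base DN is on."""
    split_dn(bind_dn)                       # raises on a malformed DN
    if not append_base_dn:
        return bind_dn
    split_dn(base_dn)
    return f"{bind_dn},{base_dn}"

def check_settings(s):
    """Return the problems to fix before clicking Save (dict keys are assumed names, not Sophos fields)."""
    problems = []
    if s["security"] == "Plaintext":
        problems.append("Plaintext sends the bind password unencrypted; use SSL/TLS or STARTTLS")
    if s["anonymous_login"]:
        problems.append("Anonymous Login is enabled; bind with a dedicated low-privilege account instead")
    else:
        effective_bind_dn(s["bind_dn"], s["base_dn"], s["append_base_dn"])
    if s["validate_cert"]:
        try:
            ipaddress.ip_address(s["server"])
            problems.append("Validate Server Certificate needs the certificate's CNAME in Server IP/Domain, not an IP")
        except ValueError:
            pass                            # a hostname: fine, but it must resolve (see DNS Host Entry)
    if s.get("google_ldap"):
        if s["version"] != 3:
            problems.append("Google LDAP only supports Version 3")
        if s["append_base_dn"]:
            problems.append("turn off Append Base DN for Google LDAP")
    return problems
```

A non-empty result lists what to correct; a malformed Bind DN or Base DN raises a ValueError instead of being silently accepted.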
By following these steps, you’ll be able to successfully add an LDAP server and configure it for secure and efficient authentication in your network.