D-Link DFL-260 Product Manual - Page 363
Bind Request Authentication, LDAP Server Responses, Usernames may need the Domain, Optional Settings
8.2.4. External LDAP Servers                                Chapter 8. User Authentication

• Domain Name

The Domain Name is used when formatting usernames. This is the first part of the full domain name. In our examples above, the Domain Name is myldapserver. The full domain name is a dot-separated set of labels, for example, myldapserver.local.eu.com.

This option is only available if the Server Type is NOT set to Other. This option can be left empty but is required if the LDAP server requires the domain name when performing a bind request.

Optional Settings

There is one optional setting:

• Password Attribute

The password attribute specifies the ID of the tuple on the LDAP server that contains the user's password. The default ID is userPassword.

This option should be left empty unless the LDAP server is being used to authenticate users connecting via PPP with CHAP, MS-CHAPv1 or MS-CHAPv2. When it is used, it determines the ID of the data field in the LDAP server database which contains the user password in plain text. The LDAP server administrator must make sure that this field actually does contain the password. This is explained in greater detail later.

Bind Request Authentication

LDAP server authentication is automatically configured to work using LDAP Bind Request Authentication. This means that authentication succeeds if a successful connection is made to the LDAP server. Individual clients are not distinguished from one another.

LDAP server referrals should not occur with bind request authentication but if they do, the server sending the referral will be regarded as not having responded.

LDAP Server Responses

When an LDAP server is queried by NetDefendOS with a user authentication request, the following are the possible outcomes:

• The server replies with a positive response and the user is authenticated. Clients using PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 are a special case and authentication is actually done by NetDefendOS, as discussed later.

• The server replies with a negative response and the user is not authenticated.

• The server does not respond within the Timeout period specified for the server. If only one server is specified then authentication will be considered to have failed. If there are alternate servers defined for the user authentication rule then these are queried next.

Usernames may need the Domain

With certain LDAP servers, the domain name may need to be combined with the username when the user is prompted for a username/password combination.
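The response handling described above (positive, negative, timeout with fallback to alternate servers, referral treated as no response) as an added Python illustration; this is not NetDefendOS code, and the per-server bind callable is a constructed stand-in for a real LDAP bind. It also adds one defensive check the manual does not mention: an empty password is refused before any bind is attempted, because an empty password turns the request into an unauthenticated bind that many directories accept. The CHAP/MS-CHAP special case is not modelled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List


class BindOutcome(Enum):
    """The possible results of one bind request, as listed in the manual."""
    POSITIVE = "positive"   # server accepted the credentials
    NEGATIVE = "negative"   # server rejected the credentials
    TIMEOUT = "timeout"     # no answer within the server's Timeout
    REFERRAL = "referral"   # server answered with a referral


@dataclass
class LdapServer:
    name: str
    timeout_seconds: float
    # Constructed stand-in for the network bind: (username, password, timeout) -> outcome.
    bind: Callable[[str, str, float], BindOutcome]


def authenticate(servers: List[LdapServer], username: str, password: str) -> bool:
    """Return True only when some server gives a positive bind response."""
    # Added check: an empty password would be an unauthenticated (anonymous)
    # bind, which succeeds on many directories without proving identity.
    if not password:
        return False
    for server in servers:
        outcome = server.bind(username, password, server.timeout_seconds)
        if outcome is BindOutcome.POSITIVE:
            return True
        if outcome is BindOutcome.NEGATIVE:
            return False            # a definite rejection is final
        # TIMEOUT: no reply in time. REFERRAL: regarded as no reply.
        # Either way, fall through to the next alternate server, if any.
    return False                    # no server answered


def simulated_bind(outcome: BindOutcome) -> Callable[[str, str, float], BindOutcome]:
    """Build a constructed bind callable that always yields one outcome."""
    return lambda username, password, timeout: outcome


if __name__ == "__main__":
    primary = LdapServer("ldap1", 5.0, simulated_bind(BindOutcome.TIMEOUT))
    backup = LdapServer("ldap2", 5.0, simulated_bind(BindOutcome.POSITIVE))
    print(authenticate([primary, backup], "alice", "example-pass"))  # True
```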