By default, LDAP communications between client and server applications are not encrypted. This means that it would be possible to use network monitoring devices or software to view the communications traveling between the LDAP client and server computers. This is especially problematic when an LDAP simple bind is used, because the credentials (username and password) are passed over the network unencrypted and could quickly be compromised. By configuring your authentication stage with LDAPS, you ensure that the communication between the client and the server is encrypted, which strengthens the security of the NetConnect solution.
This section describes how to set up NetConnect to authenticate users against an Active Directory via LDAPS. The following main steps are required.
In order to configure an LDAPS authentication stage in NetConnect, there are several prerequisites which must be in place within your network.
- A server running the Certification Authority (CA) role.
- A configured Active Directory (or other LDAP) server, with a copy of your Root CA installed (if your Certification Authority and AD are running on separate servers)*
- A copy of your Root CA
- Port 636 opened inbound and outbound on your firewall
If needed, details on how to install the Certification Authority role can be found within the following link:
Create an LDAPS Authentication Stage
From the Authentication -> Authentication Stages page, click on the ‘Create’ button, select ‘LDAPS’ and click ‘Next’.
You will be presented with the Basic Information page. Completing the details required here will enable you to bind to most Active Directory servers. However, additional information may be required depending on your specific setup; in this case, you will need to enter details in the Advanced Information section.
The following information is required in order to configure a basic Active Directory Authentication Stage.
| Field | Description |
| --- | --- |
| Domain | Enter the domain which the Active Directory is joined to. |
| Domain Controller | Enter either the DNS name or IP address of the Active Directory server. |
| Bind Username | Enter the name of an account with LDAP read access to the full Active Directory hierarchy. We recommend you create an account for this specific purpose. |
| Bind Password | Enter the password of your bind user. Note, if the password for this account changes, this field will need to be updated in order for users to authenticate onto your NetConnect environment. |
Advanced Information (optional)
| Field | Description |
| --- | --- |
| Authentication Stage Name | Enter the name of the authentication stage. Note, this will default to your domain name. |
| Authentication Stage Description | Enter a description of your authentication stage. This is optional. |
|  | Enter the full distinguished name (DN) of your Bind User. Details on how to locate this can be found here. |
| Port | Enter the port number of the Active Directory server. The default value for this field is 636. |
| Login Attribute | Enter the name of the login attribute that contains the user’s login name. By default this is sAMAccountName. Other attributes can be used, such as UID. |
| Base DN | Specify the point in the directory hierarchy where a search begins. Enter the base DN (or base object) from which you want to search. By default, this value is determined by the information you enter into the Domain field. |
| Search Filter | Further narrow down the search starting from the base DN by entering one or more filters. This is helpful if two objects have the same user attribute. |
Once you have entered all the required information, you can click ‘Test Connection’ to confirm the Active Directory server can be reached – if this check fails, please confirm the address and bind details are correct. Once you’re happy with your configuration, click ‘Create’. If you wish to use this authentication stage, you will need to click the ‘Activate’ icon and deactivate the local stage.
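The following added example (not NetConnect code; the function names and the sample domain are assumptions) shows how the Advanced Information values fit together: the default Base DN derived from the Domain field, the Login Attribute and Search Filter combined into a single LDAP search filter with the login name escaped so it cannot change the filter's structure, and the TLS settings an LDAPS client on port 636 needs so that the server certificate is checked against the uploaded Root CA and the Domain Controller name.

```python
import ssl
from typing import Optional


def domain_to_base_dn(domain: str) -> str:
    """Derive the default Base DN from an AD domain name, e.g.
    'corp.example.com' (constructed sample) -> 'DC=corp,DC=example,DC=com'."""
    labels = [p for p in domain.strip().strip(".").split(".") if p]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join(f"DC={label}" for label in labels)


# RFC 4515 escapes for characters that carry meaning inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value (the login name) for use inside an LDAP
    search filter, so it is always matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login_attr: str, username: str, extra_filter: str = "") -> str:
    """Combine the Login Attribute match with the optional administrator-defined
    Search Filter (already a complete filter such as '(memberOf=...)')."""
    user_clause = f"({login_attr}={escape_filter_value(username)})"
    if not extra_filter:
        return user_clause
    return f"(&{user_clause}{extra_filter})"


def ldaps_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings for the LDAPS connection: the server certificate must chain
    to the trusted Root CA (cafile) and match the Domain Controller name."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject untrusted or self-signed chains
    ctx.check_hostname = True            # the DNS name entered must match the cert
    return ctx


if __name__ == "__main__":
    base_dn = domain_to_base_dn("corp.example.com")
    print(base_dn)
    print(build_user_filter("sAMAccountName", "jdoe", f"(memberOf=CN=VPN Users,{base_dn})"))
```

Pass the returned context to your LDAP client library's TLS option when connecting to the Domain Controller on port 636; a failure there points at the certificate chain rather than the bind details.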
Upload your Root certificate
The final step from a NetConnect configuration perspective is to install your Root CA. For details on how to complete this, please refer to the Root Certificate Authorities page.
Be sure to install any and all required Intermediate Certificates in the same fashion.
Now that your LDAPS Authentication Stage has been configured, you can assign licences to your users or configure and assign applications. Alternatively, you may wish to create an additional authentication stage in order to configure multi-factor authentication.