New/Edit LDAP Servers Tab

Use this page to configure connections to an LDAP server.

  • You must click Save to save these settings. The Test Connection button verifies the connection, but does not save your settings.

  • Red asterisks mark required fields.

Type

Active Directory.

This is not configurable; Windows Active Directory is the only LDAP directory type that is currently supported.

Domain name

The domain name for this LDAP server.

Server

LDAP Server address.

This can be a specific server name (myserver.mydomain.com), an IP address (10.10.123.123), or the domain address (mydomain.com).

Port

Port used by the LDAP server.

3268 is the default, and is standard for Active Directory global catalog for non-secure connections (LDAP).

3269 is the default for secure Active Directory global catalog for secure connections (LDAPS).

Use of the default global catalog ports is recommended for better performance. For connections without using global catalog, 389 is standard for non-secure connections and 636 is standard for secure connections.

Advanced domain settings

Clicking Advanced domain settings expands the display to show the following options. Use these settings to customize how Reflection Gateway manages user authentication to this LDAP server. For additional information, see LDAP Server Advanced Domain Settings.

Advanced domain settings apply to password authentication only; X.509 certificate authentication always requires user mapping that specifies both a domain and username.

Domain mappings

If you have multiple LDAP servers configured, you can use this option to map the value in Domain name to these servers. This can improve performance, because Reflection Gateway authenticates first against the servers you specify here.

Remove user domain

When set to Yes, any domain name the user enters at login is removed before Reflection Gateway authenticates the user to this LDAP server. For example, if a user enters acme\joe, the domain name acme is removed. If no Default user domain is specified, only the user ID joe is sent to the server for authentication.

Default user domain

Specifies a default domain name to include when Reflection Gateway authenticates users to this LDAP server. For example, if you specify domain1 and a user logs in as user_name, the user is authenticated as domain1\user_name. This can be used in combination with Remove user domain to replace any domain name that the user includes with the value you specify here.

UserID

Name of a user who has read access to this LDAP directory.

NOTE:You must include the user's domain. For example:

mydomain\user

user@mydomain

user@mydomain.com

Password

The LDAP user's password

Base DN

The base DN under which users are located.

For example:

OU=Users,DC=mydomain,DC=com

LDAP Filter

(Optional) Limits the list of users added to Gateway Administrator to those included in the specified filter. If no filter is specified, all users in the specified Base DN are added.

Use standard LDAP filter syntax. This example retrieves users in the group myGroup:

(|(&(objectCategory=user)(memberOf=CN=myGroup,OU=Users,DC=mydomain,DC=com))(&(objectCategory=group)(CN=myGroup)))

Secure Connection

Select this option to connect to the server using LDAP over SSL (LDAPS).

To make a successful secure connection, you must enable Secure Connection, provide the correct Port for LDAPS connections to this server (the port changes to 3269 by default), and use Add Certificate to browse to the certificate for this server. After you retrieve a certificate, information about that certificate will be displayed on the page.