Using LDAP-bind authentication profiles

An LDAP-bind authentication profile controls how clients are authenticated against a third-party LDAP directory: its properties determine which directory servers are used, where in the directory tree users are searched for, and which attribute identifies a user.

About this task

To configure a SafeLinx Server to authenticate clients by LDAP-bind, alone or in combination with other authentication methods, create one or more authentication profiles, then assign them to a connection profile or HTTP access service.

Procedure

  1. Click the Resources tab.
  2. Right-click the OU in which you want to create an authentication profile.
  3. Create an authentication profile. Select Add Resource > Authentication profile > LDAP-bind.
  4. Specify the directory service servers that perform the LDAP-bind operation. You can select multiple directory servers and balance the load across them. If a server is unavailable or overloaded, the authentication request is redirected to one of the other servers.
  5. Using X.500 standard notation, specify the base distinguished name (DN) that is the root or suffix of the directory subtree in which the search for client authentication entries begins.
  6. Specify the attribute that is used as the key to locate users in the directory service server (DSS).
    For example, change the user key field from the user's email address (mail) to the user ID (uid) so that the DSS search matches on uid instead. The default is mail.
  7. Decide whether to enable lightweight third-party authentication (LTPA) and single sign-on (SSO). If so, specify the realm (or domain) to encode in the token, the attribute to encode in the token, the lifetime of the LTPA token in minutes, the SSO domain, and whether SSO is restricted to transport layer security (TLS) connections.
  8. Decide whether to authenticate SafeLinx Clients based on their Windows login credentials. If so, note the following:
    • On the LDAP tab of the LDAP-bind authentication profile, set the User key field to sAMAccountName and the LDAP attribute used for lock status field to userAccountControl.
    • Desktop Windows SafeLinx Clients can authenticate to the SafeLinx Server with their Windows login credentials either before or after the Windows desktop is presented to the user. For details, see the section Using a Windows user ID and password to log in to the SafeLinx Server in the SafeLinx Client for Windows: User's Guide.
  9. Decide whether to offer SafeLinx Clients access to a restricted session. This option is available only as a secondary authentication method and only with a Microsoft Windows Server 2003 Active Directory directory service. See Configuring a restricted session for details.
  10. Assign the authentication profile to the resource that uses it.

    Edit the properties of the connection profile or HTTP access service, click the Security tab, then select the authentication profile that you want.

    When all configured verifications pass, the SafeLinx Server completes the SafeLinx Client login.
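The search-then-bind sequence that the profile settings above configure, as an added example written for this page (it is not SafeLinx code and does not describe SafeLinx internals). It models the directory servers as constructed in-memory stand-ins and shows how the base DN scopes the search, how the user key selects the search attribute (mail by default, uid or sAMAccountName as alternatives), how userAccountControl is read for lock status, how an unreachable server is skipped in favour of the next one, and why the user-supplied key is escaped before it goes into the search filter. The host names, DNs, attribute values and passwords are assumptions.

```python
"""Model of what an LDAP-bind authentication profile configures.

Added example, not SafeLinx code.  The directory servers are in-memory
stand-ins with constructed entries; every DN, host name and password here
is an assumption.  The logic is the search-then-bind sequence that the
profile settings (servers, base DN, user key, lock-status attribute) drive.
"""
import re
from dataclasses import dataclass

# Active Directory userAccountControl flag bits.
UAC_ACCOUNTDISABLE = 0x0002
UAC_LOCKOUT = 0x0010

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the user-supplied key cannot alter the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

@dataclass
class FakeDirectoryServer:
    """Stand-in for one directory service server (DSS); constructed data only."""
    name: str
    entries: dict            # DN -> {attribute: value}
    available: bool = True

    def search(self, base_dn: str, equality_filter: str) -> list:
        """Entries under base_dn whose attribute matches a '(attr=value)' filter."""
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        attr, _, value = equality_filter.strip("()").partition("=")
        value, suffix = _unescape(value).lower(), "," + base_dn.lower()
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if dn.lower().endswith(suffix)
                and str(attrs.get(attr, "")).lower() == value]

    def bind(self, dn: str, password: str) -> bool:
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

@dataclass
class LdapBindProfile:
    servers: list                          # tried in order: load balance / failover
    base_dn: str
    user_key: str = "mail"                 # the profile default
    lock_attr: str = "userAccountControl"  # pair with sAMAccountName for AD

def is_locked(lock_attr: str, attrs: dict) -> bool:
    raw = attrs.get(lock_attr)
    if raw is None:
        return False
    if lock_attr.lower() == "useraccountcontrol":
        return bool(int(raw) & (UAC_ACCOUNTDISABLE | UAC_LOCKOUT))
    return str(raw).lower() in ("true", "1")

def authenticate(profile: LdapBindProfile, user_id: str, password: str) -> tuple:
    """Locate the user by user_key under base_dn, then bind as that DN."""
    if not password:
        # An empty password is an unauthenticated (anonymous) bind, which the
        # directory accepts without checking anything: reject it up front.
        return False, "empty password rejected"
    search_filter = f"({profile.user_key}={escape_filter_value(user_id)})"
    for server in profile.servers:
        try:
            hits = server.search(profile.base_dn, search_filter)
        except ConnectionError:
            continue                       # unavailable: fail over to the next DSS
        if len(hits) != 1:
            return False, "user not found or ambiguous"
        dn, attrs = hits[0]
        if is_locked(profile.lock_attr, attrs):
            return False, "account locked or disabled"
        try:
            ok = server.bind(dn, password)
        except ConnectionError:
            continue
        return ok, ("bind succeeded" if ok else "bind failed")
    return False, "no directory server available"

# Constructed directory content; 514 = 512 | ACCOUNTDISABLE.
BASE_DN = "ou=people,dc=example,dc=com"
ENTRIES = {
    "cn=alice,ou=people,dc=example,dc=com": {"mail": "alice@example.com", "uid": "alice",
        "sAMAccountName": "alice", "userAccountControl": 512, "userPassword": "correct horse"},
    "cn=bob,ou=people,dc=example,dc=com": {"mail": "bob@example.com", "uid": "bob",
        "sAMAccountName": "bob", "userAccountControl": 514, "userPassword": "battery staple"},
    "cn=svc-backup,ou=service,dc=example,dc=com": {"mail": "backup@example.com",  # outside base DN
        "uid": "svc-backup", "sAMAccountName": "svc-backup", "userAccountControl": 512,
        "userPassword": "s3rv1ce"},
}
DSS1 = FakeDirectoryServer("dss1.example.com", ENTRIES, available=False)  # simulated outage
DSS2 = FakeDirectoryServer("dss2.example.com", ENTRIES)
MAIL_PROFILE = LdapBindProfile([DSS1, DSS2], BASE_DN)
WINDOWS_PROFILE = LdapBindProfile([DSS2], BASE_DN, "sAMAccountName", "userAccountControl")
```

With MAIL_PROFILE, authenticate(MAIL_PROFILE, "alice@example.com", "correct horse") skips the unreachable dss1 and succeeds on dss2, while "backup@example.com" is not found because its entry lies outside the base DN. With WINDOWS_PROFILE, "bob" is refused before any bind is attempted because userAccountControl carries the ACCOUNTDISABLE bit. A key of "*" or "alice@example.com)(mail=*" is escaped into a literal value and matches nothing, which is the behaviour a production client must have when the user key comes from the login form. The lock check reads only the ACCOUNTDISABLE and LOCKOUT bits; a real deployment should also consider the directory's own lockout attributes.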