Adding LDAP-bind authentication profiles

Add an LDAP-bind authentication profile to provide the SafeLinx Server with information about how to connect directly with an LDAP server to authenticate users.

Before you begin

Before you add an LDAP-bind authentication profile, create a directory server resource that defines a connection to an LDAP server. For more information, see Configuring a directory server.

About this task

After you create the authentication profile, assign it to an HTTP access service or connection profile.

Procedure

  1. Right-click the OU in which you want to create an authentication profile, then click Add Resource > Authentication profile > LDAP-bind Authentication.
  2. To configure the profile, provide values in the Add a New Authentication Profile wizard for the fields in Table 1. You can complete all of the fields now, or leave most fields blank and then open the profile properties later to complete the configuration. Only the Common name field is mandatory to add the profile.
    Table 1.
    Request Windows credentials from GINA?
      If this authentication profile defines a connection to an Active Directory server to be used by Windows SafeLinx Clients, you might want to select this field. For more information, see Using LDAP-bind authentication profile with Windows Integrated Login.
    Common name
    Password policy
      Choose a password policy from the list. Password policies set rules for constructing and using wireless passwords and specify the number of unsuccessful login attempts that can occur before a user account is locked. For more information, see Wireless password policies.
    Challenge string
      Type any special text that you want to display in the title bar of windows that prompt users to submit credentials. If you leave the field blank, the window displays the name of the authentication profile.
    Include realm in authentication request
      Select this field if user authentication requests sent to the LDAP server are required to include the fully-qualified realm. If the realm string is required, type the domain suffix to append to user IDs in the Default realm field.
    Backup authentication profile
      Specify one or more authentication profiles to be used if the LDAP directory for this profile is not available.
    Directory server
      The LDAP server resource that SafeLinx uses to process authentications for this profile.
    User key field
      Specifies the LDAP attributes that SafeLinx searches for in the directory to validate the IDs that users submit when they log in. By default, the mail attribute is used, but you can use other valid user attributes.

      You can chain multiple user key fields together to improve the chances of successful authentication. For example, if you specify the values mail,uid,cn together, SafeLinx submits a single query to the LDAP server that searches against each attribute in turn. Thus, it first searches for a match against the mail attribute, and if no match is found, it searches next against the uid field, and so forth.

      If you use Microsoft Active Directory as the directory server, you must use specific values in the User key field.
    LDAP attribute for lock status
      Specify the attribute that the LDAP server uses to indicate that a user account is locked. The SafeLinx Server uses this attribute to query the directory server after a login failure to determine if a user account is locked.
    Additional search criteria
      Use X.500 notation to specify other attributes that the SafeLinx Server searches for along with the attribute that is specified in the User key field. For example, if you want to restrict access to employees in certain job categories with specific job status, you might specify (&(employeeType=regular)(&(employeeStatus=active))). A user is authenticated only if the user record includes all of the attributes that you specify. Use this field to require that a user record includes the attributes that you specify.
    Maximum number of processing threads
      Specifies the number of threads that Mobile can use to process account lookup operations. Allocate one thread for every 25 clients that log in or log out each second. Thus, for a SafeLinx Server that receives 100 authentication requests per second, you would set the value to 4. The maximum value is 10 threads.
    Restricted session filters
      This field does not apply to HTTP access services.
    Enable LTPA
      Select this field if you want the authentication profile to generate Lightweight Third Party Authentication tokens to establish sharing of trusted user credentials. LTPA token lifetime. If you configure the authentication profile for LTPA, complete the following other fields:
      Enable SSO
        Select this field to enable single sign-on among servers in a specified domain through the use of LTPA tokens to share authentication credentials.
      SSO Cookie domain
        Type the name of the DNS domain in which single sign-on is used.
        Note: If this authentication profile is assigned to an HTTP access service that specifies a session cookie domain, the value in this field is ignored.
      Enable SSO over SSL connections only
        Select this field if you want to require secure connections between computers that participate in single sign-on.
      Service port to include in LTPA token
        The LDAP server port number to include in LTPA tokens.
  3. In the Directory Server field, select the LDAP servers that authenticate clients.
  4. Using X.500 standard notation, specify the root or suffix of the directory tree where the search for client authentication resources begins.
  5. In the User key field, specify the attribute that is used as a key to determine where in the directory tree to search for users in the DSS. For example, you can change the user key field to indicate that the DSS search looks for the user ID (uid) rather than the user email account (mail). The default value is mail.
  6. Assign this authentication profile to an HTTP access service or connection profile.
    1. Open the properties of the HTTP access service and click the Mode page, or open the properties of the connection profiles and click the Security page.
    2. In the Authentication profile field, click the common name that you assigned to the authentication profile.
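
The following Python sketch is an added example, not SafeLinx code: it shows how the User key field chain mail,uid,cn and the Additional search criteria value from Table 1 could combine into one LDAP filter, and checks that filter against constructed directory entries. The OR-then-AND filter shape, the function names, and the sample entries are assumptions; the query that the product actually sends is not documented on this page.

```python
import re

# Example value for "Additional search criteria", taken from Table 1
EXTRA = "(&(employeeType=regular)(&(employeeStatus=active)))"

# Constructed sample entries (not from any real directory)
DIRECTORY = [
    {"dn": "uid=alee,ou=people,dc=example,dc=com", "uid": ["alee"], "mail": ["alee@example.com"],
     "cn": ["Ana Lee"], "employeeType": ["regular"], "employeeStatus": ["active"]},
    {"dn": "uid=bkim,ou=people,dc=example,dc=com", "uid": ["bkim"], "mail": ["bkim@example.com"],
     "cn": ["Bo Kim"], "employeeType": ["regular"], "employeeStatus": ["inactive"]},
]

def escape_value(value):
    """Escape the RFC 4515 special characters in a submitted user ID."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(user_id, key_fields="mail", extra=""):
    """Assumed shape: OR over the chained key fields, ANDed with the extra criteria."""
    tests = ["(%s=%s)" % (a.strip(), escape_value(user_id)) for a in key_fields.split(",")]
    keys = tests[0] if len(tests) == 1 else "(|%s)" % "".join(tests)
    return "(&%s%s)" % (keys, extra) if extra else keys

def parse(f, i=0):
    """Parse the subset used here (&, |, equality); returns (node, next index)."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter node against one entry (case-insensitive equality)."""
    if node[0] == "=":
        return node[2].lower() in [v.lower() for v in entry.get(node[1], [])]
    results = [matches(kid, entry) for kid in node[1]]
    return all(results) if node[0] == "&" else any(results)

def search(user_id, key_fields="mail,uid,cn", extra=EXTRA):
    """Return the DNs of the constructed entries that the combined filter selects."""
    tree, _ = parse(build_filter(user_id, key_fields, extra))
    return [e["dn"] for e in DIRECTORY if matches(tree, e)]
```

To check a planned profile, replace DIRECTORY with a few representative records and confirm that search() returns only the users you intend to admit.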