You can use a Lightweight Directory Access Protocol (LDAP) authentication server to authenticate users with your Firebox. LDAP is an open-standard protocol for use with online directory services.

For authentication to an Active Directory server, WatchGuard recommends that you configure Active Directory authentication on the Firebox rather than LDAP authentication. For more information, see Configure Active Directory Authentication.

Before you configure your Firebox for LDAP authentication, review the documentation for your LDAP server to determine whether your installation supports the memberOf (or equivalent) attribute.

You can specify the IP address or the DNS name of your LDAP server.
Active Directory Global Catalog queries - 3269

When you configure the LDAP authentication method, you set a search base to specify where in the authentication server directories the Firebox can search for an authentication match. If your domain name is, you can use the search base dc=example,dc=com. To restrict the LDAP search to the Organizational Unit (OU) named accounts, you can use the search base ou=accounts,dc=example,dc=com. Any user or group you use in the Firebox configuration must be within this OU. If you also have user group objects in another OU named groups, with user accounts in an OU named accounts, and your domain name is, use the search base dc=example,dc=com.

If you use an OpenLDAP server without the memberOf attribute overlay support, add users to more than one OU, and find that the default Group String setting of memberOf does not return correct group information for your users, you can instead configure the Firebox to use another group attribute. To manage user groups, you can add the object classes member, memberUID, or gidNumber. For more information about these object classes, see RFC 2256 and RFC 2307.

LDAP over SSL (LDAPS)

By default, LDAP traffic is unencrypted plain text. LDAP authentication does not hash or encrypt passphrases. To encrypt user credentials, we recommend that you select Enable LDAPS. When you use LDAPS, the traffic between the LDAPS client on your Firebox and your LDAP server is secured by a TLS tunnel. When you select this option, you can also choose whether to enable the LDAPS client to validate the LDAP server certificate, which prevents man-in-the-middle attacks. If you choose to use LDAPS and you specify the DNS name of your server, make sure the search base you specify includes the DNS name of your server. If you enable LDAPS, you can choose to validate the LDAP server certificate with an imported Certificate Authority (CA) certificate.
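To show how the Group String choice and the search base together decide which groups are found for a user, here is an added Python example (not WatchGuard code) that resolves a user's groups over a small constructed directory with each of memberOf, member, memberUid and gidNumber, restricted to a search base. The DIRECTORY entries, the GROUP_CLASSES set and the in_search_base helper are assumptions made for the example.

```python
# RFC 2256 groupOfNames carries member (DNs); RFC 2307 posixGroup carries
# memberUid (uid values) and gidNumber (the user's primary group id).
GROUP_CLASSES = {"groupOfNames", "groupOfUniqueNames", "posixGroup"}

# Constructed directory keyed by DN; every attribute value is a list, as in LDAP.
DIRECTORY = {
    "uid=alice,ou=accounts,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"], "gidNumber": ["1001"],
    },
    "uid=bob,ou=accounts,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["bob"], "gidNumber": ["1002"],
        # Only present when the server maintains memberOf (e.g. via the overlay).
        "memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=com"],
    },
    "cn=vpn-users,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=accounts,dc=example,dc=com"],
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "gidNumber": ["1001"], "memberUid": ["bob"],
    },
}

def in_search_base(dn, base):
    """True if dn is the search base or lies beneath it (case-insensitive)."""
    dn, base = dn.lower().replace(", ", ","), base.lower().replace(", ", ",")
    return dn == base or dn.endswith("," + base)

def groups_for_user(user_dn, group_attr, base="dc=example,dc=com"):
    """Return sorted group DNs for user_dn found with one Group String setting.

    group_attr is "memberOf", "member", "memberUid" or "gidNumber"; only
    entries under `base` are considered, like the Firebox search base.
    """
    user = DIRECTORY[user_dn]
    if group_attr == "memberOf":
        # Read from the user entry; empty when the server lacks memberOf.
        return sorted(g for g in user.get("memberOf", []) if in_search_base(g, base))
    # The other settings match a value from the user against the group entries.
    wanted = {"member": user_dn, "memberUid": user["uid"][0],
              "gidNumber": user["gidNumber"][0]}[group_attr]
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_search_base(dn, base)
                  and GROUP_CLASSES & set(attrs["objectClass"])
                  and wanted in attrs.get(group_attr, []))
```

With the search base narrowed to ou=accounts,dc=example,dc=com the group lookups return nothing, because the group objects live in ou=groups; that is the case in which the text tells you to use dc=example,dc=com instead.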