LDAP Functionality in Integrated User Firewall Overview

The topics in this section use the term Lightweight Directory Access Protocol (LDAP) to apply specifically to LDAP functionality within the integrated user firewall feature.

This topic includes the following sections:

Understanding the Role of LDAP in an Integrated User Firewall

SRX Series devices use the Lightweight Directory Access Protocol (LDAP) to get user and group information necessary to implement the integrated user firewall feature. The SRX Series device acts as an LDAP client communicating with an LDAP server. In a common implementation scenario, the domain controller acts as the LDAP server. The LDAP module in the SRX Series device, by default, queries the Active Directory in the domain controller.

The SRX Series device downloads user and group lists from the LDAP server. The device also queries the LDAP server for user and group updates. The SRX Series device downloads a first-level, user-to-group mapping relationship and then calculates a full user-to-group mapping.

Understanding the LDAP Server Configuration and Base Distinguished Name

Most of the LDAP server configuration is optional, because the common implementation uses the domain controller as the LDAP server. The SRX Series device periodically (every two minutes) queries the LDAP server to get the user and group information changed since the last query.

The only required LDAP server configuration is the LDAP base distinguished name (DN), which is at the top level of the LDAP directory tree. Microsoft Active Directory follows the convention of deriving the base DN from a company’s Domain Name System (DNS) domain components. An example of a base DN is dc=juniper, dc=net.
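The two LDAP-derived computations described above, deriving a base DN from a DNS domain and expanding a first-level user-to-group mapping into the full mapping, illustrated as an added example. This is not SRX Series code; the directory entries are constructed, and nested-group parents are walked with a visited set so circular nesting terminates.

```python
"""Added illustration, not the SRX Series implementation: derive an AD-style
base DN from a DNS domain and expand first-level group membership into the
full (transitive) user-to-group mapping. Directory data is constructed."""
from collections import deque


def base_dn_from_dns(domain: str) -> str:
    """Build an Active Directory style base DN from a DNS domain.
    'juniper.net' -> 'dc=juniper,dc=net' (labels lower-cased, trailing dot ignored)."""
    labels = [lbl for lbl in domain.strip().rstrip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join(f"dc={label}" for label in labels)


# Constructed first-level data as an LDAP query would return it:
# each user's direct groups, and each group's direct parent groups.
USER_GROUPS = {
    "alice": ["cn=eng,dc=example,dc=com"],
    "bob": ["cn=contractors,dc=example,dc=com"],
}
GROUP_PARENTS = {
    "cn=eng,dc=example,dc=com": ["cn=staff,dc=example,dc=com"],
    "cn=staff,dc=example,dc=com": ["cn=all-users,dc=example,dc=com"],
    # constructed cycle: all-users lists staff as a parent; the walk must stop
    "cn=all-users,dc=example,dc=com": ["cn=staff,dc=example,dc=com"],
    "cn=contractors,dc=example,dc=com": [],
}


def full_group_mapping(user_groups, group_parents):
    """Expand direct memberships into the full transitive group set per user.
    Breadth-first walk over parent groups; the visited set guards against
    circular nesting, which would otherwise loop forever."""
    result = {}
    for user, direct in user_groups.items():
        seen, queue = set(), deque(direct)
        while queue:
            group = queue.popleft()
            if group in seen:
                continue
            seen.add(group)
            queue.extend(group_parents.get(group, []))
        result[user] = sorted(seen)
    return result


if __name__ == "__main__":
    print(base_dn_from_dns("juniper.net"))
    for user, groups in full_group_mapping(USER_GROUPS, GROUP_PARENTS).items():
        print(user, "->", ", ".join(groups))
```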

LDAP Authentication Method

By default, the LDAP authentication method uses simple authentication. The client’s username and password are sent to the LDAP server in plaintext. Keep in mind that the password is sent in the clear and can be read by anyone who can observe the network traffic.

To avoid exposing the password, you can use simple authentication within an encrypted channel, namely Secure Sockets Layer (SSL), as long as the LDAP server supports LDAP over SSL. After you enable SSL, the data sent from the LDAP server to the SRX Series device is encrypted.

LDAP Server Username, Password, and Server Address

The LDAP server’s username, password, IP address, and port are all optional, but each can be configured when the default values do not match your deployment.
