Creating Access Profiles
Use the Access Profile page to configure LDAP server.
To configure LDAP server:
- Select Configure > User Firewall Management > Access Profile.
- Click the + icon.
- Complete the configuration by using the guidelines in Table 1.
- Click Finish.
A Summary page providing a preview of the complete configuration is shown.
- Click OK to complete the configuration or Back to make any modifications.
Table 1: LDAP Server Configuration Parameters
Access Profile Name
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. Maximum length is 255 characters.
Enter a description for the access profile; maximum length is 255 characters.
Configure the order in which the different user authentication methods are tried when a user attempts to log in. For each login attempt, the method for authentication starts with the first one, until the password matches.
The method can be one or more of the following:
Configure the next authentication method if the authentication method included in the authentication order option is not available, or if the authentication is available but returns a reject response.
Add LDAP Server
Enter the IPv4 or hostname of the LDAP authentication server.
Configure the port number on which to contact the LDAP server. The range is 1 through 65,535.
Specify the number of retries that a device can attempt to contact an LDAP server. The range is 1 through 10.
Configure the routing instance used to send LDAP packets to the LDAP server. A routing instance is a collection of routing tables, the interfaces contained in the routing tables, and the routing protocol parameters that control the information in the routing tables.
Configure a source address for each configured LDAP server. Each LDAP request sent to an LDAP server uses the specified source address.
Configure the amount of time that the local device waits to receive a response from an LDAP server. The range is 3 to 90 seconds.
Specify that a user’s LDAP distinguished name is assembled through the use of a common name identifier, the username, and base distinguished name.
Enter a common name identifier used as a prefix for the username during the assembly of the user's distinguished name. For example, uid specifies “ user id,” and cn specifies “common name.”
Base Distinguished Name
Specify the base distinguished name, which can be used in one of the following ways:
The base distinguished name is a series of basic properties that define the user. For example, in the base distinguished name, o=juniper, c=us, where o for organization, and c stands for country.
Specify the amount of time that elapses before the primary server is contacted if a backup server is being used. The range is 60 through 4,294,967,295 seconds.
Specify the name of the filter to find the user's LDAP distinguished name. For example, a filter cn specifies that the search matches a user whose common name is the username.
Perform an LDAP administrator search. By default, the search is an anonymous search. To perform an administrator search, you must specify administrator credentials, which are used in the bind as part of performing the search.
Specify the distinguished name of an administrative user. The distinguished name is used in the bind for performing the LDAP search.
For example, cn=admin, ou=eng, o=juniper, dc=net.
Configure the plain-text password for the administrative user. This password is used in the bind for performing the LDAP search.
Select these devices from the Available column and move them to the Selected column.
You can also search for the devices in the search field in both the Available and Selected columns. You can search these devices by entering the device name, device IP address, or device tag.