LDAP Functionality in Integrated User Firewall Overview
In this section, the term Lightweight Directory Access Protocol (LDAP) refers specifically to the LDAP functionality within the integrated user firewall feature.
Understanding the Role of LDAP in an Integrated User Firewall
SRX Series devices use the Lightweight Directory Access Protocol (LDAP) to obtain the user and group information needed to implement the integrated user firewall feature. The SRX Series device acts as an LDAP client communicating with an LDAP server. In the common deployment, the domain controller acts as the LDAP server, and by default the LDAP module on the SRX Series device queries the Active Directory database on that domain controller.
The SRX Series device downloads the user and group lists from the LDAP server and then queries the server for updates to them. What it downloads is the first-level (direct) user-to-group membership for each entry; because groups can themselves be members of other groups, the device then computes the full user-to-group mapping, including nested group membership, from that first-level data.
Understanding the LDAP Server Configuration and Base Distinguished Name
Most of the LDAP server configuration is optional, because the common implementation uses the domain controller as the LDAP server. The SRX Series device periodically (every two minutes) queries the LDAP server to get the user and group information changed since the last query.
The only required LDAP server configuration is the LDAP base distinguished name (DN), the entry at the top of the directory subtree from which the SRX Series device starts its searches. Microsoft Active Directory follows the convention of deriving the base DN from the company's Domain Name System (DNS) domain: each DNS label becomes a dc= component. For example, the DNS domain juniper.net corresponds to the base DN dc=juniper,dc=net.
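The following Python example, added here and not part of Juniper's documentation or Junos code, illustrates two things the preceding sections describe: deriving an Active Directory base DN from a DNS domain, and turning the first-level (direct) user-to-group memberships an LDAP client downloads into the full, nested mapping, then working out which users must be recomputed after a poll returns changed entries. The directory entries, DNs, and the membership cycle are constructed sample data, and the function names are the example's own assumptions; the SRX Series device's actual internal algorithm is not documented on this page.

```python
"""Added example (not Juniper code): base DN derivation and nested group
expansion of the kind an LDAP client for a user firewall has to perform.
All directory data below is constructed for illustration."""

from typing import Dict, Iterable, Set, Tuple


def base_dn_from_dns_domain(domain: str) -> str:
    """Active Directory convention: each DNS label becomes one dc= component.
    'juniper.net' -> 'dc=juniper,dc=net'. Case and a trailing dot are ignored."""
    labels = [label for label in domain.strip(".").lower().split(".") if label]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join(f"dc={label}" for label in labels)


# Constructed sample DNs (assumed names, not from the original page).
ALICE = "cn=alice,ou=users,dc=juniper,dc=net"
BOB = "cn=bob,ou=users,dc=juniper,dc=net"
ENGINEERING = "cn=engineering,ou=groups,dc=juniper,dc=net"
STAFF = "cn=staff,ou=groups,dc=juniper,dc=net"
VPN_USERS = "cn=vpn-users,ou=groups,dc=juniper,dc=net"
CONTRACTORS = "cn=contractors,ou=groups,dc=juniper,dc=net"
ALL_EMPLOYEES = "cn=all-employees,ou=groups,dc=juniper,dc=net"

# What a first-level download returns: each entry's DN mapped to the DNs in
# its memberOf attribute. Groups can be members of groups, and real
# directories can contain membership cycles (staff <-> vpn-users here).
FIRST_LEVEL: Dict[str, Set[str]] = {
    ALICE: {ENGINEERING},
    BOB: {CONTRACTORS},
    ENGINEERING: {STAFF},
    STAFF: {VPN_USERS},
    VPN_USERS: {STAFF},
    CONTRACTORS: set(),
}
USERS = [ALICE, BOB]


def expand_groups(entry: str, first_level: Dict[str, Set[str]]) -> Set[str]:
    """Every group `entry` belongs to, directly or through nested groups.
    Iterative depth-first walk with a visited set, so cycles terminate."""
    result: Set[str] = set()
    stack = list(first_level.get(entry, ()))
    while stack:
        group = stack.pop()
        if group in result:
            continue
        result.add(group)
        stack.extend(first_level.get(group, ()))
    return result


def full_user_to_group_mapping(
    users: Iterable[str], first_level: Dict[str, Set[str]]
) -> Dict[str, Set[str]]:
    """The full mapping computed from first-level data for the listed users."""
    return {user: expand_groups(user, first_level) for user in users}


def apply_update(
    first_level: Dict[str, Set[str]], changed_entries: Dict[str, Set[str]]
) -> Dict[str, Set[str]]:
    """Merge entries returned by a 'changed since last query' poll into the
    cached first-level data. The cache itself is left unmodified."""
    updated = {dn: set(groups) for dn, groups in first_level.items()}
    for dn, groups in changed_entries.items():
        updated[dn] = set(groups)
    return updated


def recompute_after_update(
    users: Iterable[str],
    old_mapping: Dict[str, Set[str]],
    new_first_level: Dict[str, Set[str]],
) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Recompute the full mapping and report which users' membership changed.
    A change to one group's memberOf propagates to every user nested under it,
    which is why the full mapping cannot be patched per changed entry."""
    users = list(users)
    new_mapping = full_user_to_group_mapping(users, new_first_level)
    changed = {u for u in users if old_mapping.get(u) != new_mapping[u]}
    return new_mapping, changed


if __name__ == "__main__":
    print(base_dn_from_dns_domain("juniper.net"))
    mapping = full_user_to_group_mapping(USERS, FIRST_LEVEL)
    for user, groups in mapping.items():
        print(user, "->", sorted(groups))
    # Poll reports that the 'staff' group was added to 'all-employees'.
    updated = apply_update(FIRST_LEVEL, {STAFF: {VPN_USERS, ALL_EMPLOYEES}})
    _, affected = recompute_after_update(USERS, mapping, updated)
    print("users to recompute:", sorted(affected))
```

Two points the code makes concrete: the expansion must tolerate cycles in group nesting, or a periodic poll against a real directory can hang the client; and a change to a single group's memberOf attribute can alter the effective groups of every user nested below it (alice, but not bob, in the sample), so a "changed since last query" poll has to trigger recomputation of the full mapping rather than a per-entry patch.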
LDAP Authentication Method
By default, the LDAP authentication method is simple authentication: the client's username (bind DN) and password are sent to the LDAP server in cleartext. Anyone who can capture traffic between the SRX Series device and the LDAP server can read the password.
To avoid exposing the password, use simple authentication inside an encrypted channel, Secure Sockets Layer (SSL), provided the LDAP server supports LDAP over SSL. With SSL enabled, traffic in both directions between the SRX Series device and the LDAP server is encrypted, including the bind credentials. SSL protects the password on the wire only; the account itself should be a dedicated, read-only directory account, since it needs nothing beyond read access to user and group attributes.
LDAP Server Username, Password, and Server Address
The LDAP server's username, password, IP address, and port are all optional and can be configured explicitly; otherwise the defaults below apply.
If the username and password are not configured, the system uses the configured domain controller’s username and password.
If the LDAP server’s IP address is not configured, the system uses the address of one of the configured Active Directory domain controllers.
If the port is not configured, the system uses port 389 for plaintext LDAP or port 636 for LDAP over SSL.