LDAP Functionality in Integrated User Firewall Overview

The topics in this section use the term Lightweight Directory Access Protocol (LDAP) to apply specifically to LDAP functionality within the integrated user firewall feature.

This topic includes the following sections:

  • Understanding the Role of LDAP in an Integrated User Firewall

  • Understanding the LDAP Server Configuration and Base Distinguished Name

  • LDAP Authentication Method

  • LDAP Server Username, Password, and Server Address

Understanding the Role of LDAP in an Integrated User Firewall

SRX Series Firewalls use the Lightweight Directory Access Protocol (LDAP) to get the user and group information necessary to implement the integrated user firewall feature. The SRX Series Firewall acts as an LDAP client communicating with an LDAP server. In a common implementation scenario, the domain controller acts as the LDAP server, and the LDAP module in the SRX Series Firewall, by default, queries Active Directory on the domain controller.

The SRX Series Firewall downloads user and group lists from the LDAP server and queries the server again for user and group updates. It downloads only the first-level (direct) user-to-group memberships and then computes the full user-to-group mapping itself, including memberships inherited through groups nested inside other groups.
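To make the first-level versus full mapping concrete, here is an added Python example (not Juniper's implementation) that takes the kind of direct memberOf data a first-level query returns, including a group nested in a cycle, computes the full user-to-group mapping, and merges a later "changed since last query" result before recomputing. The sample entries, DNs and function names are constructed for the example; Active Directory's primaryGroupID group does not appear in memberOf and is deliberately ignored here.

```python
from collections import deque


def normalize_dn(dn):
    """Simplified DN normalization: lower-case and strip spaces around commas.
    Full RFC 4514 normalization also handles escaping; enough for this sample."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed sample (not real directory data) of what a first-level query
# returns: each entry's objectClass and its direct memberOf values, the way
# Active Directory exposes them.
FIRST_LEVEL = {
    "CN=alice,CN=Users,DC=juniper,DC=net": {
        "objectClass": ["user"],
        "memberOf": ["CN=eng,OU=Groups,DC=juniper,DC=net"]},
    "CN=bob,CN=Users,DC=juniper,DC=net": {
        "objectClass": ["user"],
        "memberOf": ["CN=contractors,OU=Groups,DC=juniper,DC=net"]},
    "CN=eng,OU=Groups,DC=juniper,DC=net": {
        "objectClass": ["group"],
        "memberOf": ["CN=staff,OU=Groups,DC=juniper,DC=net"]},
    "CN=staff,OU=Groups,DC=juniper,DC=net": {
        "objectClass": ["group"],
        "memberOf": ["CN=vpn-users,OU=Groups,DC=juniper,DC=net"]},
    # vpn-users is nested back into staff: a cycle the resolver must not loop on
    "CN=vpn-users,OU=Groups,DC=juniper,DC=net": {
        "objectClass": ["group"],
        "memberOf": ["CN=staff,OU=Groups,DC=juniper,DC=net"]},
    "CN=contractors,OU=Groups,DC=juniper,DC=net": {
        "objectClass": ["group"],
        "memberOf": []},
}


def _direct_groups(entries):
    """Normalized DN -> set of normalized direct memberOf DNs (first level)."""
    return {normalize_dn(dn): {normalize_dn(g) for g in attrs.get("memberOf", [])}
            for dn, attrs in entries.items()}


def transitive_groups(direct, start_dn):
    """Breadth-first walk over memberOf; the 'seen' set guards against cycles."""
    seen = set()
    queue = deque(direct.get(normalize_dn(start_dn), ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(direct.get(group, ()))
    return seen


def build_full_mapping(entries):
    """Full mapping: user DN -> sorted list of all direct and nested group DNs.
    Only entries with objectClass 'user' become keys; groups are not users."""
    direct = _direct_groups(entries)
    return {normalize_dn(dn): sorted(transitive_groups(direct, dn))
            for dn, attrs in entries.items()
            if "user" in [c.lower() for c in attrs.get("objectClass", [])]}


def apply_delta(entries, changed):
    """Merge the entries returned by a 'changed since last query' poll.
    An entry whose memberOf is now empty is kept so its memberships drop out.
    Returns a new dict; the caller recomputes the full mapping afterwards."""
    merged = {normalize_dn(dn): attrs for dn, attrs in entries.items()}
    merged.update({normalize_dn(dn): attrs for dn, attrs in changed.items()})
    return merged


def is_member(full_mapping, user_dn, group_dn):
    """The question a group-based firewall policy actually asks."""
    return normalize_dn(group_dn) in full_mapping.get(normalize_dn(user_dn), [])


if __name__ == "__main__":
    full = build_full_mapping(FIRST_LEVEL)
    for user, groups in full.items():
        print(user, "->", groups)
```

The first-level data says only that alice is in eng; the full mapping also places her in staff and vpn-users, which is what a policy matching on vpn-users needs. The cycle between staff and vpn-users terminates because each group is visited at most once.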

Understanding the LDAP Server Configuration and Base Distinguished Name

Most of the LDAP server configuration is optional, because the common implementation uses the domain controller as the LDAP server. The SRX Series Firewall periodically (every two minutes) queries the LDAP server to get the user and group information changed since the last query.

The only required LDAP server configuration is the LDAP base distinguished name (DN), the entry at the top of the directory subtree under which the firewall searches for user and group entries. Microsoft Active Directory follows the convention of deriving the base DN from the company's Domain Name System (DNS) domain, one domain component (dc=) per DNS label. An example of a base DN is dc=juniper,dc=net.

LDAP Authentication Method

By default, the LDAP authentication method is simple authentication (a simple bind). The client's username and password are sent to the LDAP server in cleartext, so anyone able to capture traffic between the firewall and the LDAP server can read the password.

To avoid exposing the password, use simple authentication inside an encrypted channel, namely Secure Sockets Layer (SSL), provided the LDAP server supports LDAP over SSL. With SSL enabled, the whole session between the SRX Series Firewall and the LDAP server is encrypted in both directions, including the bind credentials the firewall sends.

LDAP Server Username, Password, and Server Address

The LDAP server’s username, password, IP address, and port are all optional, but they can be configured.

  • If the username and password are not configured, the system uses the configured domain controller’s username and password.

  • If the LDAP server’s IP address is not configured, the system uses the address of one of the configured Active Directory domain controllers.

  • If the port is not configured, the system uses port 389 for plaintext LDAP or port 636 for LDAP over SSL.
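The following added Python example (not Juniper configuration or code) ties together the base DN convention described under the server configuration section and the fallback rules in the list above: it derives a base DN from a DNS domain the way Active Directory does, fills in the effective LDAP address, port and credentials from the domain controller settings when no override was configured, and flags a cleartext bind. The setting names, the domain controller list shape and the sample values are assumptions.

```python
LDAP_PORT, LDAPS_PORT = 389, 636


def base_dn_from_domain(dns_domain):
    """Active Directory convention: one dc= component per DNS label."""
    labels = [l for l in dns_domain.strip().strip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join(f"dc={label}" for label in labels)


def resolve_ldap_settings(domain_controllers, ldap):
    """domain_controllers: list of {"address", "username", "password"}, in the
    order configured. ldap: the LDAP server settings the operator actually set;
    only "base_dn" is required, everything else falls back to the first domain
    controller or to the default port. Returns (effective settings, warnings)."""
    if not domain_controllers:
        raise ValueError("at least one domain controller is required")
    if not ldap.get("base_dn"):
        raise ValueError("LDAP base DN is required")
    dc = domain_controllers[0]
    use_ssl = bool(ldap.get("ssl", False))
    effective = {
        "base_dn": ldap["base_dn"],
        "address": ldap.get("address") or dc["address"],
        "port": ldap.get("port") or (LDAPS_PORT if use_ssl else LDAP_PORT),
        "username": ldap.get("username") or dc["username"],
        "password": ldap.get("password") or dc["password"],
        "ssl": use_ssl,
    }
    scheme = "ldaps" if use_ssl else "ldap"
    effective["url"] = f"{scheme}://{effective['address']}:{effective['port']}"
    warnings = []
    if not use_ssl:
        warnings.append("simple bind without SSL: the bind password crosses the network in cleartext")
    return effective, warnings


if __name__ == "__main__":
    # Constructed sample settings; not a real deployment.
    dcs = [{"address": "10.1.1.10", "username": "svc-srx", "password": "example"}]
    settings, warns = resolve_ldap_settings(dcs, {"base_dn": base_dn_from_domain("juniper.net")})
    print(settings["url"], settings["base_dn"], warns)
```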