Version 1.6 HOW-TO GUIDELINES
Setting up an External LDAP Server
HWTO1SG1.6 - 5/3/02

Stonesoft Corp.
Itälahdenkatu 22A, FIN-00210 Helsinki, Finland
Tel. +358 (9) 4767 11
Fax. +358 (9) 4767 1234
email: [email protected]

Copyright © 2002 Stonesoft Corp. All rights reserved. All trademarks or registered trademarks are property of their respective owners.

Introduction

The StoneGate user management system provides an integrated database, but the software also supports the use of a company's existing directory servers. If the company has an LDAP directory in place, the StoneGate management system uses an LDAP client that queries the corporate directory for user information. In StoneGate, the LDAP directory serves as the repository for all authentication decisions. The LDAP server itself can authenticate the user, or a third-party authentication service can be specified.

If you want to use an existing corporate LDAP directory instead of the embedded StoneGate database, you must first configure an external LDAP server and then define that server in the StoneGate GUI. You must also add certain StoneGate-specific attributes to the LDAP user information.

Network Configuration Example

This document explains how to configure an external Netscape Directory Server and illustrates the setup process with the following case study. The figure below depicts an example network configuration.

FIGURE 1.1 Case study (network diagram showing: the internal network with the Management Server 192.168.20.101 and the Log Server 192.168.20.102; the firewall with CVI addresses 192.168.20.1, 212.20.1.1 and 10.2.4.1; the Netscape LDAP Server "Miles" 10.2.4.235; the VPN Client 193.105.53.142; a router; and the further addresses 193.105.53.130 and 212.20.1.254)

Setup Requirements

This setup was established with the following components:
• StoneGate v. 1.6
• Netscape v. 6
• Microsoft Windows 2000 platform
• Netscape Server Family 4.1 setup program

LDAP Server Installation

Setup Options

Two different setup situations can be distinguished:
• No external LDAP installed: An external LDAP server is optional; you can also use the internal LDAP database. If you want to use an external LDAP server, follow the steps below and then add users in LDAP.
• Existing LDAP user base: Skip the external LDAP server setup and continue from the section "Launching the Netscape Console".

Setting Up an External LDAP Server

To set up an external LDAP server:

1. Start the setup process by downloading the Netscape Directory Server from the Netscape home site and running the .exe file.
2. The Netscape Server Family 4.1 setup Welcome screen opens. Click Next to continue.

ILLUSTRATION 1.1 Netscape Server Family 4.1 setup welcome screen

3. The Software License Agreement screen opens. If you accept the license agreement, click Yes to accept and continue.

ILLUSTRATION 1.2 Software License Agreement

4. The Select Server or Console Installation screen opens. Select the Netscape Servers or the Netscape Console radio button depending on whether you want to install a new server or use an existing LDAP server, and click Next to continue.

ILLUSTRATION 1.3 Select Server or Console Installation

5. The Select Installation Type screen opens. Select the setup type you prefer and click Next to continue.

ILLUSTRATION 1.4 Select Installation Type

6. The Choose Installation Directory screen opens. Select the correct directory and click Next to continue.

ILLUSTRATION 1.5 Choose Installation Directory

7. The Select Products screen opens. Select the products you want to install and click Next to continue.
ILLUSTRATION 1.6 Select Products

8. The Directory Server 4.1 screen opens. Select the option depending on whether you want to create a new directory server or use an existing one. Click Next to continue.

ILLUSTRATION 1.7 Directory Server 4.1

9. A new Directory Server 4.1 screen opens. Select the directory server that you want to use and click Next to continue.

ILLUSTRATION 1.8 Directory Server 4.1

10. The Directory Server 4.1 Server Settings screen opens. In the Server Identifier field, enter the name that will be used as the LDAP server name in the StoneGate GUI. The name you enter in the Suffix field will be taken as the default value for the User Directory Subtree field in the Console domain properties tab (see Illustration 1.23). Click Next to continue.

ILLUSTRATION 1.9 Directory Server 4.1 Server Settings

11. The Directory Server 4.1 Netscape configuration directory server administrator screen opens. Define the configuration directory server administrator ID and password. Click Next to continue.

ILLUSTRATION 1.10 Directory Server 4.1 Netscape configuration directory server administrator

12. The Directory Server 4.1 Administration Domain screen opens. The name specified for the domain must be identical to the domain name given later in the management GUI. Click Next to continue.

ILLUSTRATION 1.11 Directory Server 4.1 Administration Domain

13. The Directory Server 4.1 Directory Manager Settings screen opens. Define the Directory Manager settings here. Pay attention to the Directory Manager DN syntax.

ILLUSTRATION 1.12 Directory Server 4.1 Directory Manager Settings

14. The Administration Server Port Selection screen opens. A random value is proposed for the administration port. Update it if necessary using the up and down arrows. Click Next to continue.

ILLUSTRATION 1.13 Administration Server Port Selection

15. The Configuration Summary screen opens. If you are satisfied with the settings, click Next to begin copying files.

ILLUSTRATION 1.14 Configuration Summary

16. The Setup Complete screen opens. Select the Restart my computer now radio button and click Finish.

ILLUSTRATION 1.15 Setup Complete

17. After restarting the computer, stop the Administration Server and the Directory Server services from the Windows Services panel.

ILLUSTRATION 1.16 Services stopped

Updating the LDAP Schema for StoneGate

To update the LDAP schema:

1. The LDAP server has now been installed. Next, copy the correct StoneGate schema file to the configuration directory of the LDAP server. Select:
   • sg-schema.conf for LDAP server v2 or older, and for Netscape
   • sg-v3.schema for LDAP server v3
   Copy the file from the StoneGate management server ($SGDIR\samples\ldap) to where the LDAP schemas are stored. In Netscape, the schema should be stored in the same directory as the slapd.conf file. Illustration 1.17 depicts the source directory location and Illustration 1.18 the destination directory location.

ILLUSTRATION 1.17 File location

ILLUSTRATION 1.18 File destination

2. Next, edit the ns-schema.conf file. Add an include statement for the StoneGate schema file you just copied.

ILLUSTRATION 1.19 Editing ns-schema file

3. After the schema update, restart the Administration Server and the Directory Server from the Windows Services panel.
ILLUSTRATION 1.20 Restarting services

Caution: The authentication attribute, defined in the User Services tab of the LDAP Server Properties window, and the definitions in the schema files have to match. Otherwise, an error message will appear when creating users or groups with an authentication service defined. When updating the schema files, you should already know which authentication attribute to use (it is defined in StoneGate after the schema files have been updated).

Launching the Netscape Console

To launch the Netscape Console:

1. Launch the Netscape Console from Start > Programs > Netscape Server Products > Netscape Console. The Netscape Console dialog box opens. Fill in your user name, password, and the URL of the administration server you want to access. Click OK to continue. The user name and password you use to log in determine which servers and server operations you can access in the Netscape Console. For more information about using the Netscape Console, click the Help button.

ILLUSTRATION 1.21 Netscape Console

2. The Netscape Console 4.1 Console tab opens. When you start the console for the first time, complete the domain settings by clicking the Edit button.

ILLUSTRATION 1.22 Console tab

3. The Console tab opens with a domain parameters panel on the right. Fill in the Bind DN field as follows:
   uid=<Directory Administrator Id>, ou=Administrators
   Note that you entered the <Directory Administrator Id> and the Bind Password at step 11 (see Illustration 1.10). Click OK to validate the updates.

ILLUSTRATION 1.23 Netscape Console 4.1 Console tab, domain parameters

Caution: Before creating any users, ensure that the external LDAP server is properly installed.
All users and groups used in StoneGate should be created through StoneGate, not through Netscape. If they are created in Netscape, their attribute values will not function correctly.

Note: If you need to change the IP address of the LDAP server after the installation, you can do so by editing the line "configuration.nsserveraddress" in the file \netscape\server4\admin-serv\config\local.conf. You first need to stop the services.

StoneGate Definitions

Once you have defined the attributes and objects, you must link the external LDAP server settings defined in the Netscape Directory Server to StoneGate.

Creating a New LDAP Server Element

To create a new LDAP server element:

1. Start in the StoneGate GUI by creating a new LDAP server element. Open the User Manager and click the New LDAP Server icon in the toolbar.

ILLUSTRATION 1.24 User Manager

2. In the General tab of the LDAP Server Properties window, define the necessary settings. Note that the server name and port number must be identical to those you defined in the Netscape Directory Server settings (see Illustration 1.9).

ILLUSTRATION 1.25 LDAP Server Properties window, General tab

3. Click the User Services tab and make the necessary definitions. In the Bind Password field, make sure to enter the same password as defined in the Netscape Console 4.1 Console tab. Click OK to continue. The values entered here must be identical to the values entered for the domain parameters (see Illustration 1.23).
   • Base DN: Must be equivalent to the User Directory Subtree.
   • UserId Attribute: The default is cn. Caution: If your external LDAP users are identified by uid, enter uid here.
   • Authentication Attribute: This attribute stores the names of the authentication services allowed for a user. A default value is provided. Caution: If you change the default value, remember also to update the SG schema files accordingly. Otherwise, you will get an error message when creating a user or a group with an authentication service defined.
   • Bind User ID: Must be identical to the previous Bind DN, appended with: ou=TopologyManagement,o=NetscapeRoot
   • Bind Password: Must be identical to the previous Bind Password.

ILLUSTRATION 1.26 LDAP Server Properties window, User Services tab

Defining a Domain

To define a domain:

The next step is to define a new domain.

1. In the User Manager User view, click All.
2. Right-click on "All" and select New > Domain from the contextual menu that appears.

ILLUSTRATION 1.27 User Manager

3. The Domain Properties window appears. Fill in the fields as follows:

ILLUSTRATION 1.28 Domain Properties window

   • Name: The name of the new domain. It must be identical to the domain name set in Illustration 1.11.
   • Default Domain: Select this check box if you want the new domain to be used as the default domain.
   • Comment: Additional information.

4. Bind the new domain to the external LDAP server you created. Select the server from the External LDAP Servers list box and click Add. The server is now bound to the new domain and appears in the list of Bound Servers on the right.
5. Click OK. The new external LDAP server will appear in the user directory of the StoneGate User Manager.

ILLUSTRATION 1.29 User Manager user directory

Creating a User

To create a new user:

1. In the User View, select the sub-tree group under which the new user is to be created.
2. Right-click and select New > User from the contextual menu that appears.

ILLUSTRATION 1.30 User Manager

3. The User Properties dialog box appears.
ILLUSTRATION 1.31 User Properties

4. Fill in the following fields:
   • Username: The name of the user. This is also the user's userid.
   • Comment: Descriptive text.
   • DN: Distinguished name; visible only after the user has been created and cannot be edited (view only).
   • Always Active: When this check box is selected, the user never expires.
   • Activation Date: The date from which onwards the new user will be active. If an activation date has been specified, you also have to specify either the expiration date, expiration after delay, or inherited expiration period.
   • Inherit Expiration Period: The user's expiration period is inherited from the group level.
   • Expiration After XX days: The number of days after which the user will become inactive, counted from the activation date.
   • Expiration Date: The date on which the user will become inactive.
   • Member of: Table listing all groups to which the user belongs. The domain to which the user belongs is displayed above the Member of table.
5. Next, open the Authentication tab and define the authentication services that are allowed for the user.

ILLUSTRATION 1.32 User Properties Authentication tab

6. Select an authentication service from the directory of services in the left panel and click Add.
7. The added service appears in the list of Bound Authentication Services in the right panel.
8. When you have made all the definitions, click OK.
9. The user that you created appears in the User Directory. The properties that you defined are stored in the external LDAP server.

ILLUSTRATION 1.33 User Manager

The External LDAP Server installation has now been completed.
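The sections above state several settings that must be identical on the Netscape side and in the StoneGate LDAP Server element and Domain (server name and port, administration domain name, User Directory Subtree and Base DN, the Console Bind DN with the TopologyManagement suffix, the bind password, and the authentication attribute versus the loaded schema). The following pre-flight check is an added example, not code from the guide or from Stonesoft; all sample values and the attribute name sgAuthenticationService are constructed assumptions.

```python
# Added example: consistency check of the "must be identical" settings between
# the Netscape Directory Server side and the StoneGate LDAP Server element /
# Domain, as described in the guide. Sample values below are constructed.

def normalize_dn(dn):
    """Canonicalise a DN: lower-case, no whitespace around ',' or '='."""
    parts = [p.strip() for p in dn.split(",") if p.strip()]
    return ",".join("=".join(t.strip() for t in p.split("=", 1)) for p in parts).lower()

def expected_bind_user_id(directory_admin_id):
    """Console Bind DN (uid=<admin>, ou=Administrators) appended with the
    ou=TopologyManagement,o=NetscapeRoot suffix the User Services tab requires."""
    return f"uid={directory_admin_id}, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"

def check_consistency(netscape, stonegate):
    """Return a list of mismatches; an empty list means the settings agree."""
    problems = []
    if netscape["server_identifier"] != stonegate["server_name"]:
        problems.append("server name differs from the Netscape Server Identifier")
    if netscape["ldap_port"] != stonegate["port"]:
        problems.append("port differs from the Netscape Directory Server port")
    if netscape["administration_domain"] != stonegate["domain_name"]:
        problems.append("domain name differs from the Netscape Administration Domain")
    if normalize_dn(netscape["user_directory_subtree"]) != normalize_dn(stonegate["base_dn"]):
        problems.append("Base DN is not equivalent to the User Directory Subtree")
    want = normalize_dn(expected_bind_user_id(netscape["directory_admin_id"]))
    if normalize_dn(stonegate["bind_user_id"]) != want:
        problems.append("Bind User ID is not Bind DN + ou=TopologyManagement,o=NetscapeRoot")
    if netscape["bind_password"] != stonegate["bind_password"]:
        problems.append("Bind Password differs from the Console bind password")
    if stonegate["authentication_attribute"] not in netscape["schema_attributes"]:
        problems.append("Authentication Attribute is not defined in the loaded SG schema")
    return problems

# Constructed sample settings (assumptions, not the guide's real values).
NETSCAPE = {
    "server_identifier": "miles", "ldap_port": 389,
    "administration_domain": "stonesoft",
    "user_directory_subtree": "o=stonesoft.com",
    "directory_admin_id": "admin", "bind_password": "s3cret",
    "schema_attributes": {"sgAuthenticationService"},  # hypothetical attribute name
}
STONEGATE_OK = {
    "server_name": "miles", "port": 389, "domain_name": "stonesoft",
    "base_dn": "o=stonesoft.com",
    "bind_user_id": "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot",
    "bind_password": "s3cret", "authentication_attribute": "sgAuthenticationService",
}
# Three deliberate mismatches: port, domain name case, unknown attribute.
STONEGATE_BAD = dict(STONEGATE_OK, port=636, domain_name="Stonesoft",
                     authentication_attribute="authService")

if __name__ == "__main__":
    for name, cfg in (("ok", STONEGATE_OK), ("bad", STONEGATE_BAD)):
        print(name, check_consistency(NETSCAPE, cfg) or "consistent")
```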
Rule Base Definitions Example

The following screenshot from the Security Policy Manager is a basic example showing how to set rules in order to make LDAP authentication active. In this example, firewall-initiated authentication has been used between the intranet and the external network (everything outside the internal network), and client-initiated authentication has been used from the external network to the intranet.

If the external LDAP server resides on a different network segment than the management server, meaning that LDAP traffic between the management server and the LDAP server has to cross the firewall, the security policy has to allow it. Therefore, as in this example, the first rule is mandatory to allow the management server to retrieve user information from the external LDAP server. If the LDAP traffic does not need to pass the firewall, the rule is not required.

Note: Specifying authentication parameters in a rule does not mean that a connection matching this rule is discarded if the authentication fails. In such a case, rule base matching continues in sequence.

ILLUSTRATION 1.34 Security Policy Manager, External LDAP Authentication Rule Base

Verifying that Authentication Works Correctly

To verify that client-initiated authentication works correctly:

If you do not have an authentication client (StoneGate VPN Client) installed, you have to use client-initiated authentication in your rule base (see the rule base above).

1. Double-click the Authentication cell of the related rule. The Authentication Parameters dialog box opens. Uncheck the Firewall-Initiated Authentication box, as shown in Illustration 1.35.

ILLUSTRATION 1.35 Authentication Parameters

2. From the remote host, make a Telnet connection to the StoneGate firewall CVI address using the StoneGate authentication port number 2543.
ILLUSTRATION 1.36 Creating a telnet connection

3. Enter the credentials in the following format:
   username@domainname (ENTER)
   password
   In this example we have used client@stonesoft, password

ILLUSTRATION 1.37 Access granted

4. After authentication is completed, a connection from the remote host is allowed. In this example, a Chargen session to a host in the intranet is established.

ILLUSTRATION 1.38 Chargen session allowed

To verify that firewall-initiated authentication works correctly:

You must have the StoneGate VPN Client installed and running.

1. Double-click the Authentication cell of the related rule. The Authentication Parameters dialog box opens. Select the Firewall-Initiated Authentication check box, as depicted in Illustration 1.39.

ILLUSTRATION 1.39 Authentication Parameters

2. Initiate a session to the remote host.

ILLUSTRATION 1.40 Creating a Telnet connection

3. The StoneGate VPN Client is activated and an Authentication Required prompt appears. Fill in the Username, Domain, and Password, and click Submit.

ILLUSTRATION 1.41 Authentication Required prompt

4. An Access granted message appears.

ILLUSTRATION 1.42 Authentication Finished

5. Once authentication is completed, a connection from the intranet host is allowed. In this example, a Chargen session to a remote host is established.

ILLUSTRATION 1.43 Chargen allowed

External LDAP Server setup has now been completed.
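The client-initiated check above (Telnet to the firewall CVI on port 2543, send username@domainname and then the password, expect "Access granted") can be scripted so it is repeatable after every policy change. The code below is an added example, not from the guide or from Stonesoft: the prompt and reply strings, the loopback mock firewall, and the sample password are constructed assumptions, so adjust EXPECTED_OK to the exact wording your firewall prints.

```python
# Added example: scripted version of the guide's Telnet verification of
# client-initiated authentication, with a constructed mock listener so it runs
# offline. Reply wording and the mock's credential table are assumptions.
import socket
import threading

AUTH_PORT = 2543                 # StoneGate authentication port named in the guide
EXPECTED_OK = b"Access granted"  # assumed success string (matches Illustration 1.37)

def authenticate(host, port, user, domain, password, timeout=5.0):
    """Perform the username@domain / password exchange; True only on success."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{user}@{domain}\r\n".encode())
        s.sendall(f"{password}\r\n".encode())
        reply = b""
        while EXPECTED_OK not in reply and b"denied" not in reply.lower():
            try:
                chunk = s.recv(256)
            except socket.timeout:
                break            # no decisive answer: treat as not authenticated
            if not chunk:
                break
            reply += chunk
    return EXPECTED_OK in reply

# --- constructed mock of the firewall's authentication listener (assumption) ---
MOCK_USERS = {("client", "stonesoft"): "examplepw"}  # user@domain from the guide, password constructed

def _serve_one(conn):
    with conn:
        f = conn.makefile("rb")
        ident = f.readline().decode().strip()     # username@domainname
        pwd = f.readline().decode().strip()       # password
        user, _, domain = ident.partition("@")
        ok = MOCK_USERS.get((user, domain)) == pwd
        conn.sendall(EXPECTED_OK + b"\r\n" if ok else b"Access denied\r\n")

def start_mock_firewall():
    """Listen on an ephemeral loopback port; return (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

if __name__ == "__main__":
    host, port = start_mock_firewall()  # against a real firewall: (cvi_address, AUTH_PORT)
    print("correct password:", authenticate(host, port, "client", "stonesoft", "examplepw"))
    print("wrong password:  ", authenticate(host, port, "client", "stonesoft", "wrong"))
```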