HOW-TO GUIDELINES
Setting up an External LDAP Server
Version 1.6
HWTO1SG1.6 - 5/3/02
Stonesoft Corp. Itälahdenkatu 22A, FIN-00210 Helsinki Finland
Tel. +358 (9) 4767 11 Fax. +358 (9) 4767 1234 email: [email protected]
Copyright © 2002 Stonesoft Corp. All rights reserved.
All trademarks or registered trademarks are property of their respective owners.
Introduction
The StoneGate user management system provides an integrated database, but the software
also supports the use of a company's existing directory servers. If the company has an
existing LDAP directory in place, StoneGate uses an LDAP client as part of the
management system to query the corporate directory for user information. In
StoneGate, the LDAP directory serves as the repository for all authentication decisions.
The LDAP server can authenticate the user, or a third-party authentication service can
be specified. If you want to use an existing corporate LDAP directory instead of the
embedded StoneGate database, you must first configure an external LDAP server and then
define that server in the StoneGate GUI. You must also add certain StoneGate-specific
attributes to the LDAP user information.
Network Configuration Example
This document explains how to configure an external Netscape Directory server and
illustrates the setup process with the following case study. The figure below depicts an
example network configuration.
FIGURE 1.1 Case study (network diagram: Management Server 192.168.20.101 and Log Server
192.168.20.102 on the internal network behind FW CVI 192.168.20.1; Netscape LDAP Server
Miles 10.2.4.235 behind CVI 10.2.4.1; external CVI 212.20.1.1 and router 212.20.1.254;
VPN Client 193.105.53.142 reached via 193.105.53.130)
Setup Requirements
This setup was established with the following components:
• StoneGate v. 1.6
• Netscape v. 6
• Microsoft Windows 2000 platform
• Netscape Server Family 4.1 setup program
LDAP Server Installation
Setup Options
There are two different setup options:
• No external LDAP installed
An external LDAP server is optional; you can also use the internal LDAP database. If you
want to use an external LDAP server, follow the steps below and then add the users in LDAP.
• Existing LDAP user base
Skip the external LDAP server setup and continue from “Launching the Netscape
Console” below.
Setting Up an External LDAP Server
To set up an external LDAP server:
1. Start the setup process by downloading the Netscape Directory Server from the
Netscape home site and running the .exe file.
2. The Netscape Server Family 4.1 setup Welcome screen opens. Click Next to continue.
ILLUSTRATION 1.1 Netscape Server Family 4.1 setup welcome screen
3. The Software License Agreement screen opens. If you accept the license agreement,
click Yes to continue.
ILLUSTRATION 1.2 Software License Agreement
4. The Select Server or Console Installation screen opens. Select the Netscape Servers or the
Netscape Console radio button depending on whether you want to install a new server
or use an existing LDAP server, and click Next to continue.
ILLUSTRATION 1.3 Select Server or Console Installation
5. The Select Installation Type screen opens. Select the setup type you prefer and click
Next to continue.
ILLUSTRATION 1.4 Select Installation Type
6. The Choose Installation Directory screen opens. Select the correct directory and click
Next to continue.
ILLUSTRATION 1.5 Choose Installation Directory
7. The Select Products screen opens. Select the products you want to install and
click Next to continue.
ILLUSTRATION 1.6 Select Products
8. The Directory Server 4.1 screen opens. Select the option depending on whether you
want to create a new directory server or use an existing one. Click Next to continue.
ILLUSTRATION 1.7 Directory Server 4.1
9. A new Directory Server 4.1 screen opens. Select the directory server that you want
to use and click Next to continue.
ILLUSTRATION 1.8 Directory Server 4.1
10. The Directory Server 4.1 Server Settings screen opens. In the Server Identifier field, enter
the name that will be used as the LDAP server name in the StoneGate GUI. The
name you enter in the Suffix field will be taken as the default value for the User
Directory Subtree field in the Console domain properties tab (see Illustration 1.23).
Click Next to continue.
ILLUSTRATION 1.9 Directory Server 4.1 Server Settings
11. The Directory Server 4.1 Netscape configuration directory server administrator screen
opens. Define the configuration directory server administrator ID and password.
Click Next to continue.
ILLUSTRATION 1.10 Directory Server 4.1 Netscape configuration directory server administrator
12. The Directory Server 4.1 Administration Domain screen opens. The name specified for
the domain must be identical to the domain name given later in the management
GUI. Click Next to continue.
ILLUSTRATION 1.11 Directory Server 4.1 Administration Domain
13. The Directory Server 4.1 Directory Manager settings screen opens. Define the
Directory Manager settings here. Pay attention to the Directory Manager DN syntax.
ILLUSTRATION 1.12 Directory Server 4.1 Directory Manager Settings
14. The Administration Server Port Selection screen opens. A random value is proposed for
the administration port. Update it if necessary using the up and down arrows. Click
Next to continue.
ILLUSTRATION 1.13 Administration Server Port Selection
15. The Configuration Summary screen opens. If you are satisfied with the settings, click
Next to begin copying files.
ILLUSTRATION 1.14 Configuration Summary
16. The Setup Complete screen opens. Select the Restart my computer now radio button
and click Finish.
ILLUSTRATION 1.15 Setup Complete
17. After restarting the computer, you must stop the Administration Server and the
Directory Server services from the Windows Services panel.
ILLUSTRATION 1.16 Services stopped
Updating the LDAP schema for StoneGate
To update the LDAP schema:
1. The LDAP server has now been installed. Next, you need to copy the correct
StoneGate schema file to the configuration directory of the LDAP server. Select:
• sg-schema.conf for LDAP server v2 or older, and for Netscape
• sg-v3.schema for LDAP server v3
Copy the file from the StoneGate management server ($SGDIR\samples\ldap) to where
the LDAP schemas are stored. In Netscape, the schema should be stored in the same
directory as the file slapd.conf. Illustration 1.17 depicts the source
directory location and Illustration 1.18 the destination directory location.
ILLUSTRATION 1.17 File location
ILLUSTRATION 1.18 File destination
2. Next, edit the ns-schema.conf file. Add an include statement for the StoneGate
schema file you just copied:
ILLUSTRATION 1.19 Editing ns-schema file
3. After the schema update, restart the Administration Server and the Directory Server
from the Windows Services panel.
ILLUSTRATION 1.20 Restarting services
Caution: The authentication attribute, defined in the User Services tab of the LDAP Server
Properties window, and the definitions in the schema files have to match. Otherwise, an
error message will appear when creating users or groups with an authentication service
defined.
When updating the schema files, you should already know which authentication
attribute you are going to use (it is defined in StoneGate after the schema files have
been updated).
Launching the Netscape Console
To launch the Netscape Console:
1. Launch the Netscape Console from Start>Programs>Netscape Server
Products>Netscape Console. The Netscape Console dialog box opens on the screen. Fill
in your user name, password, and the URL of the administration server you want to
access. Click OK to continue. The user name and password you use to log in
determine which servers and server operations you can access in Netscape Console.
For more information about using the Netscape Console, click the Help button.
ILLUSTRATION 1.21 Netscape Console
2. The Netscape Console 4.1 Console tab opens. When you are starting the console for
the first time, complete the domain settings by clicking the Edit button.
ILLUSTRATION 1.22 Console tab
3. The Console tab opens with a domain parameters panel on the right.
In the Bind DN field, fill in the following:
uid=<Directory Administrator Id>, ou=Administrators
Note that you entered the <Directory Administrator Id> and the Bind
Password at step 11 (see Illustration 1.10). Click OK to validate the updates.
ILLUSTRATION 1.23 Netscape Console 4.1 Console tab, domain parameters
Caution: Before creating any users, ensure that the external LDAP server is properly installed.
All users and groups used in StoneGate should be created through StoneGate, not
through Netscape. If created in Netscape, their attribute values will not function
correctly.
Note:
If you need to change the IP address of the LDAP server after the installation, stop the
services first, then edit the line “configuration.nsserveraddress” in the file
\netscape\server4\admin-serv\config\local.conf.
StoneGate Definitions
Once you have defined the attributes and objects, you must link the external LDAP
server settings defined in the Netscape Directory Server to StoneGate.
Creating a New LDAP Server Element
To create a new LDAP server element:
1. Start in the StoneGate GUI by creating a new LDAP server element. Open the User
Manager and click the New LDAP Server icon in the toolbar.
ILLUSTRATION 1.24 User Manager
2. In the General tab of the LDAP Server Properties window, define the necessary settings.
Note that the server name and port number must be identical to those you defined in
the Netscape Directory Server settings (see Illustration 1.9).
ILLUSTRATION 1.25 LDAP Server Properties window General tab
3. Click the User Services tab and make the necessary definitions. In the Bind Password
field, make sure to enter the same password as defined in the Netscape Console 4.1
Console tab. Click OK to continue.
The values entered here must be identical to the values entered for the domain
parameters (see Illustration 1.23).
• Base DN: Must be equivalent to User Directory Subtree.
• UserId Attribute: The default is cn.
Caution: If your external LDAP users are identified by uid, enter here uid.
• Authentication Attribute: This is an attribute storing the name of the
authentication services allowed for a user. A default value is provided.
Caution: If you change the default value, remember also to update the SG schema files
accordingly. Otherwise, you will get an error message when creating a user or a group
with an authentication service defined.
• Bind User ID: Must be identical to the previous Bind DN, appended
with: ou=TopologyManagement,o=NetscapeRoot
• Bind Password: Must be identical to the previous Bind Password.
ILLUSTRATION 1.26 LDAP Server Properties window, User Services tab
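Several values in this procedure must be identical on the Netscape side and the StoneGate side (server name and port, administration domain, Base DN versus User Directory Subtree, the Bind DN plus its topology suffix, the Bind Password, and the authentication attribute versus the schema file). The following checker, added here as an example and not part of the Stonesoft guide, encodes those constraints; the dictionary keys, the sample values and the placeholder password and attribute name are constructed:

```python
# Added example, not part of the Stonesoft how-to: cross-checks the settings the guide
# says must be identical between the Netscape Console domain parameters and the
# StoneGate LDAP Server Properties. Dictionary keys and sample values are constructed.

ADMIN_SUFFIX = "ou=TopologyManagement,o=NetscapeRoot"

def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its components.
    RDN order is significant, so the components are not sorted."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def console_bind_dn(admin_id):
    """Bind DN entered in the Netscape Console domain parameters (step 3)."""
    return "uid=%s,ou=Administrators" % admin_id

def stonegate_bind_user_id(console_dn):
    """Bind User ID for the StoneGate User Services tab: the console Bind DN
    with the topology suffix appended."""
    return "%s,%s" % (console_dn, ADMIN_SUFFIX)

def check_binding(netscape, stonegate):
    """Return mismatch descriptions; an empty list means the two sides agree
    on every value the guide requires to be identical."""
    pairs = [
        ("Server name", netscape["server_identifier"], stonegate["server_name"]),
        ("Port", netscape["port"], stonegate["port"]),
        ("Domain name", netscape["admin_domain"], stonegate["domain_name"]),
        ("Base DN", normalize_dn(netscape["suffix"]), normalize_dn(stonegate["base_dn"])),
        ("Bind User ID", normalize_dn(stonegate_bind_user_id(netscape["bind_dn"])),
         normalize_dn(stonegate["bind_user_id"])),
        ("Bind Password", netscape["bind_password"], stonegate["bind_password"]),
        # The authentication attribute must also match the sg-* schema file that
        # was included into ns-schema.conf, or creating users with a service fails.
        ("Authentication attribute", stonegate["auth_attribute"],
         stonegate["schema_auth_attribute"]),
    ]
    return ["%s mismatch: %r != %r" % (label, a, b) for label, a, b in pairs if a != b]

# Constructed sample values loosely following the guide's case study (host Miles,
# domain "stonesoft"); the password and attribute name are placeholders.
NETSCAPE = {
    "server_identifier": "miles", "port": 389, "admin_domain": "stonesoft",
    "suffix": "o=stonesoft.com", "bind_dn": console_bind_dn("admin"),
    "bind_password": "<bind-password>",
}
STONEGATE = {
    "server_name": "miles", "port": 389, "domain_name": "stonesoft",
    "base_dn": "o=stonesoft.com",
    "bind_user_id": "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot",
    "bind_password": "<bind-password>",
    "auth_attribute": "<auth-attribute>", "schema_auth_attribute": "<auth-attribute>",
}

if __name__ == "__main__":
    for line in check_binding(NETSCAPE, STONEGATE) or ["all bound values match"]:
        print(line)
```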
Defining a Domain
To define a domain:
1. The next step is to define a new domain. In the User Manager User view, click All.
2. Right-click on “All” and select New>Domain from the contextual menu that appears.
ILLUSTRATION 1.27 User Manager
3. The Domain Properties window appears on the screen. Fill in the fields as follows:
ILLUSTRATION 1.28 Domain Properties window
• Name: The name of the new domain. It must be identical to the
domain name set in Illustration 1.11.
• Default Domain: Select this check box if you want the new domain
to be used as the default domain.
• Comment: Additional information
4. Bind the new domain to the external LDAP server you created. Select the server from the
External LDAP Servers list box and click Add.
5. The server is now bound to the new domain and appears in the list of Bound
Servers on the right. Click OK.
The new external LDAP server will appear in the user directory of the StoneGate User
Manager.
ILLUSTRATION 1.29 User Manager user directory
Creating a User
To create a new user:
1. In the User View, select the sub-tree group under which the new user is to be created.
2. Right-click with the mouse and select New>User from the contextual menu that
appears.
ILLUSTRATION 1.30 User Manager
3. The User Properties dialog box appears on the screen.
ILLUSTRATION 1.31 User Properties
4. Fill in the following fields:
• Username: The name of the user. This is also the user’s userid.
• Comment: Descriptive text
• DN: Distinguished name; visible only after the user has been created
and cannot be edited (view only).
• Always Active: When this check box has been selected, the user never
expires.
• Activation Date: The date from which onwards the new user will be
active. If an activation date has been specified, you also have to specify
either the expiration date, expiration after delay, or inherited expiration
period.
• Inherit Expiration Period: The user’s expiration period is inherited
from group level.
• Expiration After XX days: The number of days after which the user
will become inactive, counted from the activation date.
• Expiration Date: The date on which the user will become inactive.
• Member of: Table presenting a list of all groups to which the user
belongs.
• The domain to which the user belongs is displayed above the
Member of: table.
5. Next, open the Authentication tab and define the authentication services that are
allowed for the user.
ILLUSTRATION 1.32 User Properties Authentication tab
6. Select an authentication service from the directory of services in the left panel and
click Add.
7. The added service will appear in the list of Bound Authentication Services in the right
panel.
8. When you have made all the definitions, click OK.
9. The user that you created will appear in the User Directory. The properties that you
defined are stored in the external LDAP server.
ILLUSTRATION 1.33 User Manager
The External LDAP Server installation has now been completed.
Rule Base Definitions
Example
The following screenshot from the Security Policy Manager is a basic example showing
how to set rules in order to make LDAP authentication active. In this example, firewall-initiated
authentication has been used between the intranet and the external network
(everything outside the internal network), and client-initiated authentication has been
used from the external network to the intranet.
If the external LDAP server resides on a different network segment than the
management server, meaning that LDAP traffic between the management server and
the LDAP server has to cross the firewall, the security policy has to allow it. Therefore,
as in this example, the first rule is mandatory to allow the management server to retrieve
user information from the external LDAP server. If the LDAP traffic does not need to
pass the firewall, the rule is not required.
Note:
Specifying authentication parameters in a rule does not mean that a connection
matching this rule is discarded if the authentication fails. In such a case the rule base
matching continues in sequence.
ILLUSTRATION 1.34 Security Policy Manager, External LDAP Authentication Rule Base
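The Note above has a consequence worth seeing concretely: because a failed authentication only moves matching on to the next rule, a later, broader rule that matches the same traffic will allow the unauthenticated connection. This small first-match simulation is an added example, not part of the Stonesoft guide; the zone names, hosts and rules are constructed from the case study (the mandatory management-server-to-LDAP rule first, then the authenticating rules):

```python
# Added example, not part of the Stonesoft how-to: a minimal first-match simulation of
# the rule base described above. It shows that a connection whose authentication fails
# is not discarded by the authenticating rule; matching continues with the next rule,
# so a later, broader rule can still allow it. Zones, hosts and rules are constructed.
from ipaddress import ip_address, ip_network

NETWORKS = {"Internal": ip_network("192.168.20.0/24"), "LdapSegment": ip_network("10.2.4.0/24")}
HOSTS = {"MgmtServer": "192.168.20.101", "LdapServer": "10.2.4.235"}

def in_zone(ip, zone):
    """True if ip belongs to the named host or network. "External" means any
    address outside every listed network, as the guide defines it."""
    if zone in HOSTS:
        return ip == HOSTS[zone]
    if zone == "External":
        return not any(ip_address(ip) in net for net in NETWORKS.values())
    return ip_address(ip) in NETWORKS[zone]

def evaluate(rules, conn, authenticated):
    """Return (action, index) of the first rule that matches conn and whose
    authentication requirement is met, or ("discard", None) if none does."""
    for idx, rule in enumerate(rules):
        matches = (in_zone(conn["src"], rule["src"]) and in_zone(conn["dst"], rule["dst"])
                   and conn["service"] in rule["services"])
        if not matches:
            continue
        if rule.get("auth") and not authenticated:
            continue  # failed authentication: skip this rule and keep matching (no discard)
        return rule["action"], idx
    return "discard", None

# Rule 0 lets the management server reach the LDAP server across the firewall;
# rules 1-2 require authentication as in the guide's example. Rule 3 is a deliberate
# misconfiguration: it matches the same traffic as rule 2 without authentication.
RULES = [
    {"src": "MgmtServer", "dst": "LdapServer", "services": {"ldap"}, "action": "allow"},
    {"src": "Internal", "dst": "External", "services": {"telnet", "chargen"},
     "action": "allow", "auth": True},
    {"src": "External", "dst": "Internal", "services": {"chargen"},
     "action": "allow", "auth": True},
    {"src": "External", "dst": "Internal", "services": {"chargen"}, "action": "allow"},
]
INBOUND = {"src": "193.105.53.142", "dst": "192.168.20.102", "service": "chargen"}
LDAP_LOOKUP = {"src": "192.168.20.101", "dst": "10.2.4.235", "service": "ldap"}

if __name__ == "__main__":
    print("LDAP lookup:", evaluate(RULES, LDAP_LOOKUP, authenticated=False))
    print("authenticated inbound:", evaluate(RULES, INBOUND, authenticated=True))
    print("unauthenticated, with rule 3:", evaluate(RULES, INBOUND, authenticated=False))
    print("unauthenticated, rules 0-2 only:", evaluate(RULES[:3], INBOUND, authenticated=False))
```

With rule 3 present the unauthenticated inbound connection is allowed by rule 3; with only rules 0-2 it falls off the end of the rule base and is discarded.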
Verifying that Authentication Works Correctly
To verify that client-initiated authentication works correctly:
If you do not have an authentication client installed (StoneGate VPN Client), you have
to use client-initiated authentication in your rule base (please see the rule base above).
1. Double-click in the Authentication cell of the related rule. The Authentication
Parameters dialog box opens. Uncheck the Firewall-Initiated Authentication box, as
shown in Illustration 1.35.
ILLUSTRATION 1.35 Authentication Parameters
2. Make a Telnet connection from the remote host to the StoneGate firewall CVI address
using the StoneGate authentication port number 2543.
ILLUSTRATION 1.36 Creating a telnet connection
3. Enter the credentials in the following format:
username@domainname (ENTER)
password
In this example we have used client@stonesoft, password
ILLUSTRATION 1.37 Access granted
4. After authentication is completed, a connection from the remote host is allowed. In
this example, a Chargen session to a host in the intranet is established.
ILLUSTRATION 1.38 Chargen session allowed
To verify that firewall-initiated authentication works correctly:
You have to have the StoneGate VPN Client installed and running.
1. Double-click in the Authentication cell of the related rule. The Authentication
Parameters dialog box opens. Select the Firewall-Initiated Authentication check box, as
depicted in Illustration 1.39.
ILLUSTRATION 1.39 Authentication Parameters
2. Initiate a session to the remote host.
ILLUSTRATION 1.40 Creating a Telnet connection
3. The StoneGate VPN Client is activated and an Authentication Required prompt appears on
the screen. Fill in the Username, Domain, and Password, and click Submit.
ILLUSTRATION 1.41 Authentication Required prompt
4. An Access granted message appears on the screen.
ILLUSTRATION 1.42 Authentication Finished
5. Once authentication is completed, a connection from the intranet host is allowed. In
this example, a Chargen session to a remote host is established.
ILLUSTRATION 1.43 Chargen allowed
External LDAP Server setup has now been completed.