LDAP Authentication for SonicWALL VPN Setup

authenticationldapsonicwallvpn

I'm trying to configure my SonicWALL to allow LDAP authentication for VPN users. I've done this before with another device, and I remember it being pretty simple. But I can't get it to work this time for the life of me.

When I enable "LDAP + Local Users" mode, enter the LDAP server information and AD group names, I constantly get either "LDAP authentication failed" or "Credentials not valid at LDAP server" errors. I've tried all different permutations of settings that make sense to me, with the same results. SonicWALL support is absolutely no help so far. I've followed their manual's instructions to a T, with no solution.

Has anyone here had this same situation? I feel like I'm missing a setting somewhere…

Best Answer

It may be small comfort, but it’s working for us. The server is Windows Server 2003 R2 and the SonicWALL has SonicOS Enhanced 4.2.0.1-12e.

Here are the settings:

Authentication method for login: LDAP + Local Users
LDAP Server tab:
- Chose “Give bind distinguished name”
- Bind distinguished name: sonicwall_ldap@OURDOMAIN.local (a user we created to allow the SonicWALL to read LDAP)
- Use TLS (SSL) checked
  - Send LDAP ‘Start TLS’ request: checked
  - Require valid certificate from server: unchecked (we use a self-signed cert)
  - Local certificate for TLS: None
Did not configure RADIUS as a fallback.

Now, before your logins will work you have to go to the Directory tab and click “Auto-configure.” If auto-configure fails, make sure the SonicWALL’s LDAP username and password (e.g. sonicwall_ldap@OURDOMAIN.local) is correct.

After doing auto-configure make sure “Trees containing user groups:” includes the section of your AD tree that has the users who will be logging in. Once you do that, on the “Test” tab you should be able to test with:

User: username (Note:**AD domain name should **not be included in the username because the SonicWALL will search the user contexts that were specified on the Directory tab).
Password: (their password)

Related Solutions

Ldap – How to move SharePoint authentication from AD to LDAP without breaking user profiles

In general, you are going to need the stsadm migrateuser command.

I think for the mysites, you are also going to need to update the owner of the site using the stsadm siteowner command.

The mysites could get weird depending on how you have them setup. If the sites are just /personal/username, (and the username is the same from AD to LDAP) then you should be OK. If they are /personal/domain_username (or the username changes from AD to LDAP) then you may also need to actually change the url of each users mysite. This would get messy because there is no built in command to do it - the only option would be to backup each site and restore to a new site collection with the new username.

PS - I've never done this, I'm just theorizing based on available commands in SharePoint...

Ubuntu – LDAP System Authentication in Ubuntu

Can you ping/access the ldap server from the client ? What about the other way around ?

You'll also want to make sure that ports 389 (ldap) or 636 (ldapSSL) are opened. A tool like nmap (apt-get install nmap):

nmap <IP address> -p389 or
nmap <IP address> -p636

Will usually let you know if your ports are closed, filtered or opened.

Best Answer

Related Solutions

Ldap – How to move SharePoint authentication from AD to LDAP without breaking user profiles

Ubuntu – LDAP System Authentication in Ubuntu

Related Topic