This topic describes how to configure an LDAP authentication server on Forefront Unified Access Gateway (UAG).
To configure an LDAP authentication server
- In the Forefront UAG Management console, on the Admin menu, click Authentication and Authorization Servers.
- On the Authentication and Authorization Servers dialog box, click Add.
- In the Server type list, click Netscape LDAP Server, and on the Add Authentication Server dialog box, configure the server settings.
- In Server name, enter the name of the server or repository. This name is used when you select the server or repository during the configuration of Forefront UAG. It is also displayed to end-users when they are prompted to select a server during authentication.
- In the Connection settings area, click Define, and then on the Servers dialog box, enter the Primary server and Secondary server settings:
  - IP address/host—IP address or host name of the Netscape LDAP server.
    If you select to use an HTTPS port by selecting the Connect to the server using SSL/TLS check box, you must define the domain controller by using the FQDN that is defined in the LDAP server certificate. The Active Directory FQDN of the domain controller appears in the server certificate in either the Common Name (CN) in the Subject field or the DNS entry in the Subject Alternative Name extension.
    For details, see How to enable LDAP over SSL with a third-party certification authority (http://go.microsoft.com/fwlink/?LinkId=153598).
  - Port—Port number of the Netscape LDAP server. If the port is an HTTPS port, select the Connect to the domain controller using SSL/TLS check box.
    Tip: If the authentication server uses a secure port, Forefront UAG uses a secure connection, even if you do not configure a secure port.
- In the Search settings area, select how to search for the groups and users that are used for authentication and authorization, as follows:
  - Next to the Base DN list, click Browse (...), and on the Search Root (Base DN) dialog box, select the search root under which to search for groups and users. You can select the search root in two ways:
    - From the drop-down list, select one of the search roots.
    - In Base DN, enter a custom value for the search root.
  - Level of nested groups—Defines whether to search for the user in additional groups to which the user belongs, and the number of nested groups in which to search:
    - Using the default value, which is 0, the search includes only the groups to which the user belongs directly. For example, if the user John is a member of group QA, the search includes the group QA, but not any of the groups to which QA belongs.
    - If you enter a value other than 0 in this field, it defines the number of nested groups included in the search. In the above example, if you enter 1, and QA is a member of the R&D group, the search includes both the QA group and the R&D group.
    - If you leave this field empty, the number of nested groups is unlimited. The search includes all the groups to which the user belongs, both directly and indirectly.
- In the Server access area, enter credentials to access the Netscape LDAP server and perform Server Access functions, such as retrieving the users/groups lists, retrieving user information, and changing passwords, as follows:
  - User—Enter a user name that is used to access the Netscape LDAP server. The user you assign here must have read permissions (or higher) on this server.
  - Password—Enter the password of the user you define in User.
- On the Add Authentication Server dialog box, click OK, and then on the Authentication and Authorization Servers dialog box, click Close.
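The Level of nested groups semantics from the Search settings step (0 means direct groups only, a value N adds N further levels of parent groups, an empty field means unlimited) worked through as an added Python example; it is not part of this topic or of Forefront UAG. The group membership data is constructed, and the breadth-first walk with a cycle guard is an assumption about how such a search behaves, not UAG's own implementation.

```python
from typing import Dict, Optional, Set

# Constructed sample directory (not real data): group -> its direct members,
# which may be users or other groups. Mirrors the topic's example: John is a
# direct member of QA, and QA is itself a member of R&D. Staff and Everyone
# contain each other, so an unbounded walk must guard against cycles.
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    "QA": {"John", "Alice"},
    "R&D": {"QA", "Bob"},
    "Engineering": {"R&D"},
    "Staff": {"Engineering", "Everyone"},
    "Everyone": {"Staff"},
}


def direct_groups_of(member: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Return the groups that list `member` directly (one level of membership)."""
    return {name for name, members in groups.items() if member in members}


def groups_for_user(user: str, groups: Dict[str, Set[str]],
                    nesting_level: Optional[int] = 0) -> Set[str]:
    """Resolve a user's groups as the Level of nested groups field is described:

    nesting_level == 0     -> direct groups only (the default)
    nesting_level == N > 0 -> direct groups plus N further levels of parent groups
    nesting_level is None  -> field left empty: unlimited, every direct or indirect group
    """
    if nesting_level is not None and nesting_level < 0:
        raise ValueError("nesting level must be 0 or greater")
    found: Set[str] = set()
    frontier = direct_groups_of(user, groups)   # level 0: groups holding the user directly
    level = 0
    while frontier:
        found |= frontier
        if nesting_level is not None and level >= nesting_level:
            break                                # reached the configured depth
        # Parents of everything found at this level; groups already seen are
        # dropped so a membership cycle cannot loop forever in unlimited mode.
        frontier = {p for g in frontier for p in direct_groups_of(g, groups)} - found
        level += 1
    return found


if __name__ == "__main__":
    for depth in (0, 1, 2, None):
        print(depth, sorted(groups_for_user("John", SAMPLE_GROUPS, depth)))
```

Because the unlimited setting walks every parent group, the set a user resolves to (and hence the authorization decisions made on it) grows with the directory, which is worth checking against the policy you expect before leaving the field empty.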