Lightweight Directory Access Protocol (LDAP) is an Internet protocol for querying and modifying directory services. An LDAP authentication server stores information about users, including authentication data such as user properties and authentication scripts, in special-purpose databases called directories. When a connection request arrives at Forefront Unified Access Gateway (UAG), the user name and password are authenticated against the LDAP directory.
Forefront UAG implements the following LDAP authentication schemes:
- Netscape Directory Server (version 4.1)
- Notes Directory Server
- Novell Directory Server
- Active Directory Lightweight Directory Services (AD LDS) for Windows Server 2008, and Active Directory directory service for Windows Server 2003 or Windows 2000 Server
The supported LDAP authentication schemes are capable of the following:
- Operating with two LDAP authentication servers. If the primary LDAP server fails, Forefront UAG accesses the alternate LDAP server.
- Supporting a secure port. If the authentication server uses a secure port, Forefront UAG uses a secure connection to it, even if a secure connection was not configured when the scheme was defined.
- In the Novell Directory Server, unique users do not need to enter their context when entering the user name. A unique user appears in only one context in the tree, or, if a Base is defined, in only one context under the Base.
LDAP authentication flow
The following figure illustrates the authentication process for users when the LDAP authentication scheme is implemented with one authentication server.
Note: The flow allows for three login attempts, after which login failure is final. The number of login attempts users are allowed is configurable.
LDAP Authentication Flow
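The following is an added example, not Forefront UAG code, that models the behaviour described in the capability list and in the note above: failover from a primary to an alternate LDAP server, treating a scheme defined on the LDAPS port as secure, resolving a user name without a context when it is unique under the configured Base, and a configurable login-attempt limit. The in-memory directory, server names and the `FakeLdapServer`, `LdapAuthenticator` classes are constructed for the demonstration; a real deployment would bind against the directory over the network. The attempt counter here is kept per user name as a simplification of the per-session limit that the note describes.

```python
"""Illustrative LDAP authentication flow: failover, secure-port detection,
unique-user lookup under a Base, and a configurable login-attempt limit.

Added example, not Forefront UAG code. The directory contents, host names
and classes below are constructed for the demonstration."""
from __future__ import annotations
from dataclasses import dataclass


class ServerUnavailable(Exception):
    """Raised when an LDAP server cannot be reached (simulated here)."""


@dataclass
class FakeLdapServer:
    host: str
    port: int
    entries: dict           # constructed directory: DN -> password
    reachable: bool = True

    @property
    def secure(self) -> bool:
        # A scheme pointing at the LDAPS port (636) is treated as secure
        # regardless of how the scheme was originally defined.
        return self.port == 636

    def search(self, base: str, rdn: str) -> list[str]:
        """Return DNs whose leading RDN matches and that sit under base."""
        if not self.reachable:
            raise ServerUnavailable(self.host)
        return [dn for dn in self.entries
                if dn.lower().split(",")[0] == rdn.lower()
                and dn.lower().endswith(base.lower())]

    def bind(self, dn: str, password: str) -> bool:
        """Simulated simple bind: succeeds only if DN and password match."""
        if not self.reachable:
            raise ServerUnavailable(self.host)
        return self.entries.get(dn) == password


class LdapAuthenticator:
    def __init__(self, primary: FakeLdapServer, alternate: FakeLdapServer | None = None,
                 base: str = "", max_attempts: int = 3):
        self.servers = [s for s in (primary, alternate) if s is not None]
        self.base = base
        self.max_attempts = max_attempts
        self.failed: dict[str, int] = {}   # user name -> consecutive failures

    def _server(self) -> FakeLdapServer:
        # Failover: use the primary if reachable, otherwise the alternate.
        for s in self.servers:
            if s.reachable:
                return s
        raise ServerUnavailable("no LDAP server reachable")

    def resolve_dn(self, user: str, server: FakeLdapServer) -> str | None:
        """Map a login name to a DN. A name with an explicit context
        (e.g. cn=bob,ou=eng,o=corp) is used as-is; a bare name must be
        unique under the Base, otherwise the user has to supply a context."""
        if "=" in user:
            return user
        matches = server.search(self.base, f"cn={user}")
        if len(matches) != 1:
            return None          # unknown, or ambiguous under the Base
        return matches[0]

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied', or 'locked' once the attempt limit is hit."""
        if self.failed.get(user, 0) >= self.max_attempts:
            return "locked"
        server = self._server()
        dn = self.resolve_dn(user, server)
        if dn is not None and server.bind(dn, password):
            self.failed[user] = 0
            return "ok"
        self.failed[user] = self.failed.get(user, 0) + 1
        return "denied"


if __name__ == "__main__":
    # Constructed directory with one ambiguous user (bob in two contexts).
    directory = {"cn=alice,ou=sales,o=corp": "s3cret",
                 "cn=bob,ou=sales,o=corp": "pw",
                 "cn=bob,ou=eng,o=corp": "pw2"}
    primary = FakeLdapServer("ldap1.example", 636, directory, reachable=False)
    alternate = FakeLdapServer("ldap2.example", 389, directory)
    auth = LdapAuthenticator(primary, alternate, base="o=corp", max_attempts=3)
    print(auth.login("alice", "s3cret"))               # failover to alternate
    print(auth.login("bob", "pw"))                      # ambiguous without context
    print(auth.login("cn=bob,ou=eng,o=corp", "pw2"))    # explicit context
```

Running the block shows the three outcomes the text describes: alice authenticates through the alternate server because the primary is down, bob is refused without a context because he appears in two contexts under the Base, and the same bob succeeds once the full DN is supplied. Narrowing the Base to `ou=sales,o=corp` makes bob unique again, so the bare name works.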