
Configuring LDAP/LDAPS authentication of gateway users

The Blue Cedar Connect Gateway can authenticate users against an LDAP or LDAPS server. For a full description of the attributes your directory exposes, see your LDAP server documentation. 

To configure an LDAP server for the gateway to authenticate its users:

  • Set the auth-provider type as ldap. 
  • Set the name of the provider and the URL of the LDAP server.
  • Set the search base (base-dn).
  • Set the account and password to authenticate (bind) to the LDAP directory.
BASH
% set aaa auth-provider ldap name_of_server server-url url

You can specify other LDAP attributes, too.

ldap name_of_server

Required. Text string identifying the LDAP server.

server-url url

Required. URL for the LDAP server. The protocol can be either ldap or ldaps (LDAP over SSL/TLS). 

If the URL starts with ldaps, the gateway validates the LDAP server's identity certificate. This certificate must be signed by a trusted certificate, and that trusted certificate must be configured on the gateway. See Configuring AAA Public Key Infrastructure for information about configuring the trusted certificate.

For LDAPS, the host in the URL must match the CN or a SAN entry in the server identity certificate, or verification fails.

server-type type

LDAP server type. Values:

  • active-directory: an Active Directory LDAP server
  • generic: any other LDAP server

backup-server search_order

Use with server-url to specify URLs for backup LDAP servers, tried in search_order when the primary server-url is unreachable. For example:

BASH
% set aaa auth-provider ldap servername1 server-url primary-url 
% set aaa auth-provider ldap servername1 backup-server 1 server-url backup-url 

base-dn base_attributes

Required. The distinguished name (DN) used as the base for user searches, written as a comma-delimited list of relative distinguished name components (dc is the domain component attribute).

Example: "dc=example,dc=com"

bind-dn string

Required. The distinguished name of the account the gateway uses to bind to the LDAP directory. Use a dedicated service account with only the read access the gateway needs under base-dn rather than a directory administrator.

Example: "cn=ldap_admin,ou=users,dc=DomainName,dc=com"

bind-password string

Required. Password for the bind-dn account.

verify-server-cert boolean

If using LDAPS (LDAP over SSL/TLS):

  • true: verify the server certificate against the trusted certificate configured on the gateway.
  • false: don't verify the server certificate. This accepts any certificate, including one presented by a host impersonating the directory server, so use it only for troubleshooting in a test environment.

referrals boolean

  • true: follow LDAP referrals to other servers (continuation references to servers that hold part of the directory tree).
  • false: don't follow LDAP referrals to other servers. (Default.)

email-attr ldap-mail

LDAP attribute from which to retrieve the user's email address during LDAP authentication.

Default: mail, which is suitable for most deployments.

Required to use enroll-pin with LDAP authentication; otherwise optional.

upn-attr attribute

Optional. LDAP attribute from which to retrieve the User Principal Name (UPN). Can be used to include custom LDAP attributes in certificate enrollment request templates and post-authentication policy rules.

custom-attr attribute

Add a custom named attribute to established tunnel sessions. Possible values:

  • Basic LDAP attribute (for example, "cn")
  • Blue Cedar supported LDAP attribute:
    • USERNAME
    • DEVICE_ID
    • FEDERATION_ID
    • APPLICATION_ID
    • AUTH_PROVIDER_GROUP
    • USERNAME_FROM_CERT
    • DEVICE_ID_FROM_CERT
    • FEDERATION_ID_FROM_CERT
    • AUTH_GROUP
    • EMAIL
    • UPN
    • LOCALE
    • INJECTABLE_VERSION
    • ANDROID_SECURITY_PATCH_VERSION
    • APP_VERSION
    • OS_VERSION
    • OS_TYPE

After naming the attribute, specify whether its value is basic or substitution, and then specify the value:

  • basic value string: the name of a single LDAP attribute whose value is copied into the session attribute.
  • substitution value string: an expression in which every LDAP attribute name preceded by $ is replaced by that attribute's value. For example: "MySubstitution=/home/$cn"

For example:

BASH
% set aaa auth-provider ldap myldap custom-attr AUTH_PROVIDER_GROUP basic value customGroup

debug-log-enable boolean

When enabled, the gateway saves LDAP debug information to a file:

  • true: log LDAP debug info to the file ldap-auth.log
  • false: don't save LDAP debug info

Leave this disabled in normal operation and enable it only while troubleshooting. To show the log, use the file show command in operational mode:

BASH
> file show ldap-auth.log
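The following puts the elements above together into one complete LDAPS provider. It is an added example, not a configuration from the original page: the provider name (corp-ad), the server hostnames, the service account DN and the attribute values are assumptions. It presumes the CA that signed the directory servers' certificates has already been installed as a trusted certificate on the gateway (see Configuring AAA Public Key Infrastructure) and that ldap.example.com and ldap2.example.com appear in the CN or SAN of their respective certificates.

```text
% set aaa auth-provider ldap corp-ad server-url ldaps://ldap.example.com:636
% set aaa auth-provider ldap corp-ad backup-server 1 server-url ldaps://ldap2.example.com:636
% set aaa auth-provider ldap corp-ad server-type active-directory

% set aaa auth-provider ldap corp-ad base-dn "dc=example,dc=com"
% set aaa auth-provider ldap corp-ad bind-dn "cn=gateway-svc,ou=service-accounts,dc=example,dc=com"
% set aaa auth-provider ldap corp-ad bind-password "<password>"

% set aaa auth-provider ldap corp-ad verify-server-cert true
% set aaa auth-provider ldap corp-ad referrals false

% set aaa auth-provider ldap corp-ad email-attr mail
% set aaa auth-provider ldap corp-ad upn-attr userPrincipalName
```

Both the primary and the backup server use ldaps so that credentials never cross the network in clear text, and verify-server-cert stays true so a failover to the backup server gets the same certificate check as the primary. The bind account gateway-svc is a dedicated read-only service account rather than a directory administrator; userPrincipalName is the attribute Active Directory uses for the UPN.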

Setting a custom local group for LDAP

This example shows how to:

  • Extract the "customGroup" LDAP attribute as the local group to use for authorization.
  • Allow users with a customGroup of "admins" administrative access to the gateway.
  • Allow users with a customGroup of "engineers" to connect with jailbroken devices.
  • Disallow anyone not in either group from having administrative access or connecting with a jailbroken device.
BASH
% set aaa auth-provider ldap myldap custom-attr AUTH_PROVIDER_GROUP basic value customGroup
% set aaa auth-provider local group admins administrator true jailbreak-permitted false
% set aaa auth-provider local group engineers administrator false jailbreak-permitted true
% set aaa auth-provider local group default administrator false jailbreak-permitted false
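The gateway performs its certificate-chain and hostname checks at authentication time, which is a slow way to discover a wrong CA file, a certificate whose CN/SAN does not contain the server-url host, or a mistyped bind-dn or base-dn. The script below, added here as an example and not part of the Blue Cedar product, reproduces those checks from an administrator's workstation before the provider is committed. It assumes OpenSSL 1.1 or later (for -verify_hostname) and the OpenLDAP ldapsearch client; the hostnames, CA file and distinguished names in the usage comment are assumptions.

```shell
#!/bin/sh
# ldaps_preflight.sh: check an LDAPS server the way the gateway will before
# committing the auth-provider. Added example, not Blue Cedar code. Assumes
# OpenSSL 1.1+ (for -verify_hostname) and OpenLDAP's ldapsearch are installed.

# Scheme of an LDAP URL, lower-cased: ldap or ldaps.
ldap_url_scheme() {
    printf '%s\n' "$1" | sed -n 's|^\([A-Za-z]*\)://.*|\1|p' | tr 'A-Z' 'a-z'
}

# Host part of an LDAP URL (IPv6 literals in brackets are not handled).
ldap_url_host() {
    printf '%s\n' "$1" | sed -n 's|^[A-Za-z]*://\([^/:]*\).*|\1|p'
}

# Port of an LDAP URL: the explicit port if given, else 636 for ldaps, 389 for ldap.
ldap_url_port() {
    port=$(printf '%s\n' "$1" | sed -n 's|^[A-Za-z]*://[^/:]*:\([0-9]*\).*|\1|p')
    if [ -n "$port" ]; then
        printf '%s\n' "$port"
    elif [ "$(ldap_url_scheme "$1")" = ldaps ]; then
        printf '636\n'
    else
        printf '389\n'
    fi
}

# The checks the gateway makes when verify-server-cert is true: the chain must
# end at the CA in $2, and the URL host must appear in the certificate's CN/SAN.
# Exits non-zero on either problem.
check_ldaps_cert() {
    url=$1; cafile=$2
    host=$(ldap_url_host "$url"); port=$(ldap_url_port "$url")
    openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" -CAfile "$cafile" -verify_return_error \
        -brief </dev/null
}

# Bind as bind-dn (password prompted with -W so it never appears in ps output)
# and read the base-dn entry, with the client required to verify the server cert.
check_bind() {
    url=$1; bind_dn=$2; base_dn=$3; cafile=$4
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$cafile" \
        ldapsearch -H "$url" -D "$bind_dn" -W -b "$base_dn" -s base \
        '(objectClass=*)' dn
}

# Usage (hostnames, CA file and DNs are assumptions):
#   sh ldaps_preflight.sh ldaps://ldap.example.com:636 ca.pem \
#       "cn=gateway-svc,ou=service-accounts,dc=example,dc=com" "dc=example,dc=com"
if [ $# -eq 4 ]; then
    check_ldaps_cert "$1" "$2" && check_bind "$1" "$3" "$4" "$2"
fi
```

Run it once against each server-url, including every backup-server URL, with the same CA file that is installed on the gateway. A hostname-mismatch failure from openssl means the gateway will reject the server too until the URL host or the certificate's SAN is corrected; setting verify-server-cert false to work around it removes the only protection against a spoofed directory server.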