Setting up Multiple LDAP Domains in SonicWall 6.5 Firmware without Partitioning

A technical guide to setting up multiple LDAP domains in SonicOS 6.5, written by our Senior Network Security Engineer. Please note that, as of SonicOS 6.5.0.1-14, this does not currently work for customers who have the same username in more than one domain. This bug has been reported and is being addressed for a future release.

SonicWall 6.5 firmware now allows multiple LDAP servers to be used for authentication. To set this up, follow the guide below.

SonicOS 6.5 is available on all Gen6 appliances from the SOHO Wireless upwards (but not the non-wireless SOHO, which runs 5.9 firmware).

Prerequisites:

  • Each domain must be resolvable by the SonicWall's own DNS settings. In this example the SonicWall's DNS servers under Network\DNS are set to the domain controllers' IP addresses: the domain Netthreat.local resolves to 172.16.32.250 and the domain Test.local resolves to 172.16.32.60. Each domain's forward lookup zone also carries A records for the domain name itself, one per domain controller, for failover. If the domain name resolves to more than one IP address, use the name rather than an address for the LDAP server entry, i.e. Test.local (the domain, not the server name) instead of 172.16.32.60, so that the SonicWall can fail over between the controllers.

  • The domains in this example are not in a trust and are not in the same forest.
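
The DNS prerequisite above can be checked from a workstation before touching the firewall. The following Python script is an added example and is not part of the original guide: it uses only the standard library, takes the domain names and controller addresses from the guide, and makes the resolver and the port check injectable (an assumption of the example, not of SonicOS) so the logic can be exercised offline. Run it from a host that uses the same DNS servers as the SonicWall, otherwise the answers are not the ones the firewall will get.

```python
"""Pre-flight check for the DNS prerequisite: every LDAP domain name must resolve
to the domain controller(s) the SonicWall should bind to, and each resolved
address must accept a TCP connection on the LDAP port.

Added example, not part of the original NetThreat guide. Domain names and
addresses are the guide's; resolver and connector are injectable (assumption)
so the logic can be run offline against canned answers.
"""
import socket
from typing import Callable, Dict, List

# Constructed from the guide: each domain and the DC address(es) its name
# should resolve to. Add a second address if a domain has a failover A record.
EXPECTED_DCS: Dict[str, List[str]] = {
    "netthreat.local": ["172.16.32.250"],
    "test.local": ["172.16.32.60"],
}

LDAP_PORT = 389  # 636 if the LDAP connection is configured to use TLS


def resolve_all(name: str) -> List[str]:
    """All IPv4 addresses an A lookup returns for name; [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds (real network)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_domain(domain: str, expected: List[str],
                 resolver: Callable[[str], List[str]] = resolve_all,
                 connector: Callable[[str, int], bool] = tcp_open,
                 port: int = LDAP_PORT) -> dict:
    """Resolve one domain name and compare it with the DCs it must cover.

    'use_for_connection' is the value to enter as the LDAP server on the
    SonicWall: the domain name when it resolves to more than one address (so
    failover works, as the guide advises), otherwise the single address.
    """
    resolved = resolver(domain)
    missing = sorted(set(expected) - set(resolved))
    unreachable = [ip for ip in resolved if not connector(ip, port)]
    if not resolved:
        use = None
    elif len(resolved) > 1:
        use = domain
    else:
        use = resolved[0]
    return {
        "domain": domain,
        "resolved": resolved,
        "missing": missing,          # expected DCs the name does not resolve to
        "unreachable": unreachable,  # resolved addresses not listening on port
        "use_for_connection": use,
        "ok": bool(resolved) and not missing and not unreachable,
    }


def preflight(expected: Dict[str, List[str]] = EXPECTED_DCS, **checks) -> Dict[str, dict]:
    """Run check_domain for every domain; callers inspect each result's 'ok'."""
    return {d: check_domain(d, dcs, **checks) for d, dcs in expected.items()}


if __name__ == "__main__":
    for r in preflight().values():
        status = "OK  " if r["ok"] else "FAIL"
        print(f"{status} {r['domain']}: resolved={r['resolved']} missing={r['missing']} "
              f"unreachable={r['unreachable']} use={r['use_for_connection']}")
```

A result whose use_for_connection is the domain name means the name covers more than one controller, which is exactly when the guide says to enter the name rather than an address; a non-empty missing list means the SonicWall's DNS servers are not the ones holding the A records described above.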

1. Add Domains

Add the domains you want to use for LDAP authentication under Users\Settings\Configure LDAP.

2. Login/Bind settings

For the Login/Bind settings you can use any of the three methods below.

N.B. The bind usernames and passwords do not have to be the same in both domains (a shared bind account is only needed for domains in a trust). Whichever method you use this is a simple bind, so the password crosses the network in clear text unless TLS is enabled on the LDAP connection, and a dedicated read-only bind account is a better choice than a Domain Admin.

Method 1: Give bind distinguished name, entered in Domain\User form. This is ideal if you do not know the exact location in AD of the Administrator account you are binding with.

Login/Bind Settings Method 1

Method 2: Give bind distinguished name, entered as the account's full distinguishedName.

To find the distinguishedName if it is not visible on the user's account in Active Directory Users and Computers: go to View and select Advanced Features, open the user's properties and the Attribute Editor tab will now be shown, select the distinguishedName attribute, click View and copy the value.

Login/Bind Settings Method 2

Method 3: Give login name/location in tree. The location must be the container or OU in AD where the user account you are binding with is located.

Login/Bind Settings Method 3
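
To see what each bind method actually sends, and to prove the bind account works before the Directory auto-configure in step 4, the following Python script is an added example (not from the guide or from SonicWall). It derives the base DN from the domain name, builds the bind identity for each of the three methods, and assembles an ldapsearch (OpenLDAP client tools) command that performs the same simple bind. The account name svc-sonicwall, the OU Service Accounts, the cn=Users default container and the rule that the NetBIOS domain name is the first DNS label are assumptions, not details from the guide.

```python
"""The three bind identities from step 2, and an ldapsearch bind test for each.

Added example, not part of the original NetThreat guide. Building the command
needs only the standard library; running it needs the OpenLDAP client tools
and network access to the domain controller.
"""
import shlex
from typing import List

# Characters that RFC 4514 requires to be escaped inside an RDN value.
_RDN_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value: str) -> str:
    """Escape a value for use inside an RDN (e.g. a CN containing a comma)."""
    out = "".join("\\" + c if c in _RDN_SPECIAL else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def base_dn(domain: str) -> str:
    """DNS name to the AD default naming context: test.local -> dc=test,dc=local."""
    return ",".join(f"dc={escape_rdn_value(label)}" for label in domain.lower().split("."))


def bind_identity(method: int, domain: str, user: str, tree: str = "cn=Users") -> str:
    """The bind DN the SonicWall sends for each of the guide's methods.

    1: Domain\\User; AD resolves this against the NetBIOS domain name, assumed
       here to be the first DNS label in upper case (check with nltest or
       Get-ADDomain if your NetBIOS name differs).
    2: the account's full distinguishedName, here built from the CN, the
       tree location and the base DN.
    3: login name plus location in tree; the SonicWall assembles the same DN
       as method 2 from those two parts, so both end up identical.
    """
    if method == 1:
        netbios = domain.split(".")[0].upper()  # assumption, see docstring
        return f"{netbios}\\{user}"
    if method in (2, 3):
        return f"cn={escape_rdn_value(user)},{tree},{base_dn(domain)}"
    raise ValueError(f"unknown bind method {method}")


def ldapsearch_argv(server: str, bind_dn: str, domain: str, tls: bool = False) -> List[str]:
    """ldapsearch command that simple-binds as bind_dn and reads the base DN.

    -W prompts for the password instead of putting it in argv where ps would
    show it; -ZZ enforces StartTLS so the password is not sent in clear (the
    command-line equivalent of enabling TLS on the SonicWall LDAP settings);
    '1.1' asks for no attributes, so success means only 'bind and base DN OK'.
    """
    argv = ["ldapsearch", "-H", f"ldap://{server}", "-x", "-D", bind_dn, "-W",
            "-b", base_dn(domain), "-s", "base", "(objectClass=*)", "1.1"]
    if tls:
        argv.insert(1, "-ZZ")
    return argv


if __name__ == "__main__":
    for m in (1, 2, 3):
        ident = bind_identity(m, "test.local", "svc-sonicwall", "ou=Service Accounts")
        print(f"method {m}: {ident}")
        print("   ", shlex.join(ldapsearch_argv("test.local", ident, "test.local", tls=True)))
```

If the ldapsearch bind succeeds with the same identity and password you intend to enter on the SonicWall, a failure of the Test tab's bind test in step 4 points at the firewall's DNS or TLS settings rather than at the credentials.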

3. Schema Settings

Both domains need to use the same Schema settings. If some usernames are identical in both domains, make sure that in each domain's Active Directory those users have their userPrincipalName attribute set in the user@domain form (e.g. user@test.local), as below. This is what lets the SonicWall tell the two accounts apart when the user logs in as user@domain in step 9.

Schema Settings

4. Directory Settings

On the Directory settings select Auto-configure, choose Replace existing trees and then Start.

Directory Settings 1

This should pull in the trees that contain users, as below. You can manually add others if needed.

If the user trees do not pull in, go to the Test tab and run the connectivity/bind test. If this succeeds, try the Directory auto-configure again; otherwise check the username and password in the Bind settings.

Also make sure you have un-ticked the Case Sensitive Usernames option in the Users/Settings menu.

Tip: If users in a group are not being authenticated, add the distinguished name of the location that holds the group, as in the example below for the SSL VPN Users group.

Directory Settings 2

5. Add Secondary Domains

Repeat steps 2 to 4 to add the secondary domain.

You should now see both domains connected, as below.

You can add more domains if needed by adding each one as a secondary domain.

Adding Secondary Domains

6. Referrals

Under the Referrals menu it is important that you select only Allow referrals, as below. Leaving the other referral options selected causes issues with password caching.

Referrals

7. Importing the User Groups

For this example we have created a group with the same name, SSL VPN Users, in both domains. With 6.5 firmware you can now import the groups from both domains at the same time.

Go to Users/Local Groups and select Import from LDAP.

Importing User Groups 1

N.B. In this example I have selected Include the domains. Normally, because the same group name is used in both domains, you could select No domains instead, and the imported group would then authenticate any user who is in the SSL VPN Users group in any of the domains; see the example in section 8.

Once you have selected the groups, Save.

Importing User Groups 2

For this example we are going to add the groups to the SSLVPN Services group and test with NetExtender, but you could add any groups for use with other services such as the Global VPN Client, SSO, Content Filtering, etc.

8. Adding the User Groups

Select the SSLVPN Services group and edit it. Then add the SSL VPN Users groups from both domains.

Make sure that under VPN Access you have selected the networks the users should be able to reach.

Adding User Groups 1

If you want to use just one user group instead of two, import one of the groups from LDAP as below and select No domains.

Adding User Groups 2

Adding User Groups 3

As you can see, this single group matches the SSL VPN Users group in both domains. You can now add it to SSLVPN Services or use it for CFS, etc.

Adding User Groups 4

9. Testing using NetExtender

If you are logging on with a username that exists in both domains, enter the username followed by @ and the domain, e.g. user@test.local, as in the examples below.

We used a different password for the account in each domain, to check that no password caching is occurring.

Testing using NetExtender 1

Testing using NetExtender 2

Testing using NetExtender 3

Testing using NetExtender 4

If you are logging on with a username that is unique to one domain, you can log in with just the username and the domain holding that user will authenticate them. See the examples below.
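
To make the userPrincipalName requirement of step 3 and the login routing tested here concrete, the following Python script is an added example, not part of the guide: it audits constructed copies of both directories for identical usernames that lack a name@domain UPN, routes a login to the domain that should authenticate it (rejecting a bare name that exists in both), and then checks SSL VPN Users membership the way the No domains / Include the domains choice of steps 7 and 8 does. The user accounts and memberships are invented; the domain names are the guide's.

```python
"""Why identical usernames need a user@domain userPrincipalName (step 3), how a
login is routed to one domain (step 9) and how group membership is then
checked (step 8).

Added example, not part of the original NetThreat guide. The directories are
constructed in memory; exporting the same three attributes with ldapsearch or
Get-ADUser would turn this into a real pre-flight audit.
"""
from typing import Dict, List, Optional, Tuple

User = dict

# Constructed sample directories. 'dave' exists in both domains but his
# Test.local account has no userPrincipalName, the situation step 3 warns about.
DIRECTORIES: Dict[str, List[User]] = {
    "netthreat.local": [
        {"sAMAccountName": "alice", "userPrincipalName": "alice@netthreat.local",
         "memberOf": ["SSL VPN Users"]},
        {"sAMAccountName": "bob", "userPrincipalName": "bob@netthreat.local",
         "memberOf": ["SSL VPN Users"]},
        {"sAMAccountName": "dave", "userPrincipalName": "dave@netthreat.local",
         "memberOf": []},
    ],
    "test.local": [
        {"sAMAccountName": "alice", "userPrincipalName": "alice@test.local",
         "memberOf": []},
        {"sAMAccountName": "carol", "userPrincipalName": "carol@test.local",
         "memberOf": ["SSL VPN Users"]},
        {"sAMAccountName": "Dave", "userPrincipalName": None,
         "memberOf": ["SSL VPN Users"]},
    ],
}


def audit_upns(dirs: Dict[str, List[User]]) -> List[str]:
    """Step 3 check: a sAMAccountName present in more than one domain must carry
    a userPrincipalName of exactly name@<its own domain>, otherwise a
    name@domain login cannot single out the right account."""
    owners: Dict[str, List[str]] = {}
    for domain, users in dirs.items():
        for u in users:
            owners.setdefault(u["sAMAccountName"].lower(), []).append(domain)
    problems = []
    for domain, users in dirs.items():
        for u in users:
            name = u["sAMAccountName"].lower()
            if len(owners[name]) < 2:
                continue
            upn = (u.get("userPrincipalName") or "").lower()
            if upn != f"{name}@{domain}":
                others = ", ".join(d for d in owners[name] if d != domain)
                problems.append(f"{domain}: {name} also exists in {others} but "
                                f"userPrincipalName is {upn or 'unset'}")
    return problems


def resolve_login(login: str, dirs: Dict[str, List[User]]) -> Tuple[str, User]:
    """Step 9 routing. 'name@domain' is matched on userPrincipalName inside that
    domain only; a bare name is accepted only if exactly one domain holds it.
    Comparisons are case-insensitive, matching the guide's advice to un-tick
    Case Sensitive Usernames."""
    login = login.lower()
    if "@" in login:
        _, _, domain = login.rpartition("@")
        for u in dirs.get(domain, []):
            if (u.get("userPrincipalName") or "").lower() == login:
                return domain, u
        raise LookupError(f"no account with userPrincipalName {login} in {domain}")
    hits = [(d, u) for d, users in dirs.items() for u in users
            if u["sAMAccountName"].lower() == login]
    if len(hits) == 1:
        return hits[0]
    if not hits:
        raise LookupError(f"{login} not found in any domain")
    raise LookupError(f"{login} exists in {', '.join(d for d, _ in hits)}: log in as name@domain")


def authorize(login: str, group: str, dirs: Dict[str, List[User]],
              only_domain: Optional[str] = None) -> bool:
    """Step 8 membership. A group imported with 'No domains' (only_domain=None)
    matches in whichever domain authenticated the user; a group imported with
    its domain included counts only for users authenticated by that domain."""
    domain, user = resolve_login(login, dirs)
    if only_domain is not None and domain != only_domain:
        return False
    return group in user["memberOf"]


if __name__ == "__main__":
    for p in audit_upns(DIRECTORIES):
        print("audit:", p)
    for attempt in ("bob", "carol", "alice", "alice@test.local", "dave@netthreat.local"):
        try:
            d, _ = resolve_login(attempt, DIRECTORIES)
            print(f"{attempt}: authenticated by {d}, "
                  f"SSL VPN Users={authorize(attempt, 'SSL VPN Users', DIRECTORIES)}")
        except LookupError as e:
            print(f"{attempt}: {e}")
```

The audit output is the list to fix in Active Directory before users with duplicated names try to log in; a bare "alice" is refused rather than guessed, which is the behaviour you want from the firewall too, since picking the wrong domain would test the password against the wrong account.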

Testing using NetExtender 5

Testing using NetExtender 6

Testing using NetExtender 7

Copyright 2018 NetThreat Ltd

Attachment: Multiple_LDAP_Domains_Setup_in_SonicWall_OS_6.5.pdf