
Configure an LDAP server for user authentication

LDAP authentication requires creating a login account for the appliance on your LDAP server. The appliance uses this account to read and import user information from the LDAP server. The account needs read-only access to the Search Base DN field on the LDAP server. The account does not require write access, because the appliance does not write to the LDAP server.

For information on adding user accounts to the appliance, see Add or edit local administrator accounts.

When logging in, the appliance automatically queries the listed external servers. The timeout for a server is approximately 10 seconds. To decrease login delays, Quest KACE recommends deleting the sample LDAP server.

1. On the left navigation pane, click Settings, then click User Authentication to display the Authentication Settings.
2. Select External LDAP Server Authentication and click Add New Server.
   All servers must have a valid IP address or host name; otherwise, the appliance times out, resulting in login delays when using LDAP authentication.
3.

Server Friendly Name
    The name that identifies the server.

Server Host Name (or IP)
    The IP address or the host name of the LDAP server. If the IP address is not valid, the appliance waits for the connection to time out, resulting in login delays during LDAP authentication.

    If you have a non-standard SSL certificate installed on your LDAP server, such as an internally signed certificate or a chain certificate that is not from a major certificate provider such as VeriSign, contact Quest KACE Technical Support at https://support.quest.com/contact-support for assistance.

LDAP Port Number
    The LDAP port number. The default is 636 (secure LDAP). The non-secure LDAP port 389 can also be used; however, keep in mind that such connections can easily expose user names and passwords to malicious parties, and they should therefore be avoided.

Search Base DN
    The area of the LDAP tree where the appliance starts searching for users. For example, to search the IT group, specify OU=it,DC=company,DC=com.

Search Filter
    The search filter, for example: LDAP_attribute=KBOX_USER, where LDAP_attribute is the name of the attribute containing a unique user ID and KBOX_USER is a variable that the appliance replaces at runtime with the login ID that you enter. For example, when using Active Directory, enter samaccountname=KBOX_USER. For most other LDAP servers, enter UID=KBOX_USER.

LDAP Login
    The credentials of the account that the appliance uses to log in to the LDAP server to read accounts. For example: CN=service_account,CN=Users,DC=company,DC=com. If no username is provided, an anonymous bind is attempted.

LDAP Password (if required)
    The password of the account that the appliance uses to log in to the LDAP server.

User Permissions
    The permissions granted to users authenticated through this server:
    Admin: Read/write access to the Administrator Console.
    ReadOnly Admin: View all pages; no change access.

Test User Password
    The LDAP username and password to test against the LDAP server. See Test the LDAP server.

Record the Search Base DN and the Search Filter criteria because you use this same information to import user data and to schedule user imports.
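The Search Filter entry above describes a template (samaccountname=KBOX_USER or UID=KBOX_USER) in which the appliance substitutes the login ID at runtime. The following Python is an added illustration of that substitution, not Quest KACE appliance code: it escapes the substituted login ID per RFC 4515 so that characters with special meaning in LDAP filters cannot change the shape of the resulting filter, and it wraps the template in the parentheses that a complete LDAP filter requires. The function and placeholder names are assumptions made for this example.

```python
"""
Added example (not Quest KACE appliance code): turn a search-filter template
such as samaccountname=KBOX_USER into the concrete LDAP filter used for one
login attempt, escaping the login ID per RFC 4515 section 3.
"""

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value that will be placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, login_id: str, placeholder: str = "KBOX_USER") -> str:
    """Substitute the login ID into the filter template.

    The template is the value entered in the Search Filter field; the placeholder
    name matches the one the page documents. The login ID is escaped before
    substitution, so a login ID is always treated as a literal attribute value.
    """
    if placeholder not in template:
        raise ValueError(f"filter template does not contain {placeholder}")
    concrete = template.replace(placeholder, escape_filter_value(login_id))
    # A complete LDAP filter is parenthesized; the page's templates omit the parentheses.
    if not concrete.startswith("("):
        concrete = f"({concrete})"
    return concrete


if __name__ == "__main__":
    # Constructed sample login IDs (assumed for this example, not from the page).
    print(build_search_filter("samaccountname=KBOX_USER", "jdoe"))   # (samaccountname=jdoe)
    print(build_search_filter("UID=KBOX_USER", "j*doe"))             # (UID=j\2adoe)
```

Whether the appliance itself escapes the login ID in this way is not stated on the page; the example shows the check a reviewer would look for in any code that builds LDAP filters from user-entered values, and it applies equally to the Active Directory and generic-LDAP templates given above.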
4. Recommended: Click the Remove icon next to any external servers that are not configured to actual servers in your environment.
5. Click Save.

The next time users log in, they are authenticated against the LDAP servers in the order listed.

Test authentication on an external LDAP. See Test the LDAP server.