LDAP/AD Authentication

To enable LDAP/AD authentication:

1. Select Administration in the main menu of the Control Center.

2. Select Authentication in the control menu.

3. In the opened window, select the LDAP/AD authentication section.

4. Set the Use LDAP/AD authentication flag.

5. Click Save.

6. Restart Dr.Web Server to apply the changes.

You can configure authentication over the LDAP protocol against any LDAP server. You can also use this mechanism to configure a Dr.Web Server running under a Unix-like OS to authenticate against Active Directory on a domain controller.

Note:

If an LDAP server other than MS Active Directory is used, it is recommended to configure the rules for translating user names to DN in the auth-ldap-rfc4515.conf configuration file in accordance with RFC4515 using the <user-dn-extension-enabled/>, <user-dn/>, <user-dn-expr/> parameters.

If the account being authorized does not have search rights on the LDAP server, use the <bind dn/> parameter to specify the DN and password of an LDAP server user with read rights; the search for the authorized user's data on the LDAP server is then performed on behalf of that user.

The description of these parameters is given in the Appendices document, B3. LDAP/AD Authentication section.

For convenience, the section lets you switch between the simplified and the extended versions of the LDAP/AD authentication settings.

Note:

Settings of LDAP/AD authentication are stored in the auth-ldap-rfc4515.conf configuration file.

Configuration files with typical settings are also provided: auth-ldap-rfc4515-check-group.conf, auth-ldap-rfc4515-check-group-novar.conf, auth-ldap-rfc4515-simple-login.conf.

General XML attributes are described in the Appendices document, in the B3. LDAP/AD Authentication section.

Specifics of configuration in the presence of a domain forest (root and child domains)

If you want to authenticate not only the root Active Directory domain, but also its child domains, the access group in the root domain must include users from all child domains. The type of this access group in Active Directory must be Universal.

The Global Catalog option must be enabled in NTDS Settings for the root domain (when it is enabled, the domain controller listens on port 3268). In the authentication settings in the Dr.Web Server Control Center, specify only the root domain and the Global Catalog port number (3268 by default). In the configuration file, the host attribute value for this case is: host='example.srv:3268'.

To avoid having to enter the full name with the domain when authenticating under an account from a child domain, configure the <bind dn/> tag; see its description in B3. LDAP/AD Authentication.
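The flow described in the notes above (translating a login into an RFC 4515 search filter, running that search on behalf of the <bind dn/> account, then verifying the user's own password) and the forest case (search against the root domain's Global Catalog on port 3268), as an added example that is not Dr.Web's code or configuration. The attribute names (sAMAccountName, userPrincipalName), the service account and the in-memory directory are constructed assumptions standing in for a real LDAP server.

```python
import re
from dataclasses import dataclass

# RFC 4515 section 3 escaping: without it a login such as "x)(|(cn=*" rewrites the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def domain_to_dn(domain: str) -> str:
    return ",".join(f"DC={p}" for p in domain.lower().split("."))

@dataclass(frozen=True)
class UserSearch:
    host: str     # value of the host attribute, e.g. example.srv:3268
    base_dn: str  # search base: the forest root's DN
    attr: str     # attribute the login is matched against (assumed names)
    value: str    # login as typed, before escaping

    def ldap_filter(self) -> str:
        return f"(&(objectClass=user)({self.attr}={escape_filter_value(self.value)}))"

def build_user_search(login: str, root_domain: str, forest: bool = False) -> UserSearch:
    """Translate a login (sAMAccountName, DOMAIN\\user or UPN) into a user search."""
    if not re.fullmatch(r"[^\s\x00-\x1f]+", login or ""):
        raise ValueError("invalid login")
    port = 3268 if forest else 389  # 3268 = Global Catalog, also covers child domains
    attr, value = ("userPrincipalName", login) if "@" in login \
        else ("sAMAccountName", login.split("\\", 1)[-1])
    return UserSearch(f"{root_domain}:{port}", domain_to_dn(root_domain), attr, value)

# Constructed stand-in for the directory (DN -> attributes, password); not real data.
FAKE_DIR = {
    "CN=svc-drweb,CN=Users,DC=example,DC=srv":
        ({"sAMAccountName": "svc-drweb", "canSearch": True}, "S3rvice!"),
    "CN=alice,CN=Users,DC=child,DC=example,DC=srv":
        ({"sAMAccountName": "alice", "userPrincipalName": "alice@child.example.srv"}, "Wonder1and"),
}

def authenticate(login, password, bind_dn, bind_pw, directory=FAKE_DIR):
    """Search-then-bind: the bind-dn account locates the user's DN, the user's own
    bind proves the password. Returns the user's DN on success, otherwise None."""
    svc = directory.get(bind_dn)
    if svc is None or svc[1] != bind_pw or not svc[0].get("canSearch"):
        return None  # service account cannot bind or lacks search rights
    s = build_user_search(login, "example.srv", forest=True)
    hits = [dn for dn, (attrs, _) in directory.items()
            if dn.lower().endswith(s.base_dn.lower()) and attrs.get(s.attr) == s.value]
    if len(hits) != 1:
        return None  # unknown user, or an ambiguous match across domains
    # An empty password must never pass: on a real server it yields an anonymous bind.
    return hits[0] if password and directory[hits[0]][1] == password else None
```

A real server evaluates `ldap_filter()` itself; the in-memory matcher only mirrors what that filter selects.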