NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual
6-20 Group and User Access Policies
v1.0, August 2006
LDAP Authentication Domains for Group Policies and BookmarksLDAP (Lightweight Directory Access Protocol) is a standard for querying and updating a
directory. Since LDAP supports a multilevel hierarchy (for example, groups or organizational
units), the SSL VPN Concentrator can query this information and provide specific group policies
or bookmarks based on LDAP attributes. By configuring LDAP attributes, the SSL VPN
Concentrator administrator can leverage the groups that have already been configured in an LDAP
or Active Directory database, rather than manually recreating the same groups in the SSL VPN
Concentrator.
Once an LDAP authentication domain is created, a default LDAP group will be created with the
same name as the LDAP domain name. Although additional groups may be added or deleted from
this domain, the default LDAP group may not be deleted.
For an LDAP group, you may define LDAP attributes. For example, you can specify that users in
an LDAP group must be members of a certain group or organizational unit defined on the LDAP
server. Or you can specify a unique LDAP distinguished name.
To add an LDAP authentication domain, see “Authentication Domains” in Chapter 7.
Sample LDAP Attributes
You may enter up to 4 LDAP attributes per group. The following are some example LDAP
attributes of Active Directory LDAP users:
name=”Administrator”
memberOf=”CN=Terminal Server Computers,CN=Users,DC=netgearnetworks,
DC=net”objectClass=”user”
msNPAllowDialin=”FALSE”
Note: The Microsoft Active Directory database uses an LDAP organization schema. The
Active Directory database may be queried using Kerberos authentication (the
standard authentication type; this is labeled “Active Directory” domain
authentication in the SSL VPN Concentrator), NTLM authentication (labeled “NT
Domain” authentication in the SSL VPN Concentrator), or using LDAP database
queries. So, an LDAP domain configured in the SSL VPN Concentrator can
authenticate to an Active Directory server.