NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

LDAP Attribute Rules

If multiple attributes are defined for a group, ALL attributes must be met by LDAP users.

If no attributes are defined, then any user authorized by the LDAP server can be a member of the group.

If multiple groups are defined and a user meets all the LDAP attributes for two groups, then the user will be considered part of the group with the most LDAP attributes defined. If the matching LDAP groups have an equal number of attributes, then the user will be considered a member of the group based on the alphabetical order of the groups.

If an LDAP user fails to meet the LDAP attributes for all LDAP groups configured on the SSL VPN Concentrator, then the user will not be able to log into the portal. So the LDAP attributes feature not only allows the administrator to create individual rules based on the LDAP group or organization, it also allows the administrator to only allow certain LDAP users to log into the portal.

Sample LDAP Users and Attributes Settings

If a user is manually added to an LDAP group, then that user setting takes precedence over the LDAP attributes.

For example:

An LDAP attribute objectClass="Person" is defined for group Group1 and an LDAP attribute memberOf="CN=WINS Users,DC=netgearnetworks,DC=net" is defined for Group2.

If user Jane is defined by an LDAP server as a member of the Person object class, but is NOT a member of the WINS Users group, Jane will be a member of the SSL VPN Concentrator Group1.

But if the administrator manually adds the user Jane to the SSL VPN Concentrator Group2, then the LDAP attributes will be ignored and Jane will be a member of Group2.
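The group-selection rules above (all attributes must match, most attributes wins, alphabetical tie-break, no match denies login, manual membership overrides) modelled in Python as an added example; this is not NETGEAR's code. Attribute values are compared as exact strings, the LDAP server's own matching rules are not modelled, and the entries for Jane, Bob and the service account are constructed sample data.

```python
# Added example (not NETGEAR's code): the SSL312 group-selection rules for
# LDAP attributes. Values are compared as exact strings; the LDAP server's
# matching rules (e.g. case folding) are not modelled. Entries are constructed.

def resolve_group(username, user_attrs, groups, manual_members=None):
    """Return the concentrator group for a user, or None if login is denied.

    user_attrs:     {attribute: set of values} as returned by the LDAP server
    groups:         {group name: {required attribute: required value}}
    manual_members: {username: group name} for users added to a group by hand
    """
    manual_members = manual_members or {}
    # A manually added user takes precedence over LDAP attribute matching.
    if username in manual_members:
        return manual_members[username]

    matches = []
    for name, required in groups.items():
        # ALL defined attributes must be met; a group with no attributes
        # accepts any user the LDAP server has authenticated.
        if all(value in user_attrs.get(attr, set())
               for attr, value in required.items()):
            matches.append(name)

    if not matches:
        return None  # fails every group: the user cannot log in to the portal

    # Tie-break: most attributes defined first, then alphabetical group name.
    matches.sort(key=lambda g: (-len(groups[g]), g))
    return matches[0]


# Groups from the manual's example plus a third, stricter group.
GROUPS = {
    "Group1": {"objectClass": "Person"},
    "Group2": {"memberOf": "CN=WINS Users,DC=netgearnetworks,DC=net"},
    "Group3": {"objectClass": "Person",
               "memberOf": "CN=WINS Users,DC=netgearnetworks,DC=net"},
}

# Constructed LDAP entries.
JANE = {"objectClass": {"top", "person", "organizationalPerson", "Person"}}
BOB = {"objectClass": {"Person"},
       "memberOf": {"CN=WINS Users,DC=netgearnetworks,DC=net"}}
SVC = {"objectClass": {"computer"}}

if __name__ == "__main__":
    print(resolve_group("jane", JANE, GROUPS))                      # Group1
    print(resolve_group("jane", JANE, GROUPS, {"jane": "Group2"}))  # Group2
    print(resolve_group("bob", BOB, GROUPS))                        # Group3
    print(resolve_group("svc", SVC, GROUPS))                        # None
```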

Querying an LDAP Server

If you would like to query your LDAP or Active Directory server to find out the LDAP attributes of your users, there are several methods. From a machine with the ldapsearch tools (for example, a Linux machine with OpenLDAP installed), run the following command:

ldapsearch -h 10.0.0.5 -x -D "cn=demo,cn=users,dc=netgearnetworks,dc=net" -w demo123 -b "dc=netgearnetworks,dc=net" > /tmp/file

Group and User Access Policies

6-21

v1.0, August 2006
