User Management
665
SonicOS Enhanced 4.0 Administrator Guide
Step 23 In the User tree for login to server field, specify the tree in which the user specified in the
‘Settings’ tab resides. For example, in AD the ‘administrator’ account’s default tree is the same
as the user tree.
Step 24 In the Trees containing users field, specify the trees where users commonly reside in the
LDAP directory. One default value is provided that can be edited, a maximum of 64 DN values
may be provided, and the SonicWALL security appliance searches the directory until a match
is found, or the list is exhausted. If you have created other user containers within your LDAP or
AD directory, you should specify them here.
Step 25 In the Trees containing user groups field, specify the trees where user groups commonly reside
in the LDAP directory. A maximum of 32 DN values may be provided. These are only applicable
when there is no user group membership attribute in the schema's user object, and are not used
with AD.
The above-mentioned trees are normally given in URL format but can alternatively be specified
as distinguished names (for example, “myDom.com/Sales/Users” could alternatively be given
as the DN “ou=Users,ou=Sales,dc=myDom,dc=com”). The latter form will be necessary if the
DN does not conform to the normal formatting rules as per that example. In Active Directory the
URL corresponding to the distinguished name for a tree is displayed on the Object tab in the
properties of the container at the top of the tree.
Note AD has some built-in containers that do not conform (for example, the DN for the top level
Users container is formatted as “cn=Users,dc=…”, using ‘cn’ rather than ‘ou’) but the
SonicWALL knows about and deals with these, so they can be entered in the simpler URL
format.
Ordering is not critical, but since they are searched in the given order it is most efficient to place
the most commonly used trees first in each list. If referrals between multiple LDAP servers are
to be used, then the trees are best ordered with those on the primary server first, and the rest
in the same order that they will be referred.
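The following is an added example, not code from the SonicOS guide or from SonicWALL. It shows how the URL-style tree notation above maps to a distinguished name (including the top-level AD containers that use ‘cn’ rather than ‘ou’, of which the guide names only Users; the other container names in the set are standard AD defaults assumed here), enforces the 64/32-entry limits stated above, and simulates the in-order search of the ‘Trees containing users’ list so that the cost of a poorly ordered list is visible. The directory contents are constructed for the demonstration, and the user DN it builds uses the login name as the RDN, which is a simplification.

```python
# Added example (not from the SonicOS guide or SonicWALL): URL-style tree notation
# to LDAP DN conversion, plus an in-order search over the configured user trees.
# The directory below is constructed; a real appliance would query the LDAP server.

# Top-level AD containers that use cn= rather than ou=. 'Users' is the case the
# guide describes; the others are standard AD default containers (assumed here).
AD_CN_CONTAINERS = {"users", "computers", "builtin", "foreignsecurityprincipals"}

MAX_USER_TREES = 64   # limit stated in the guide for 'Trees containing users'
MAX_GROUP_TREES = 32  # limit stated in the guide for 'Trees containing user groups'


def tree_url_to_dn(tree: str) -> str:
    """Convert 'myDom.com/Sales/Users' into 'ou=Users,ou=Sales,dc=myDom,dc=com'.

    A value that already looks like a DN (contains '=') is returned unchanged;
    that is the form needed for trees that do not follow the URL convention.
    """
    if "=" in tree:
        return tree
    domain, _, path = tree.partition("/")
    if not domain or not all(domain.split(".")):
        raise ValueError(f"tree must start with a DNS domain name: {tree!r}")
    domain_rdns = ["dc=" + label for label in domain.split(".")]
    containers = [part for part in path.split("/") if part]
    rdns = []
    for depth, name in enumerate(containers):
        # Only the top-level built-in containers are cn=; anything nested is an OU.
        attr = "cn" if depth == 0 and name.lower() in AD_CN_CONTAINERS else "ou"
        rdns.append(f"{attr}={name}")
    # LDAP DNs list the leaf first, so the container path is reversed.
    return ",".join(rdns[::-1] + domain_rdns)


def check_tree_list(trees: list, limit: int) -> list:
    """Validate a configured tree list against its size limit and normalise
    every entry to DN form, preserving the configured order."""
    if len(trees) > limit:
        raise ValueError(f"{len(trees)} trees configured, limit is {limit}")
    return [tree_url_to_dn(t) for t in trees]


# Constructed stand-in for the directory: base DN -> set of login names.
SAMPLE_DIRECTORY = {
    "cn=Users,dc=myDom,dc=com": {"administrator"},
    "ou=Users,ou=Sales,dc=myDom,dc=com": {"alice", "bob"},
    "ou=Users,ou=Engineering,dc=myDom,dc=com": {"carol"},
}


def find_user(trees: list, directory: dict, username: str):
    """Search each tree in the configured order and stop at the first match.

    Returns (user DN, number of trees searched), or (None, len(trees)) when the
    list is exhausted. The count shows why commonly used trees belong first.
    """
    for searched, base in enumerate(check_tree_list(trees, MAX_USER_TREES), start=1):
        if username in directory.get(base, ()):
            return f"cn={username},{base}", searched
    return None, len(trees)


if __name__ == "__main__":
    slow = ["myDom.com/Users", "myDom.com/Sales/Users", "myDom.com/Engineering/Users"]
    fast = ["myDom.com/Engineering/Users", "myDom.com/Sales/Users", "myDom.com/Users"]
    for order in (slow, fast):
        dn, n = find_user(order, SAMPLE_DIRECTORY, "carol")
        print(f"{dn} found after searching {n} tree(s)")
```

Running the script searches for the same user with two orderings of the same three trees: the first ordering needs three searches, the second only one, which is the efficiency point made above. Trees in DN form pass through `tree_url_to_dn` unchanged, so a list can mix both notations.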
Note When working with AD, to find where a user is located in the directory for the ‘User tree for
login to server’ field, the directory can be searched manually from the Active Directory Users
and Settings control panel applet on the server, or a directory search utility such as
queryad.vbs in the Windows NT/2000/XP Resource Kit can be run from any PC in the
domain.
Step 26 The Auto-configure button causes the SonicWALL security appliance to auto-configure the
‘Trees containing users’ and ‘Trees containing user groups’ fields by scanning through the
directory/directories looking for all trees that contain user objects. The ‘User tree for login to
server’ must first be set.
Select whether to append newly located trees to the current configuration, or to start from scratch
by removing all currently configured trees first, and then click OK. Note that it will quite likely
locate trees that are not needed for user login; manually removing such entries is recommended.