
    LDAP Functionality in Integrated User Firewall

    This topic includes the following sections:

    Role of LDAP in Integrated User Firewall

    In order to get the user and group information necessary to implement the Integrated User Firewall feature, the SRX Series device uses the Lightweight Directory Access Protocol (LDAP). The SRX Series acts as an LDAP client communicating with an LDAP server. In a common implementation scenario of the integrated user firewall feature, the domain controller acts as the LDAP server. The LDAP module in the SRX Series, by default, queries the Active Directory in the domain controller.

    The SRX Series downloads user and group lists from the LDAP server. The device also queries the LDAP server for user and group updates. The SRX Series downloads a first-level, user-to-group mapping relationship and then calculates a full user-to-group mapping.

    The use of “LDAP” in this section applies specifically to LDAP functionality within the integrated user firewall feature.

    LDAP Server Configuration and Base Distinguished Name

    Most of the LDAP server configuration is optional, leveraging the common implementation scenario where the domain controller acts as the LDAP server. The SRX Series periodically (every two minutes) queries the LDAP server to get the user and group information changed since the last query.

    The only required LDAP server configuration is the LDAP base distinguished name (DN), which is the top level of the LDAP directory tree. Microsoft Active Directory follows the convention of deriving the base DN from a company’s DNS domain components. An example of a base DN is dc=juniper, dc=net.

    LDAP’s Authentication Method

    By default, the LDAP authentication method is simple authentication: the client’s username and password are sent to the LDAP server in plaintext. Keep in mind that the password is therefore unencrypted on the wire and can be read by anyone who captures the traffic.

    To avoid exposing the password, you can use simple authentication within an encrypted channel, namely Secure Sockets Layer (SSL), as long as the LDAP server supports LDAP over SSL (LDAPS). After SSL is enabled, the data sent from the LDAP server to the SRX Series is encrypted. To enable SSL, see the user-group-mapping statement.

    LDAP Server’s Username, Password, and Server Address

    The LDAP server’s username, password, IP address, and port are all optional, but they can be configured.

    • If the username and password are not configured, the system uses the configured domain controller’s username and password.
    • If the LDAP server’s IP address is not configured, the system uses the address of one of the configured Active Directory domain controllers.
    • If the port is not configured, the system uses port 389 for plaintext LDAP or port 636 for LDAPS.

    Caching and Calculation of User-to-Group Mappings

    The SRX Series device caches user-to-group mappings in its local database when the show services user-identification active-directory-access user-group-mapping operation is performed. This command displays the users who belong to a group or the groups to which a user belongs.

    Three events cause a user-to-group mapping to be removed from the cache:

    • A source-identity is removed from a referenced firewall policy (because only source-identities referenced in a policy are stored in the authentication table).
    • The LDAP configuration is deleted from the customer’s configuration, so all cached Active Directory user-to-group mappings for the domain are removed.
    • The user-to-group mapping is deleted from the LDAP server.

    The SRX Series periodically queries the LDAP server to get user and group information in real time. The user list and group list show only cached users and groups, not all users and groups on the LDAP server. From this information, the SRX Series calculates one-level mapping relationships. The user list, group list, and mapping are cached in the local database.
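    As an added example (not Juniper's code), the following shows how the full user-to-group mapping described under Role of LDAP and in this section can be computed from first-level memberOf data, in both directions that the user-group-mapping command displays; the directory contents, base DN, and names are constructed.

```python
"""Expand first-level LDAP user-to-group mappings into a full mapping.

Added example, not Juniper's implementation. The directory below is a
constructed sample of what an LDAP client reads back as direct
(first-level) membership; nested groups and a membership cycle are
included because real directories contain both.
"""
from collections import deque

BASE_DN = "dc=example,dc=com"  # constructed, derived from example.com
ALICE = "cn=alice,ou=users," + BASE_DN
BOB = "cn=bob,ou=users," + BASE_DN
USERS = [ALICE, BOB]

# entry DN -> groups the entry is a *direct* member of (first-level data)
FIRST_LEVEL = {
    ALICE: ["cn=eng," + BASE_DN],
    BOB: ["cn=eng," + BASE_DN, "cn=vpn," + BASE_DN],
    "cn=eng," + BASE_DN: ["cn=staff," + BASE_DN],     # nested group
    "cn=staff," + BASE_DN: ["cn=all," + BASE_DN],
    "cn=all," + BASE_DN: ["cn=staff," + BASE_DN],     # cycle: all -> staff
}


def full_groups(first_level, entry):
    """Return every group `entry` belongs to, directly or via nesting.

    Breadth-first walk over the first-level data; the `seen` set stops
    the walk at cycles and at groups reached by more than one path.
    """
    seen = set()
    queue = deque(first_level.get(entry, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # already expanded (cycle or diamond)
        seen.add(group)
        queue.extend(first_level.get(group, []))
    return seen


def full_mapping(first_level, users):
    """Full user -> groups view, as a dict of sorted group DNs."""
    return {u: sorted(full_groups(first_level, u)) for u in users}


def members_of(first_level, users, group):
    """Reverse view: users that belong to `group`, directly or nested."""
    return sorted(u for u in users if group in full_groups(first_level, u))
```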

    Updating Group Information in the Authentication Entry Table

    The SRX Series device queries the LDAP server for the users and groups that have changed since the prior query. It then updates the local database and triggers an authentication entry update. Only user-to-group mappings that are already cached are updated; users and groups that are not in the database do not have their mapping relationships cached.

    LDAP Server Status and Statistics

    You can verify the LDAP connection status by issuing the show services user-identification active-directory-access user-group-mapping status command.

    You can see counts of queries made to the LDAP server by issuing the show services user-identification active-directory-access statistics user-group-mapping command.

    Active Directory Autodiscovery

    The integrated user firewall feature provides the IP address and Active Directory name of the domain. The autodiscovery feature can use the Active Directory global catalog feature and query DNS for a list of global catalogs. The global catalogs in the list are typically returned in a weighted order based on criteria such as network location and system-set weights derived from global catalog server size. Once the customer has the list of Active Directories, the customer can configure it for both event log reading and LDAP search.

    Published: 2014-09-18