Configuring eDirectory Access

On this page on a joined Web Appliance, the Off | On button is disabled.
Important
Network Configuration: All of the eDirectory servers that you want to work with must be reachable from your Web Appliance or Management Appliance. If they are not, you must configure static routes to them in the Advanced Settings of the Configuration > Network > Network Interface page.
Important
Firewall Configuration: If there is a firewall between the appliance and your eDirectory server, ensure that TCP port 636 (or whatever LDAPS port is configured on the eDirectory server) is open from the appliance to the server, otherwise eDirectory identification cannot be performed. LDAPS runs over TCP only; opening UDP on the same port does no harm, but it is not required.
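Before filling in the page, it is worth confirming from a host on the appliance's network that the route, the firewall rule and the bind credentials all work. The following pre-flight check is an added example, not part of the appliance or of this documentation: it resolves the server, opens a TLS connection on the LDAPS port, sends an LDAPv3 simple bind with the Authentication DN and password you will enter in step 2, and decodes the BindResponse. The BER encoding is hand-rolled so that only the Python standard library is needed. The host name, the service-account DN and the diagnostic text used in the comments are hypothetical.

```python
"""Pre-flight check for the Configure eDirectory settings (added example).

Connects to the LDAPS port, performs an LDAPv3 simple bind and decodes the
result.  A connection error points at routing or the firewall; an SSL error
at the server certificate; result code 49 at the DN or password.
"""
import getpass
import socket
import ssl

# LDAP result codes a bind or base-DN check is most likely to return (RFC 4511).
RESULT_CODES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] {version 3, name, simple [0]} }.

    message_id must be 1..127 so the single-octet INTEGER stays positive.
    """
    bind_request = tlv(0x60,
                       tlv(0x02, b"\x03")             # version INTEGER 3
                       + tlv(0x04, bind_dn.encode())  # name LDAPDN
                       + tlv(0x80, password.encode()))  # simple [0] OCTET STRING
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind_request)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n octets hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] LDAPResult }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got 0x{op_tag:02x}")
    _, code, pos = _read_tlv(op, 0)        # resultCode ENUMERATED
    _, matched, pos = _read_tlv(op, pos)   # matchedDN
    _, diag, _ = _read_tlv(op, pos)        # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc,
            "result": RESULT_CODES.get(rc, "other"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(errors="replace")}


def check_ldaps(host: str, port: int, bind_dn: str, password: str,
                cafile: str = None, timeout: float = 5.0) -> dict:
    """Resolve, connect, complete the TLS handshake and bind; return the decoded result.

    The server certificate is verified against cafile (your eDirectory CA) or the
    system store.  A BindResponse is small, so a single recv() is enough here.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(1, bind_dn, password))
            data = tls.recv(4096)
    return parse_bind_response(data)


if __name__ == "__main__":
    # Hypothetical server and read-only service account; the password is prompted
    # for rather than passed on the command line so it stays out of shell history.
    HOST, PORT = "edir.example.com", 636
    BIND_DN = "cn=svc-webappliance,ou=services,o=company"
    try:
        print(check_ldaps(HOST, PORT, BIND_DN, getpass.getpass("Password: ")))
    except (OSError, ssl.SSLError) as exc:
        print(f"failed before bind (route, firewall or certificate): {exc}")
```

A result of 0 confirms that the route, the port and the credentials are all right; 49 (invalidCredentials) means the DN or password is wrong, and an error raised before the bind is a network or certificate problem that Verify Settings on the appliance will also report.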
  1. Beside eDirectory integration, near the top of the page, click On.

    The four Configure eDirectory text boxes are enabled.

    Your appliance cannot have the same hostname as the eDirectory LDAP server.


    On a joined Web Appliance, the On/Off button is not functional. It only shows the status as set on the Management Appliance.

  2. Fill in the Configure eDirectory information required to access the server:

    On a joined Web Appliance, you must select the Configure eDirectory settings locally option to make these text boxes editable. If you do not, your joined Web Appliance's LDAP settings are synchronized from your Management Appliance.

    • LDAP server and port: Enter the domain name or IP address, and the port, of your organization's eDirectory server (636 is the default LDAPS port).
    • Authentication DN:

      Enter the username to access the eDirectory server. For example:

      cn=admin,o=company

      To enable eDirectory integration, you must use a pre-existing account on the eDirectory server that is permitted to query the eDirectory database. The account must be a trustee of the root of the tree ([Root]) with explicitly assigned, inheritable Read rights for the entire tree (Browse entry rights and Read attribute rights). A dedicated, read-only service account is preferable to the tree administrator: the appliance only needs to read directory information, and the password you enter here is stored on the appliance, so the account should hold no more rights than that.

    • Password: Enter the password of the user specified in the Authentication DN: field.
    • LDAP base DN: Optionally, enter the base DN of the LDAP tree that you want to use.
  3. [Standalone and Joined Appliances only] You can optionally configure replicas. Under the Configure Replicas (optional) section:
    1. In the LDAP server text box, enter the IP address and port.
    2. In the Replica text box, enter the Replica designation.
      Note
      Misconfiguring replicas can result in poor performance. For recommendations, see Configuring Connections to eDirectory Replicas.
  4. Click Verify Settings.

    The Detect Settings dialog box is displayed, showing the results of the connection attempt. Successful operations are indicated with a green check mark icon, warnings are indicated with a yellow exclamation mark, and failed operations are indicated with a red "x" icon.

    If any operation failed, a troubleshooting message is displayed below the list of verification checks. Read the message, close the Detect Settings dialog box, correct the Configure eDirectory settings, and click Verify Settings again.

    The Verify Settings button is available on a joined Web Appliance if you have selected the Configure eDirectory settings locally option.

  5. Click Apply.
  6. Optionally, click Synchronize Now to have the appliance immediately synchronize user and group information with the configured eDirectory server. This can only be done after you have configured and applied the settings specified in the previous steps.
    Note
    The Synchronize Now button does not exist on a joined Web Appliance.
  7. To specify IP addresses and CIDR ranges from which clients may browse unauthenticated, that is, without being associated with an eDirectory username:
    1. In the eDirectory Options section, select Do not associate eDirectory usernames with the following IP addresses.
    2. Click Add.

      The Exempt Authentication dialog box is displayed.

    3. Enter an IP address or CIDR IP address range into the text box and select which address type it is (IP Address or IP Range) from the adjacent drop-down list, and then click Add.
      Important
      The Web Appliance interprets any dotted quad followed by a slash and a number from 0 to 32 as a CIDR range. A URL entered as an IP address followed by a numbered top-level directory in that range (for example, an address followed by /24) would therefore be treated as a CIDR range rather than a URL. To avoid this, always enter URLs to numbered directories using fully qualified domain names rather than IP addresses.
      The IP address or range of IP addresses is added to the list below.
      Note
      If you exempt clients by IP address, any report or search that normally displays a User name field shows their IP address instead, because no eDirectory username is associated with that traffic. Other system functions continue to operate as expected. Keep the list to addresses that genuinely cannot be identified, such as servers, kiosks or shared devices, and prefer single addresses or narrow ranges over broad ones.
    4. [Optional] To delete a listed IP address or IP range, select the check box beside the entry that you want to remove, and click Delete.

      The IP address or range of IP addresses is removed from the list.

    5. Click Save.
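The CIDR rule in the Important note above, and the way exempt entries are matched against client addresses, are easy to get wrong in practice (a /8 typed where /32 was meant exempts an entire class A). The following model of the exemption list is an added example, not code from the appliance: it applies the documented rule that a dotted quad followed by "/" and a number from 0 to 32 is a CIDR range, checks the text against the type chosen in the drop-down, warns about host bits that will be masked off and about broad ranges, evaluates whether a client address is exempt, and shows the effect on the User name field described in the Note. The sample entries and addresses are constructed; only IPv4 is handled, as the page speaks of dotted quads.

```python
"""Model of the eDirectory exemption list (added example, not appliance code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Union

Entry = Union[ipaddress.IPv4Address, ipaddress.IPv4Network]

# Dotted quad, a slash, then digits; the "< 33" test below completes the documented rule.
_CIDR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/(\d+)$")


@dataclass
class ParsedEntry:
    kind: str                      # "IP Address" or "IP Range", as in the drop-down list
    value: Entry
    warnings: List[str] = field(default_factory=list)


def classify_entry(text: str) -> ParsedEntry:
    """Classify text the way the page describes: quad/N with N < 33 is a range.

    Raises ValueError for anything that is neither a range nor a plain IPv4 address
    (for example "10.20.30.40/33", which fails the range rule and is not an address).
    """
    text = text.strip()
    m = _CIDR.match(text)
    if m and int(m.group(2)) < 33:
        net = ipaddress.IPv4Network(text, strict=False)   # host bits are silently masked
        warnings = []
        if str(net.network_address) != m.group(1):
            warnings.append(f"host bits set: {text} is stored as {net}")
        if net.prefixlen < 24:
            warnings.append(f"broad exemption: {net} covers {net.num_addresses} addresses")
        return ParsedEntry("IP Range", net, warnings)
    return ParsedEntry("IP Address", ipaddress.IPv4Address(text))


def validate_entry(text: str, declared_kind: str) -> ParsedEntry:
    """Reject an entry whose text does not match the type selected in the dialog."""
    parsed = classify_entry(text)
    if parsed.kind != declared_kind:
        raise ValueError(f"{text!r} parses as {parsed.kind}, but {declared_kind} was selected")
    return parsed


def is_exempt(client_ip: str, entries: List[ParsedEntry]) -> bool:
    """True if the client falls on any listed address or inside any listed range."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip == e.value if e.kind == "IP Address" else ip in e.value for e in entries)


def reported_identity(client_ip: str, entries: List[ParsedEntry], username: str) -> str:
    """What a report's User name field shows: the address for exempt clients."""
    return client_ip if is_exempt(client_ip, entries) else username


if __name__ == "__main__":
    # Constructed sample list: a print server, a kiosk subnet, and a typo (/8 for /32).
    entries = [classify_entry(t) for t in ("10.20.30.40", "192.168.5.0/24", "10.20.30.41/8")]
    for e in entries:
        print(e.kind, e.value, *e.warnings, sep=" | ")
    for client in ("192.168.5.77", "10.200.0.1", "172.16.0.9"):
        print(client, "exempt" if is_exempt(client, entries) else "identified")
```

Run as a script, the third entry is reported as the whole of 10.0.0.0/8 with two warnings, and 10.200.0.1 turns out to be exempt even though nobody intended it to be; reviewing the list with a check like this before clicking Save catches exactly that.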