SSL VPN
Contributor
hutchingsp
Posts: 88
Registered: ‎05-03-2009

Authentication - AD/NT vs. LDAP?

I'm evaluating an SA appliance and we want to do domain authentication (by "domain" I simply mean we use Active Directory).

I notice there are options to do "proper" AD/NT authentication where the SA joins the domain, which is what I have it set up with right now, and I notice you can do LDAP authentication where you'd point it to your domain controllers, set your base DNs and away you go, presumably.

My question is, why is one "better" than the other?

For example, I'd really like to be able to limit the base DN so that only users in OUs under a certain parent OU could log in, and I don't seem able to do this using AD authentication, whilst I can do it using LDAP authentication.

I guess there are pros and cons to both; I'm unsure what they are in the real world, though?

Distinguished Expert
muttbarker
Posts: 2,371
Registered: ‎01-29-2008

Re: Authentication - AD/NT vs. LDAP?

AD authentication and authorization is very limited, especially on the authorization component, where you are limited to groups. Using LDAP gives you a LOT more flexibility. You can map and use pretty much any user attribute you want for the role assignment piece.

I am sure there is some reason for using AD, but I can't think of it :-)

We are a reseller and we pretty much always use LDAP on our installs.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Contributor
hutchingsp
Posts: 88
Registered: ‎05-03-2009

Re: Authentication - AD/NT vs. LDAP?

Thanks for the reply. I'm trying to set this up (to be fair I've not spoken to the reseller yet) and I'm nearly there, but I'm missing a trick.

We have a domain, "DC=domain,DC=co,DC=uk", so far as everything else that uses LDAP is concerned.

Within that we have OUs such as:

"OU=Users,DC=domain,DC=co,DC=uk"

and

"OU=Groups,DC=domain,DC=co,DC=uk"

which also contain OUs, so our actual staff may be in

"OU=Staff,OU=Users,DC=domain,DC=co,DC=uk"

and our groups in

"OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk".

I seem to have managed to get authentication working, but as an example I can't browse/search groups when doing role mapping. I clearly have it set up wrong, but I'm not quite sure from the documentation what is "right"?

Message Edited by hutchingsp on 05-13-2009 09:51 AM
Distinguished Expert
muttbarker
Posts: 2,371
Registered: ‎01-29-2008

Re: Authentication - AD/NT vs. LDAP?

Send me your email in a private message and I can send you some screen shots of a simple LDAP setup that might help.

Contributor
hutchingsp
Posts: 88
Registered: ‎05-03-2009

Re: Authentication - AD/NT vs. LDAP?

Thanks Kevin - just in case anyone else finds themselves in a similar predicament, it was a missing "member" in the "Member Attribute" in the groups search fields.
Contributor
DanSmart
Posts: 108
Registered: ‎01-21-2008

Re: Authentication - AD/NT vs. LDAP?

When running LDAP, you have to add AD groups to the "Groups Catalog". In Role Mapping, Groups, Add a group. In the catalog screen, you need to do a search and find the group you want, then add it to the Catalog. If you set your nesting parameter in the LDAP authentication, it will expand any nested groups automatically.
-=Dan=-
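A worked illustration of what the last two replies describe (resolving the user only under a restricted base DN, finding groups through the `member` attribute, and expanding nested groups), added here as an example; it is not part of this thread and not the SA appliance's own code. It runs against a constructed in-memory directory modelled on the OU layout given earlier in the thread, so there is no live LDAP connection. `DIRECTORY`, the DN constants, the mutual nesting of "Staff All" and "VPN Users", and the function names are all assumptions made for the example.

```python
"""Resolve LDAP role-mapping inputs the way the thread describes them: find the
user under a restricted base DN, then walk the groups' `member` attribute,
expanding nested groups.  Added example against a constructed in-memory
directory; it is not the SA appliance's code and makes no network calls."""

from __future__ import annotations

# Constructed sample DNs laid out like the thread's domain (hypothetical data).
ALICE_DN = "CN=Alice,OU=Staff,OU=Users,DC=domain,DC=co,DC=uk"
BOB_DN = "CN=Bob,OU=Contractors,OU=Users,DC=domain,DC=co,DC=uk"
STAFF_ALL_DN = "CN=Staff All,OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk"
VPN_USERS_DN = "CN=VPN Users,OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk"
LOCAL_ADMINS_DN = "CN=Local Admins,OU=Local Groups,OU=Groups,DC=domain,DC=co,DC=uk"

# DN -> attributes.  "Staff All" and "VPN Users" are nested in each other, a
# legal AD configuration that a naive recursive expansion would loop on.
DIRECTORY: dict[str, dict[str, list[str]]] = {
    ALICE_DN: {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    BOB_DN: {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    STAFF_ALL_DN: {"objectClass": ["group"], "member": [ALICE_DN, VPN_USERS_DN]},
    VPN_USERS_DN: {"objectClass": ["group"], "member": [STAFF_ALL_DN, BOB_DN]},
    LOCAL_ADMINS_DN: {"objectClass": ["group"], "member": [ALICE_DN]},
}


def _components(dn: str) -> list[str]:
    """RDN components, trimmed and case-folded.  Assumes no escaped commas in
    attribute values (true of the DNs in the thread)."""
    return [c.strip().lower() for c in dn.split(",")]


def _same_dn(a: str, b: str) -> bool:
    return _components(a) == _components(b)


def in_subtree(dn: str, base_dn: str) -> bool:
    """True when dn is at or below base_dn.  Comparing whole components means
    OU=Users does not match OU=SuperUsers the way a string suffix test would."""
    d, b = _components(dn), _components(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def find_user(account: str, user_base_dn: str) -> str | None:
    """Resolve sAMAccountName to a DN, but only within user_base_dn: a user in
    a sibling OU does not resolve and so cannot authenticate via this realm."""
    for dn, attrs in DIRECTORY.items():
        if "user" not in attrs.get("objectClass", []):
            continue
        names = [n.lower() for n in attrs.get("sAMAccountName", [])]
        if account.lower() in names and in_subtree(dn, user_base_dn):
            return dn
    return None


def groups_of(member_dn: str, group_base_dn: str, member_attr: str = "member",
              nested: bool = True) -> set[str]:
    """Groups under group_base_dn whose member_attr lists member_dn.  With
    nested=True, groups containing those groups are added transitively; the
    `found` set doubles as the visited set so mutual nesting terminates.  A
    wrong member_attr (the thread's original problem) yields no groups at all."""
    def containing(dn: str) -> set[str]:
        return {
            gdn for gdn, attrs in DIRECTORY.items()
            if "group" in attrs.get("objectClass", [])
            and in_subtree(gdn, group_base_dn)
            and any(_same_dn(m, dn) for m in attrs.get(member_attr, []))
        }

    found: set[str] = set()
    pending = [member_dn]
    while pending:
        for gdn in containing(pending.pop()):
            if gdn not in found:
                found.add(gdn)
                if nested:
                    pending.append(gdn)
    return found


def role_for(account: str, user_base_dn: str, group_base_dn: str,
             role_map: dict[str, str]) -> str | None:
    """First role whose group the user is a (possibly nested) member of; None
    when the user is outside the base DN or matches no mapped group."""
    user_dn = find_user(account, user_base_dn)
    if user_dn is None:
        return None
    groups = groups_of(user_dn, group_base_dn)
    for group_dn, role in role_map.items():
        if any(_same_dn(group_dn, g) for g in groups):
            return role
    return None


if __name__ == "__main__":
    staff = "OU=Staff,OU=Users,DC=domain,DC=co,DC=uk"
    global_groups = "OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk"
    for who in ("alice", "bob"):
        print(who, "->", role_for(who, staff, global_groups, {VPN_USERS_DN: "vpn-users"}))
```

Two behaviours worth noting: passing a wrong `member_attr` makes `groups_of` return an empty set, which is the "can't see any groups in role mapping" symptom from earlier in the thread, and `find_user` with the user base DN set to `OU=Staff,OU=Users,...` returns nothing for an account in a sibling OU, which is the base-DN restriction the original question asked about.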
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.