Configure LDAP authentication on Conductor and Airwall Edge Services

You can use Active Directory and LDAP authentication with the Conductor to streamline user account management. When LDAP is configured, users can choose to log in with an LDAP account on the Conductor login page.

There are currently three different ways to authenticate with Conductor.

  • With a Conductor account. These are local accounts that log directly into the device
  • With LDAP authentication. This allows you to authenticate with any LDAP server, including Microsoft Active Directory services.
  • With a third-party authentication provider that supports OpenID Connect. See Integrate Third-party Authentication with OpenID Connect.
To set up a LDAP authentication, you need to already have an LDAP server accessible to the Conductor.
Note: These instructions use Microsoft Active Directory, but other LDAP services also work.

There are four different roles in the Conductor:

  • System Administrator – These users have full access to the Conductor and can adjust any settings. Note that to edit LDAP settings, you must be logged in locally to the Conductor, not through LDAP.
  • Read-only System Administrator – These users have read access to the Conductor, but cannot make changes.
  • Network Administrator – These users have access to and can adjust any overlay network they are a manager of. They do not have access to Conductor Settings.
  • Remote Access User – These users can only see their own information, and can log in with their credentials if authentication is required for their Airwall Agent or Server.

For more detailed role information, see Understand People Roles and Permissions.

Step 1: Set up and configure your LDAP server

LDAP is not enabled in Active Directory by default, so you will have to turn it on. Once you have LDAP working and running, you can start.

Create a dedicated account with the necessary permissions to authenticate. In Active Directory, you could create a service account under the root "Users" OU, and make it a Domain Admin.

Step 2: Enter and verify your local Conductor admin account credentials, and select Authentication provider

  1. Log into Conductor locally (not through LDAP) as a System Administrator. (Only local administrators have access to authentication provider settings.)
  2. Open Settings, and next to Authentication, select Add Provider.
  3. Select LDAP from the list of providers.

Step 3: Enter your LDAP settings

You will need to know the following values:

  • Host (Hostname or IP address)
  • Port (636 is the default)
  • If you are using a dedicated LDAP service account, the fully-distinguished path for the user account, and the password
Under LDAP host settings, enter the information for your LDAP host, and select Next. For more details on these settings, see LDAP host settings.

Note: TLS LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.

Step 4: Configure Search Settings

This page can mostly be left as-is, unless you have special settings you wish to set. You can search for user accounts here to ensure that the Conductor can search the directory. Select Next. For more details on these settings, see LDAP search settings.

You can test the search by entering a search term and selecting Test LDAP search.

Step 5: Configure Group Settings

The Conductor assigns LDAP users to one of the four account types above by making them a member of a security group.

If you do not have appropriate groups already, create these groups in LDAP to link to Conductor roles (you can use different names – using cond_ makes it easier to see which roles are for the Conductor). By default, these groups place the users into the following roles:
  • cond_admin – System Administrator
  • cond_readonly – Read-only System Administrator
  • cond_network – Network Administrator
  • cond_remote – Remote Access User

Since users cannot have more than one role at a time, if they are members of multiple groups, they'll be assigned the role with the most permissions.

Remember to test the settings to ensure that Conductor can see all of the groups you reference on your LDAP server.

  1. For LDAP group settings, enter the groups for the roles you want LDAP users to have, and Group search attributes, and select Next. For more details on these settings, see LDAP group settings.

    You can also add other security groups to the configuration, separated by commas.

    Note: You can set up these groups on your LDAP server after setting up LDAP on the Conductor, but Test group settings will fail.
  2. For Group filters, enter filters to specify which LDAP groups the Conductor sees. For example, if you've created the cond_ groups above, you may want to set the filter to Starts with with a value of cond.
    LDAP group filter example: Starts with "cond"
  3. Select Finish
    You may lose connection briefly as the new settings are applied.

Step 6: Configure user onboarding

Configure user onboarding for the people groups created above to give users access to overlay networks through Airwall Agents and Servers. Setting the groups up beforehand simplifies user onboarding.
  1. In the Conductor, create People groups that match the LDAP groups you specified above (for example, cond-admin)
  2. Specify user onboarding options as you create the groups. For details, see Set up a People Group.
As users log in through LDAP, they are added to these People groups and given an activation code that activates the permissions and other options you specified for the People groups.

Step 7: Set up Conductor management access

You can also set up access for your Conductor system and network admins individually.

  1. Add administrators to Overlays – Add administrators individually as members of Overlay networks to give them access to the resources they need. You can add them from their People page, or from an Overlay page:
    • From the person's People page, next to Overlay networks, select Edit. Add the person as a member or manager of Overlays.

      People page showing you can add them to People groups or Overlay networks

    • From the Overlays page, open the overlay, and under People, select Update. Add the administrators as members or managers of the overlay.

      Update People for an Overlay

  2. Add administrators to People groups – Similarly, you can add administrators to People groups, from their People page or add several administrators from the People group:
    • From a person's People page – Next to People groups, select Edit and select the People groups with the permissions they need.
    • From a People group – Open the People group, and on the People tab, select the people to add.

Step 8: Verify by logging in to the Conductor

Verify that LDAP is set up by logging in and checking permissions.

  1. Log out from your local administrator account.
  2. Next to Sign in using, select LDAP, and log into the Conductor with an LDAP account.

  3. Check that permissions are set correctly for that user.

See also: Configure user authentication for Airwall Agents and Airwall Servers.