End-of-Life (EoL)
Select Device > Server Profiles > LDAP or Panorama > Server Profiles > LDAP to configure settings for the LDAP servers that authentication profiles reference (see Device > Authentication Profile).
LDAP Server Setting Description
Profile Name Enter a name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location ; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can’t change its Location.
Administrator Use Only Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared.
Servers For each LDAP server, click Add and enter the host Name, IP address or FQDN ( LDAP Server), and Port (default is 389).
Type Choose the server type from the drop-down.
Base DN Specify the root context in the directory server to narrow the search for user or group information.
Bind DN Specify the login name (Distinguished Name) for the directory server.
Password/Confirm Password Specify the bind account password. The agent saves the encrypted password in the configuration file.
Bind Timeout Specify the time limit imposed when connecting to the directory server (1-30 seconds; default 30 seconds).
Search Timeout Specify the time limit imposed when performing directory searches (1-30 seconds; default 30 seconds).
Retry Interval Specify the interval in seconds after which the system will try to connect to the LDAP server after a previous failed attempt (range is 1–3,600; default is 60).
Require SSL/TLS secured connection Select this option if you want the firewall to use SSL or TLS for communications with the directory server. The protocol depends on the server port: 389 (default)—TLS (Specifically, the firewall uses the Start TLS operation, which upgrades the initial plaintext connection to TLS.) 636—SSL Any other port—The firewall first attempts to use TLS. If the directory server doesn’t support TLS, the firewall falls back to SSL. This option is selected by default.
Verify Server Certificate for SSL sessions Select this option (it is cleared by default) if you want the firewall to verify the certificate that the directory server presents for SSL/TLS connections. The firewall verifies the certificate in two respects: The certificate is trusted and valid. For the firewall to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under Device > Certificate Management > Certificates > Device Certificates. The certificate name must match the host Name of the LDAP server. The firewall first checks the certificate attribute Subject AltName for matching, then tries the attribute Subject DN. If the certificate uses the FQDN of the directory server, you must use the FQDN in the LDAP Server field for the name matching to succeed. If the verification fails, the connection fails. To enable this verification, you must also select Require SSL/TLS secured connection.

Recommended For You