Configuring Authentication
Figure 5-4 shows the configuration page for an LDAP service with non-user binding. For many of the
options on the LDAP service page, the values you enter depend on the configuration of your LDAP
service, so a thorough knowledge of your LDAP implementation is necessary.
You can configure the 700wl Series system to use an external LDAP database for user authentication, and
to retrieve group identity information used to associate the authenticated user with an Identity Profile.
This section also provides specific instructions for:
• Setting up authentication using Active Directory
• Setting up authentication using a Netscape/iPlanet Directory Server
Depending on the configuration of your LDAP server, you can configure the 700wl Series system to either
retrieve the user’s password from the LDAP directory and then authenticate the user, or have the LDAP
directory server do the authentication. The type of authentication you want to do determines the method
you use to establish a session with the LDAP server. Establishing a session is known as binding to the
server.
The bind methods you can use will be dictated by the configuration of your LDAP server.
• Non-User Binding allows the 700wl Series system to bind to the directory service either anonymously,
or using the root Distinguished Name (DN) and password, and retrieve the user’s password. The 700wl
Series system then authenticates the user.
• User Binding specifies that the 700wl Series system should bind to the directory service as if it were the
user, presenting the user’s DN and password. The directory service then authenticates the user.
The bind method you select determines what fields you see on the bottom part of the LDAP configuration
page.
The 700wl Series system also retrieves group identity information for the user from the LDAP server. This
can be done in two ways.
• If group identity information is included in the same record as the rest of the user information, you need
to provide the name of the attribute that contains this information.
• If group identity information is kept in a separate record, you can specify a second search string to
retrieve the group membership in a second operation.
You will need to know the following information about your LDAP database:
• The base Distinguished Name for your database
• The attribute that contains the user logon name
• The attribute that contains the user password, if you are doing a non-user bind, and the method of
encryption that the database uses to encrypt the password
• The bind string that defines the user Distinguished Name, if you are using user binding
• The attribute that contains the group membership identity information, if it is kept in the user record
• The search string to find group membership information if it is kept in a separate record
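The two bind methods and the two ways of retrieving group membership described above, modelled against a constructed in-memory directory. This is an added example, not code from the 700wl Series guide or its firmware; the attribute names uid, userPassword, memberOf and member, the {SSHA}/{SHA} password schemes and the %s placeholder in the bind string are assumptions, since the real values depend on your directory's schema.

```python
import base64
import hashlib

# Constructed stand-in for the LDAP server: a dict of DN -> attributes.
# Attribute names and password schemes are assumptions about the schema.
def ssha(password: str, salt: bytes = b"\x01\x02\x03\x04") -> str:
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

BASE_DN = "dc=example,dc=com"
DIRECTORY = {
    f"uid=alice,ou=people,{BASE_DN}": {
        "uid": "alice", "userPassword": ssha("correct horse"),
        "memberOf": [f"cn=staff,ou=groups,{BASE_DN}"],   # group kept in user record
    },
    f"cn=staff,ou=groups,{BASE_DN}": {"member": [f"uid=alice,ou=people,{BASE_DN}"]},
    f"cn=guests,ou=groups,{BASE_DN}": {"member": [f"uid=bob,ou=people,{BASE_DN}"]},
}

def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate against a {SSHA}/{SHA}/cleartext userPassword value.
    This is the 'method of encryption' the non-user bind must know about."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    if stored.startswith("{SHA}"):
        return base64.b64decode(stored[5:]) == hashlib.sha1(candidate.encode()).digest()
    return stored == candidate   # cleartext attribute: weakest storage, same logic

def non_user_bind_auth(login_attr, password_attr, username, password):
    """Non-user binding: search under the base DN (as root DN or anonymously),
    read the password attribute and verify it locally. The bind account
    therefore needs read access to password hashes: grant that sparingly."""
    for dn, entry in DIRECTORY.items():
        if entry.get(login_attr) == username:
            return dn if verify_password(entry.get(password_attr, ""), password) else None
    return None

def user_bind_auth(bind_template, username, password):
    """User binding: build the user DN from the bind string and bind as that
    user; the directory checks the password and the hash never leaves it."""
    dn = bind_template.replace("%s", username)   # placeholder syntax is an assumption
    entry = DIRECTORY.get(dn)
    return dn if entry and verify_password(entry.get("userPassword", ""), password) else None

def groups_from_record(user_dn, group_attr):
    """Group identity stored in the user's own record (first method)."""
    return list(DIRECTORY[user_dn].get(group_attr, []))

def groups_by_search(user_dn, member_attr):
    """Group identity kept in separate records, found by a second search (second method)."""
    return [dn for dn, e in DIRECTORY.items() if user_dn in e.get(member_attr, [])]
```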
5-10 HP ProCurve Secure Access 700wl Series Management and Configuration Guide