SonicWall OpenDirectory User Authentication

I answered a message on the OS X Server Administrator's list regarding how to set up a SonicWall Pro Series appliance to authenticate users against OpenDirectory. I promptly started receiving more questions directly from people trying to accomplish the same thing. Since not all lists are attachment-friendly, here are snapshots of the settings I'm using in one case. Please note that a) this could be more secure, and b) I've redacted where necessary.

Step 1: Log into the firewall and choose the "Users" tab in the nav bar. You should see a dropdown menu with authentication options.


Figure 1 - SonicWall authentication options

Step 2: Choose "LDAP + Local Users" and then click the "Configure..." button.

Step 3: Match up your settings as necessary:


Figure 2 - Main settings tab

Move on to the "Schema" tab:


Figure 3 - Mapping into OD Schema

Then, move on to the actual LDAP configuration. Clearly, this needs to match your configuration on the OS X Server side, which can be checked in Server utility:


Figure 4 - SonicWall LDAP configuration

The remaining tabs are really situation-dependent, so I won't cover them here. The above information should be enough for a successful "test" on the "Test" tab. In Figure 4, by the way, I'm not using groups, so there's a bit of a bogus value in there.

Questions? Post 'em and I'll see what I can do.


it, thanks. That was a result of porting the site over from WordPress....and trying not to visit every post in the process!

It looks like the problems that we initially had with getting this to work may have been down to our firmware on the SonicWall being out of date. We recently flashed up to SonicOS Enhanced and LDAP connection now works just fine. Hope this helps anybody who was having problems.


LDAP update.....

Don't worry about the Qualified login attribute, you can leave that blank.

Also the above setting will make the VPN login use the OD short name. You can make it use the long name by choosing 'User Defined' LDAP schema and setting the following:
Object class: inetOrgPerson
Login name attribute: cn
User group:
Object class: groupOfNames
Member attribute: member
-is Distinguished Name

Don't forget to update firmware

Scott Morabito
Tech Superpowers, Boston MA USA
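
As an added illustration of the short-name versus long-name mapping discussed in the comment above (not part of the original post or its comments, and not SonicWall's code): a small Python model of how an LDAP client turns the schema settings into a user search and a group lookup. The directory entries, DNs and function names are constructed for the example, and the login name is escaped per RFC 4515 before it goes into the filter.

```python
# Added example: constructed directory; every DN, name and value is made up.
USERS = "cn=users,dc=example,dc=com"
DIRECTORY = {
    "uid=jdoe," + USERS: {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"], "cn": ["Jane Doe"]},
    "uid=asmith," + USERS: {
        "objectClass": ["inetOrgPerson"], "uid": ["asmith"], "cn": ["Al Smith (IT)"]},
    "cn=vpnusers,cn=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["vpnusers"],
        "member": ["uid=jdoe," + USERS]},  # member "is Distinguished Name"
}

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(login, object_class="inetOrgPerson", login_attr="cn"):
    """Search filter a client would send for this login under the given mapping."""
    return "(&(objectClass=%s)(%s=%s))" % (
        object_class, login_attr, escape_filter_value(login))

def find_user(login, object_class="inetOrgPerson", login_attr="cn"):
    """Emulate the server side: DN whose login attribute equals `login`, or None."""
    for dn, attrs in DIRECTORY.items():
        values = [v.lower() for v in attrs.get(login_attr, [])]
        if object_class in attrs["objectClass"] and login.lower() in values:
            return dn
    return None

def groups_for(user_dn, group_class="groupOfNames", member_attr="member"):
    """Groups that list the user's full DN in the member attribute."""
    return [dn for dn, attrs in DIRECTORY.items()
            if group_class in attrs["objectClass"]
            and user_dn in attrs.get(member_attr, [])]

if __name__ == "__main__":
    for attr, login in (("uid", "jdoe"), ("cn", "jdoe"), ("cn", "Jane Doe")):
        dn = find_user(login, login_attr=attr)
        print(user_filter(login, login_attr=attr), "->", dn,
              groups_for(dn) if dn else [])
```

With the login name attribute set to `cn`, the short name no longer resolves, so users need to be told which form to type after the mapping changes.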