Reflection for Secure IT Gateway - Administrator’s Guide > Managing Users and Groups > LDAP Server Advanced Domain Settings

LDAP Server Advanced Domain Settings

Users can log into the Transfer Client and Gateway Administrator using just a user ID (for example joe) or using a domain name and user ID (acme\joe). By default, when a user logs in using just a user ID, Reflection Gateway searches all available LDAP servers for a matching user and authenticates the first matching user it finds; it does not search additional LDAP servers if that fails. When no domain name is included, a UserID for a different domain could match and allow login if the passwords for both accounts are the same.

You can use Advanced domain settings on the New/Edit LDAP Server page to customize how Reflection Gateway manages user authentication to your LDAP server(s). The examples below show how login is handled for some possible configurations.

NOTE:Advanced domain settings apply to password authentication only; X.509 certificate authentication always requires user mapping that specifies both a domain and username.

These examples use acme as a sample Active Directory domain. For these examples, this acme is a domain that requires a valid authentication domain name. It can accept both acme and acme.com as the authentication domain name.

Example 1

Domain Name = anyName; Domain Mapping = anyAlias; Remove User Domain= No, Default Authentication Domain = none.

  • Login as validUser: Authentication fails because there is no authentication domain name, and this is required by the acme domain.

  • Login as anyName\validUser or anyAlias\validUser: Authentication fails because anyName and anyAlias are not valid authentication domain names.

  • Login as acme\validUser or acme.com\validUser: Authentication succeeds because acme and acme.com are valid authentication domain names.

Example 2

Domain Name = anyName; Domain Mapping = anyAlias; Remove User Domain= No, Default Authentication Domain = none.

  • Login as validUser: Authentication succeeds because Reflection Gateway adds the value specified for Default Authentication Domain (acme) before authenticating.

  • Login as anyName\validUser or anyAlias\validUser: Authentication fails because anyName and anyAlias are not valid authentication domain names.

  • Login as acme\validUser or acme.com\validUser: Authentication succeeds because acme and acme.com are valid authentication domain names.

Example 3

Domain Name = anyName; Domain Mapping = anyAlias; Remove User Domain= Yes, Default Authentication Domain = none.

The following results are based on the sample acme domain, which requires a valid domain name for authentication:

  • Login as validUser: Authentication fails because there is no authentication domain name, and this is required by the acme domain.

  • Login as anyName\validUser: Authentication fails. Although acme is the valid authentication domain name, it is removed before Reflection Gateway attempts authentication.

  • Login as acme\validUser or acme.com\validUser: Authentication fails because authentication is attempted with no authentication domain name.

If your Active Directory domain does not require an authentication domain, the login attempts above will succeed because each of them presents a valid user ID to the domain. In this case, using anyAlias\validUser improves performance because the Domain Mapping directs Reflection Gateway to authentication to this specific LDAP server. Although anyAlias is not the actual domain authentication name, authentication succeeds because the domain name is removed before Reflection Gateway attempts authentication.

Example 4

This example shows a configuration for handling a merger that brings users from the summit domain in to the acme domain. It enables summit users to log in without modifying their familiar credentials.

Domain Name = anyName; Domain Mapping = anyAlias; Remove User Domain= No, Default Authentication Domain = none.

  • Login as validUser: Authentication succeeds because Reflection Gateway uses the value specified for Default Authentication Domain (acme).

  • Login as acme\validUser or summit\validUser: Authentication succeeds because the entered domain, acme or summit, is removed and default acme is used.

  • Login as anything\validUser: Authentication succeeds. A domain is provided by the user for which no mappings exist. In this case Reflection Gateway tries all configured LDAP servers and applies the directory-specific domain rules for each one. Authentication to the acme domain will succeed because the entered domain anything is removed and replaced by acme.