Sync OUs
An enterprise needs to synchronize the organizational structure of the LDAP server with that of the device while maintaining continuous synchronization. To achieve this, LDAP User Sync must be configured on Athena NGFW.
Step 1. Set the LDAP server to be synchronized by specifying its IP address, port, login username, password, and so on. For details, see Chapter 6.6.3.3 External Authentication Server.
Step 2. Go to Policies > Authentication > Local Users > LDAP User Sync, click Add, and set the synchronization parameters in the Add Sync Policy dialog box.
Step 3. Specify Name, Description, Sync Mode, and Auto Sync. Select Sync by OU for Sync Mode and Enabled (once a day) for Auto Sync, so that synchronization runs automatically once a day.
Step 4. In Server Settings, specify the OUs on the LDAP server to be synchronized.
LDAP Server: Select the LDAP server to be synchronized. In this example, the server configured in Step 1 is selected.
LDAP Directory: Specify the OUs to be synchronized on the LDAP server. Click Select to select the OUs to be synchronized in the Select OU dialog box. Click Save.
Add top-level OU of selected LDAP directory below specified OU of local directory: When selected, the root domain on the LDAP server will also be synchronized as a group, and the OUs synchronized are its subgroups.
Add bottom-level OU of selected LDAP directory below specified OU of local directory: When selected, the synchronization starts from the selected OU.
Add sub-OU of selected LDAP directory below specified OU of local directory: When selected, the synchronization starts from the sub-OU of the selected OU. The selected OU and its affiliated users will not be synchronized to the device.
OU Depth: Specify the depth of the imported OUs. The value is 10 in this example, meaning that only sub-OUs down to level 9 are synchronized to the device as user groups. Users in OUs below level 9 are still synchronized to the device, as users of the level-9 OU above them.
Filter: Specify the filter parameters for synchronization.
Step 5. In Local Settings, set Method and Local Directory, and choose whether to enable Allow concurrent logins on multiple terminals.
Method: Whether to synchronize OUs, users, or both. Select an option as required.
Sync LDAP OUs and users to this device: Synchronize OUs to the device as user groups, and OU users as members of those user groups.
Sync LDAP users to this device, OU ignored: Synchronize OU users to the device without synchronizing the OUs themselves.
Sync LDAP OUs to this device, user ignored: Synchronize OUs to the device as user groups without synchronizing OU users. In this example, select Sync LDAP OUs and users to this device to synchronize both OUs and users.
Allow concurrent logins on multiple terminals: A domain account synchronized to the device is a public account by default and can be logged in to from multiple PCs at the same time. If this option is not selected, the account is a private account that can be logged in to from only one PC at a time.
Local Directory: Select an existing group on the device under which the synchronized OUs will be added as subgroups. Select the group in the Select OU dialog box.
Step 6. Click OK to save the policy. The added synchronization policy is displayed on the LDAP User Sync page. Click Sync Now to synchronize immediately, or wait for the daily automatic synchronization.
Step 7. Go to Policies > Authentication > Local Users > Group/User to view the synchronization results, as shown in the following figure. The imported OUs and users are consistent with those on the LDAP server.
If the name of an OU or user to be synchronized duplicates an existing user group or user on the device, the synchronization fails.
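The following Python model, added here as an illustration and not taken from the Athena NGFW product or its documentation, shows how the Server Settings and Local Settings above combine on a small constructed directory: the three "Add ... OU ... below specified OU" start options, the OU Depth limit (deeper OUs collapse into the deepest synchronized ancestor), the three Method choices, and the rule that a duplicate group or user name fails the run. The directory entries, the `Synced` local directory, and the way levels are counted (from the first synchronized OU, with the root-domain group of the top-level option not counted) are this example's assumptions.

```python
"""Model of the OU-sync options (constructed example, not Athena NGFW code)."""


class SyncError(Exception):
    """Raised when a synced OU or user name duplicates one already on the device."""


# Constructed sample directory: (dn, kind). Assumption: no escaped commas in DNs,
# so the parent of an entry is everything after its first RDN.
SAMPLE_DIRECTORY = [
    ("DC=sangfor,DC=com", "domain"),
    ("OU=Sales,DC=sangfor,DC=com", "ou"),
    ("OU=East,OU=Sales,DC=sangfor,DC=com", "ou"),
    ("OU=Team1,OU=East,OU=Sales,DC=sangfor,DC=com", "ou"),
    ("OU=West,OU=Sales,DC=sangfor,DC=com", "ou"),
    ("CN=alice,OU=Sales,DC=sangfor,DC=com", "user"),
    ("CN=bob,OU=East,OU=Sales,DC=sangfor,DC=com", "user"),
    ("CN=carol,OU=Team1,OU=East,OU=Sales,DC=sangfor,DC=com", "user"),
    ("CN=dave,OU=West,OU=Sales,DC=sangfor,DC=com", "user"),
]
SALES = "OU=Sales,DC=sangfor,DC=com"


def rdn_value(dn):
    """'OU=Sales,DC=...' -> 'Sales'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def parent_dn(dn):
    return dn.split(",", 1)[1] if "," in dn else ""


def domain_name(dn):
    """'DC=sangfor,DC=com' -> 'sangfor.com'."""
    return ".".join(p.split("=", 1)[1] for p in dn.split(",") if p.startswith("DC="))


def sync_ous(directory, selected_ou, start, depth, method, local_dir,
             existing_groups=frozenset(), existing_users=frozenset()):
    """Return {local group path: [user names]} that one sync run would create.

    start : "top" (root domain becomes a group, selected OU below it),
            "bottom" (start from the selected OU) or
            "sub" (start from the sub-OUs; the selected OU and its own users are skipped)
    depth : OU Depth; with depth N only OU levels 1..N-1 below local_dir become groups
            (levels counted from the first synced OU; the root-domain group of "top"
            mode is not counted, which is this model's assumption)
    method: "ous_and_users", "users_only" or "ous_only"
    """
    if depth < 2:
        raise ValueError("depth must be at least 2")
    ous = {dn for dn, kind in directory if kind == "ou"}
    users = [dn for dn, kind in directory if kind == "user"]
    root_dn = next(dn for dn, kind in directory if kind == "domain")

    if start == "top":
        roots, prefix = [selected_ou], [domain_name(root_dn)]
    elif start == "bottom":
        roots, prefix = [selected_ou], []
    elif start == "sub":
        roots, prefix = sorted(dn for dn in ous if parent_dn(dn) == selected_ou), []
    else:
        raise ValueError("start must be 'top', 'bottom' or 'sub'")

    groups = {}      # local group path -> user names
    placement = {}   # OU dn -> local group path that receives its users
    if method != "users_only" and prefix:
        groups["/".join([local_dir] + prefix)] = []
    for root in roots:
        for dn in sorted(d for d in ous if d == root or d.endswith("," + root)):
            names, cur = [], dn
            while cur != parent_dn(root):          # collect names from root down to dn
                names.insert(0, rdn_value(cur))
                cur = parent_dn(cur)
            kept = prefix + names[:depth - 1]      # OUs deeper than the limit collapse
            placement[dn] = "/".join([local_dir] + kept)
            if method != "users_only":
                groups.setdefault(placement[dn], [])
    if method == "users_only":
        groups[local_dir] = []
    for dn in users:
        ou = parent_dn(dn)
        if ou not in placement or method == "ous_only":
            continue                               # outside scope, or users not wanted
        target = local_dir if method == "users_only" else placement[ou]
        groups[target].append(rdn_value(dn))

    # Duplicate names fail the whole run, as the documentation states.
    group_names = {p.rsplit("/", 1)[-1] for p in groups if p != local_dir}
    user_names = {u for members in groups.values() for u in members}
    clash = (group_names & set(existing_groups)) | (user_names & set(existing_users))
    if clash:
        raise SyncError(f"names already exist on the device: {sorted(clash)}")
    return {path: sorted(members) for path, members in groups.items()}
```

Running `sync_ous(SAMPLE_DIRECTORY, SALES, "bottom", 3, "ous_and_users", "Synced")` shows the depth rule: `Team1` is not created as a group, and its user `carol` lands in `Synced/Sales/East`. Passing `existing_users={"bob"}` raises `SyncError`, which is the behaviour to expect before a first sync into a directory that already holds manually created accounts.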
Sync Security Groups
To synchronize security groups from an LDAP server, log in to the web console of the Athena NGFW device, go to Policies > Authentication > User Management > LDAP User Sync, and click Add. In the dialog box that appears, select Sync Security groups by OU (AD domain only) for Sync Mode, and configure the other parameters such as Auto Sync, Server Settings, and Local Settings as required.
• Name: Specify the name of the sync policy.
• Description: Enter a description for the sync policy.
• Sync Mode: Select Sync Security groups by OU (AD domain only).
• Auto Sync: Select Enable and specify the auto sync interval as needed. The system then automatically syncs the relevant security groups from the selected AD domain server at that interval.
• LDAP Server: Select the source server from which security groups will be synchronized. If no LDAP server is available, go to Policies > Authentication > User Authentication > External Auth Server to add one. To sync security groups from this LDAP server, make sure that connectivity to the LDAP server is normal.
• LDAP Directory: Select the security groups to be synced. You can select security groups by specifying an OU, in which case all security groups that belong to this OU and its subdirectories are synced. Alternatively, you can directly select a security group, in which case only that security group is synced.
• Filter: Specify the filter condition for security group synchronization. For more information about the filter condition, see the descriptions about LDAP search expressions.
• Overwrite local security groups with the same name: Select whether to enable the overwrite feature. By default, a security group originally synced from an AD domain is overwritten by the latest data synced from the same AD domain. If a synced security group is modified on the local Athena NGFW device, it automatically becomes a local security group and is no longer overwritten. This feature also determines whether a local security group is overwritten when a security group with the same name is synced from a different AD domain or was created locally. A security group is protected from any overwrite if it contains local members such as local users, local user groups, or manually added temporary users.
• Add AD domain suffixes: Select whether to add an AD domain suffix for a synced security group. By default, when a security group is synced from an AD domain to Athena NGFW, its name will remain the same, and the corresponding security group in the AD domain will be automatically used as a member of the synced security group. To enable security groups from different AD domains to use the same name, you can select this check box. When this check box is selected, the name of a security group synced from an AD domain will be automatically changed to the "security group name@domain name" format for domain differentiation. For example, there is a security group named "sec" in the AD domain named "sangfor.com". When this security group is synced to Athena NGFW, its name is automatically changed to "sec@sangfor.com", and the "sec" security group in the "sangfor.com" AD domain is automatically used as a remote member of the "sec@sangfor.com" security group.
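The following Python model, added as an illustration and not taken from the Athena NGFW product or its documentation, applies the two options above to a constructed device state: the `@domain` suffix naming described under Add AD domain suffixes, and the overwrite decision order described under Overwrite local security groups with the same name (local members protect a group; the same AD domain refreshes its own groups; any other same-named group is overwritten only when the option is on). The group names, the `other.example` second domain, and the treatment of a locally modified group as an ordinary local group for the overwrite option are this example's assumptions.

```python
"""Model of the security-group sync rules (constructed example, not Athena NGFW code)."""
from dataclasses import dataclass, field


@dataclass
class SecurityGroup:
    name: str
    source: str                 # AD domain the group was synced from, or "local"
    remote_members: list = field(default_factory=list)  # (AD group, domain) pairs
    local_members: list = field(default_factory=list)   # local users/groups, temporary users


def synced_name(ad_group, domain, add_suffix):
    """Name a synced group gets on the device: 'sec' or 'sec@sangfor.com'."""
    return f"{ad_group}@{domain}" if add_suffix else ad_group


def modify_locally(group):
    """Editing a synced group on the device turns it into a local group."""
    return SecurityGroup(group.name, "local", list(group.remote_members), list(group.local_members))


def sync_security_groups(local, ad_groups, domain, overwrite=False, add_suffix=False):
    """Apply one sync of `ad_groups` from `domain` to the device's group table.

    Returns (new group table, {name: decision}). Decision order, as this model
    reads the documentation: local members always protect a group; a group synced
    from the same domain is refreshed; any other same-named group is replaced only
    when the overwrite option is enabled.
    """
    result = dict(local)
    decisions = {}
    for ad_group in ad_groups:
        name = synced_name(ad_group, domain, add_suffix)
        # The AD group itself becomes the remote member of the synced group.
        fresh = SecurityGroup(name, domain, remote_members=[(ad_group, domain)])
        existing = result.get(name)
        if existing is None:
            decision = "created"
        elif existing.local_members:
            decision = "kept: contains local members"
        elif existing.source == domain:
            decision = "overwritten: latest data from the same AD domain"
        elif overwrite:
            decision = "overwritten: option enabled"
        else:
            decision = "kept: overwrite option disabled"
        if decision == "created" or decision.startswith("overwritten"):
            result[name] = fresh
        decisions[name] = decision
    return result, decisions


# Constructed device state before the sync (not real data).
DEVICE_GROUPS = {
    "sec": SecurityGroup("sec", "sangfor.com", remote_members=[("sec", "sangfor.com")]),
    "ops": SecurityGroup("ops", "local", local_members=["alice"]),
    "dev": SecurityGroup("dev", "other.example", remote_members=[("dev", "other.example")]),
    "qa": modify_locally(SecurityGroup("qa", "sangfor.com", remote_members=[("qa", "sangfor.com")])),
}
AD_GROUPS = ["sec", "ops", "dev", "qa", "new"]


if __name__ == "__main__":
    for overwrite in (False, True):
        _, decisions = sync_security_groups(DEVICE_GROUPS, AD_GROUPS, "sangfor.com", overwrite)
        print(f"overwrite={overwrite}: {decisions}")
    groups, _ = sync_security_groups(DEVICE_GROUPS, AD_GROUPS, "sangfor.com", add_suffix=True)
    print(sorted(groups))
```

With the suffix option on, every incoming group is created under a new `name@sangfor.com` entry and the existing `sec`, `dev`, and `qa` groups are left untouched, which is the behaviour to rely on when two domains carry identically named groups. With the suffix off and the overwrite option off, only `sec` (same domain) is refreshed; `ops` is protected by its local member in either mode.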
Delete a Synchronization Policy
When a synchronization policy is unwanted, you can delete it. Specifically, go to the LDAP User Sync page, select the synchronization policy to be deleted, and click Delete. The deletion of a synchronization policy will not affect the groups and users already synchronized to the device.
View Logs
A synchronization log is generated every time the device synchronizes OUs or users from the LDAP server, so that you can check the synchronization status. Click View Logs. In the Sync Logs dialog box, click the name of a synchronization log to select and download it.