How to Configure an LDAP User Directory

The Barracuda SecureEdge Manager allows you to configure an LDAP user directory. The user directory retrieves users and groups from multiple sources and syncs them into an LDAP user directory. Multiple user sources are available. The configuration steps required depend on the user directory you use.

Note that LDAP support is currently limited to Active Directory only.

Configure LDAP

To add an LDAP user directory:

Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.
The chosen Tenant/Workspace is displayed in the top menu bar.
Click the expandable drop-down menu and and select the workspace you want to configure the LDAP user directory for.
Go to Identity > Settings.
The Settings page opens. In the User Directories section, click Add User Directory.
From the user directory drop-down menu, select LDAP. Note: Ensure that the LDAP server is reachable from the internet.
The Add User Directory page opens.
In the User Directory tab, specify the values for the following:
- Display Name – Create a display name to represent the user directory.
- Host– Enter the host.
- Port– Enter the port.
- User Search Base – Enter user search base. E.g.,dc=mydomain.com, dc=com
- Group Search Base – Enter user search base. E.g.,dc=mydomain.com, dc=com
- Groups Included – Enter the group to be included. To add more groups, click +. Note: For the group filter to work, you must provide the exact group name.
Click Next.
In the Authentication tab, specify the values for the following:
- Authentication Method – Select authentication method from the drop-down menu. You can choose between Simple, Anon, NTLM, SASL External, and SASL Kerberos.
  - If you select authentication method as Simple, specify values for the following:
    - Username – Enter username.
    - Password – Enter password.
  - If you select Authentication Method either as a Anon or NTLM, there is no need to specify additional parameters.
  - If you select Authentication Method either as a SASL External or SASL Kerberos, specify a value for the following:
    - SASL Credentials – Enter SASL credentials.
Click Next.
In the TLS Settings tab, specify the values for the following:
- Encryption Method – Select encryption method from the drop-down menu. You can choose between None, StartTLS, and TLS.
  - If you select None, there is no need to specify additional parameters. For example, in this case, select None.
  - If you select Encryption Method either as a StartTLS or TLS, specify the following parameters:
    - SNI Hostname – Enter SNI hostname.
    - Private Key – Click Upload file and upload your private key.
    - Password – Enter password.
    - Public Key – Click Upload file and upload your private key.
    - CA Certificates – Click Upload file and upload your certificate.
    - Check Certificate – Click to enable/disable.
    - Check Hostname – Click to enable/disable
    - Certificate Additional Names – Enter additional name for certificates.
Click Save.
In the User Directories section, a new LDAP user directory has been added, and the STATUS is shown as Pending. The directory sync may take a few minutes.
After the directory sync is completed, verify that in the User Directories table, under the fieldname STATUS, the text has changed to Completed with a green check mark.

In addition, information under the fieldname LAST SYNC displays the time the last sync occurred. The field name SYNC RESULT displays the number of users or groups already synced. Verify that you see all LDAP directory users and groups on the respective Identity > Users and Identity > Groups pages.

Edit LDAP

To edit the LDAP user directory:

Select the workspace you want to edit the LDAP user directory for.
Go to Identity > Settings.
The Settings page opens. In the User Directories section, you can see that LDAP is displayed as your user directory.
To edit your LDAP account, click on the pencil icon.
The Edit User Directory page opens. Edit the value you are interested in. Note: All field names of LDAP user directory are editable.
Click Save.

Remove LDAP

To remove the LDAP directory associated with the selected workspace:

Select the workspace you want to remove the LDAP user directory for.
Go to Identity > Settings. The Settings page opens.
In the User Directories section, you can see your LDAP user directory is displayed.
To remove an existing LDAP user directory, click on the trash can icon.
The Delete User Directory <Name of Your User Directory> page opens.
Click Ok to confirm.

You can verify the following:

You can verify that the previous users/groups from the LDAP user directory are not shown on the Identity > Users and Identity > Groups pages.
For your selected workspace, you can now configure a new user directory of your choice. You can verify that the users/groups from this new user directory are available in the security policies drop-down menu and are shown on the respective Identity > Users and Identity > Groups pages.

Caution before deleting your existing user/group directory via the Identity > Settings tab: If you delete a directory and add a new one (or add the same directory again), all existing security and access policies regarding your user/group directory must be updated. Users who are already enrolled will still have access. Please use the Enrolled Users page to manage who should be deleted.

(Optional) Sync with LDAP

If you must sync the LDAP user directory quickly, proceed with the following steps:

On the Settings page, go to the User Directories section, and click the icon of three vertical dots to sync the user directory.
Click Sync.
The User Directory sync started pop-up window opens.

You will soon see that the sync has fetched and updated the users and groups in the identity management associated with the LDAP user directory. Verify that you see all LDAP directory users and groups on the Identity > Users and Identity > Groups pages after the successful sync.

(Optional) Test Connectivity

If you must test the connectivity of your LDAP user directory quickly, proceed with the following steps:

On the Settings page, go to the User Directories section, and click the icon of three vertical dots to test the connectivity of the user directory.
Click Test Connectivity.
The Testing <Name-of-Your-Directory> Connection pop-up window opens.

You can verify the status of your LDAP connection.

Advanced Settings for the LDAP User Directory

You can also configure advanced settings for the LDAP user directory. After creating a new LDAP sync, the User Email field is set to userPrincipalNameon the Advanced settings page.

Select the workspace where you want to configure advanced settings for your LDAP user directory.
Go to Identity > Settings.
The Settings page opens. In the User Directories section, you can see that LDAP is displayed as your user directory.
To edit your LDAP account, click on the pencil icon.
The Edit User Directory page opens.
In the Advanced tab, set the User Email field to userPrincipalName. For example, in the LDAP directory (2008 version), there are three users, as follows:
- A user named Email but no UPN with the mail attribute set to gotemailbutnoupn@qawin2k8.com but where the userPrincipalName is not set.
- A user named UPN and Email User with the mail attribute set to iamemail@qawin2k8.com and where the userPrincipalName is set to upnandemailuser@qawin2k8.com.
- A user named UPN but no Email without the mail attribute set and where the userPrincipalName is set to upnbutnoemail@qawin2k8.com.
- The following is a detailed list of parameters for advanced settings for the LDAP User Directory:

Attribute	Description	Default Value

Attribute	Description	Default Value
User Class Filter	Query filter to find user objects	`(&(objectCategory=person)(objectClass=user))`
User Search Scope	Scope to find user objects	`subtree`
User Uuid	Specify user UUID attribute	`objectGUID`
User Name	Attribute to get user name from	`displayName,name,cn`
User Email	Attribute to get user email from	`userPrincipalName,email,mailNickName`
User Disabled Filter	Attribute to get user disabled state from	`(userAccountControl:1.2.840.113556.1.4.803:=2)`
User Phone	Attribute to get user phone from	`telephoneNumber,mobile,homephone`
User Modified	Attribute to check user for last modification	`modifyTimestamp`
User Deleted Filter	Search query to find deleted users	`(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(isDeleted=TRUE)`
User Deleted Controls	Control OID for deleted users	`1.2.840.113556.1.4.417`
Group Class Filter	Query filter to find group objects	`(&(objectCategory=group)(objectClass=group))`
Group Search Scope	Scope to find group objects	`subtree`
Group Uuid	Specify group UUID attribute	`objectGUID`
Group Name	Attribute to get group name from	`name`
Group Modified	Attribute to check group for last modification	`modifyTimestamp`
Group Deleted Filter	Search query to find deleted groups	`(objectClass=group)(isDeleted=TRUE)`
Group Deleted Controls	Control OID for group deleted	`1.2.840.113556.1.4.417`
Membership Object	Marks which object represents the group membership on the directory	`group`
Membership Attribute	LDAP membership attribute	`member`

Click Save.

After configuration is complete, verify that you see all LDAP directory (2008 version) users on the Identity > Users page.

You can see users synced with the following emails:

A user Email but no UPN with no email
A user UPN and Email User with email upnandemailuser@qawin2k8.com
A user UPN but no Email with email upnbutnoemail@qawin2k8.com

Further Information

For more information on how to verify LDAP users and groups, see How to Verify Identity Management Users and Groups.
For more information on how to connect your LDAP user directory with Barracuda Cloud Control, see LDAP Active Directory.