LDAP authentication

Published: January 11, 2010

Updated: February 15, 2013

Applies To: Unified Access Gateway

Some of the Forefront Unified Access Gateway 2010 SP3 features discussed in this article may be deprecated and may be removed in subsequent releases. For a complete list of deprecated features, see Features Deprecated in Forefront UAG SP3.

Lightweight Directory Access Protocol (LDAP) is an Internet protocol for querying and modifying directory services. An LDAP authentication server keeps information about users, including authentication data such as user properties and authentication scripts, in special-purpose databases called directories. When a connection request arrives at Forefront Unified Access Gateway (UAG), UAG authenticates the supplied user name and password against the LDAP directory.

Forefront UAG implements the following LDAP authentication schemes:

  • Netscape Directory Server (V. 4.1)

  • Notes Directory Server

  • Novell Directory Server

  • Active Directory Lightweight Directory Services (AD LDS) for Windows Server 2008, and Active Directory directory service for Windows Server 2003 or Windows 2000 Server.

All of the supported LDAP authentication schemes provide the following:

  • Two LDAP authentication servers: if the primary LDAP server fails, Forefront UAG fails over to the alternate LDAP server.

  • Secure port: if the authentication server is configured with a secure port (LDAPS, by default TCP 636), Forefront UAG uses a secure connection to it even if a secure connection was not specified when the scheme was defined. This matters because an LDAP simple bind sends the user's password to the directory in cleartext unless the connection is protected by TLS.

  • Novell Directory Server unique users: a user whose name appears in only one context in the tree (or, if a Base is defined, in only one context under the Base) can log in with the user name alone and does not need to enter their context.

LDAP authentication flow

The following figure illustrates the authentication process for users when the LDAP authentication scheme is implemented with one authentication server.

The flow shown allows three login attempts, after which the login failure is final. The number of login attempts that users are allowed is configurable.

LDAP Authentication Flow
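The following is an added example, not Forefront UAG code, that models the behaviour described in the capabilities list and in the flow above: search-then-bind against a directory, failover from a primary to an alternate server, a configurable number of login attempts after which failure is final, and the Novell-style rule that a user name entered without a context is accepted only if it resolves to exactly one entry under the configured Base. The directory is an in-memory stand-in for an LDAP server so the flow runs offline; the sample tree, the status strings and the refusal to use a server without a secure port are assumptions of this example.

```python
"""LDAP-style authentication flow with failover and an attempt limit.

Added illustration, not Forefront UAG code: the "directory" is an in-memory
stand-in for an LDAP server so the flow runs offline. It models search-then-bind,
primary/alternate failover, a configurable number of login attempts, and the
Novell-style rule that a user name without a context is accepted only when it
resolves to exactly one entry under the configured Base.
"""
from dataclasses import dataclass


class ServerDown(Exception):
    """Raised by the stand-in when the server cannot be reached."""


@dataclass
class FakeDirectory:
    """In-memory stand-in for an LDAP server: DN -> (password, attributes)."""
    entries: dict
    secure_port: bool = True   # True models a TLS-protected (LDAPS) port
    up: bool = True

    def search(self, base: str, uid: str) -> list:
        """Return the DNs at or under `base` whose uid attribute equals `uid`."""
        if not self.up:
            raise ServerDown(self)
        base = base.lower()
        return [dn for dn, (_pw, attrs) in self.entries.items()
                if attrs.get("uid") == uid
                and (dn.lower() == base or dn.lower().endswith("," + base))]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: succeeds only if the DN exists and the password matches."""
        if not self.up:
            raise ServerDown(self)
        entry = self.entries.get(dn)
        return entry is not None and entry[0] == password


class LdapAuthenticator:
    """Authenticates (user name, password) against a primary directory and
    fails over to the alternate when the primary is unreachable."""

    def __init__(self, primary, alternate=None, base="", max_attempts=3):
        self.servers = [s for s in (primary, alternate) if s is not None]
        self.base = base
        self.max_attempts = max_attempts
        self.failures = {}   # user name -> consecutive bad-password attempts

    def _try_server(self, server, username, password):
        if not server.secure_port:
            # Assumption for this example: a simple bind sends the password in
            # cleartext, so refuse to use a server that offers no secure port.
            return "insecure_transport"
        if "=" in username:
            dn = username                  # caller supplied the full DN (context given)
        else:
            matches = server.search(self.base, username)
            if not matches:
                # Same answer as a wrong password: do not reveal whether the account exists.
                return "bad_credentials"
            if len(matches) > 1:
                # Name exists in several contexts; the user must enter their context.
                return "ambiguous_user"
            dn = matches[0]
        return "ok" if server.bind(dn, password) else "bad_credentials"

    def authenticate(self, username, password):
        if self.failures.get(username, 0) >= self.max_attempts:
            return "locked_out"            # attempt limit reached; failure is final
        for server in self.servers:        # primary first, then alternate
            try:
                result = self._try_server(server, username, password)
                break
            except ServerDown:
                continue
        else:
            return "server_unavailable"
        if result == "ok":
            self.failures.pop(username, None)
        elif result == "bad_credentials":
            self.failures[username] = self.failures.get(username, 0) + 1
        return result


# Constructed sample tree: alice is unique; bob exists in two contexts.
TREE = {
    "cn=alice,ou=sales,o=example": ("s3cret", {"uid": "alice"}),
    "cn=bob,ou=sales,o=example":   ("bobpw1", {"uid": "bob"}),
    "cn=bob,ou=eng,o=example":     ("bobpw2", {"uid": "bob"}),
}


def make_authenticator(primary_up=True, alternate_up=True, base="o=example", max_attempts=3):
    """Build an authenticator over two copies of the sample tree."""
    return LdapAuthenticator(FakeDirectory(dict(TREE), up=primary_up),
                             FakeDirectory(dict(TREE), up=alternate_up),
                             base=base, max_attempts=max_attempts)


if __name__ == "__main__":
    auth = make_authenticator(primary_up=False)       # primary down: alternate answers
    print(auth.authenticate("alice", "s3cret"))        # ok
    print(auth.authenticate("bob", "bobpw1"))          # ambiguous_user
    print(auth.authenticate("cn=bob,ou=eng,o=example", "bobpw2"))  # ok
    for _ in range(3):
        print(auth.authenticate("alice", "wrong"))     # bad_credentials
    print(auth.authenticate("alice", "s3cret"))        # locked_out
```

Narrowing the Base changes what counts as unique: with `base="ou=eng,o=example"` the name `bob` resolves to a single entry and logs in without a context, whereas under `o=example` it is ambiguous and the user must supply the full DN. Unknown users and wrong passwords deliberately get the same `bad_credentials` answer so the login form does not become a user-enumeration oracle.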