Panasonic NN46110-600 User Manual
Chapter 2 Configuring servers 37
Figure 6 LDAP proxy user authentication (screen capture; the visible option is the Enable Access to LDAP Proxy Server check box)
LDAP V3-compliant LDAP server
LDAP controls are an extension of the LDAP protocol in LDAP/V3. They pass extended information with LDAP requests and responses. Netscape Directory Server 3.0 and higher use LDAP controls to return password information within bind responses. This information determines if the user's password is expiring or already expired.
When you configure the VPN Router to use an external LDAP authentication server, it informs users that their passwords are expired or expiring and allows the client to change the password. If the RACF server password is expired, the VPN Router sends the password in the form oldPw/newPw. For Netscape Directory, the VPN Router sends the LDAP modify request to modify the password and password time stamp attributes.
Note: The VPN Router currently supports MD4, MD5, SHA and clear text methods. The VPN Router does not support the Unix CRYPT and SSHA (Salted Secure Hashing Algorithm) encryption methods; therefore, if passwords saved in LDAP proxy are encrypted using these methods, the password change is not successful.
LDAP controls are only passed back when performing a user bind. An administrative bind does not trigger password expiration controls. This means that the password must be available in plain text to perform the bind, such as PAP within IPsec authentication, as used by the VPN Client.
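As an added illustration, not code from the manual or the router, of what a user bind returns: a small Python decoder for an LDAP v3 BindResponse that pulls out the Netscape password expired/expiring response controls described above. The control OIDs are the public Netscape/389-ds ones and the sample response bytes are constructed for this example; both are assumptions, not values taken from the manual.

```python
# Added example, not from the Nortel manual: decode an LDAP v3 BindResponse and read
# the Netscape password-policy response controls (assumed public 389-ds/Netscape OIDs).
PWD_EXPIRED_OID = "2.16.840.1.113730.3.4.4"   # value "0": password already expired
PWD_EXPIRING_OID = "2.16.840.1.113730.3.4.5"  # value: seconds until the password expires

def _tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    """List the TLVs nested directly inside a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def parse_bind_response(pdu):
    """Return (resultCode, {controlType: controlValue}) from one LDAPMessage."""
    parts = _children(_tlv(pdu, 0)[1])       # messageID, protocolOp, [0] controls
    assert parts[1][0] == 0x61, "not a BindResponse"  # [APPLICATION 1] BindResponse
    result_code = _children(parts[1][1])[0][1][0]     # ENUMERATED resultCode
    controls = {}
    if len(parts) > 2 and parts[2][0] == 0xA0:
        for _, ctrl in _children(parts[2][1]):
            fields = _children(ctrl)          # controlType [, criticality] [, controlValue]
            value = fields[-1][1] if len(fields) > 1 and fields[-1][0] == 0x04 else b""
            controls[fields[0][1].decode()] = value
    return result_code, controls

def password_state(controls):
    """What the router should tell the user, based on the returned controls."""
    if PWD_EXPIRED_OID in controls:
        return "expired"
    if PWD_EXPIRING_OID in controls:
        return "expiring in %d s" % int(controls[PWD_EXPIRING_OID].decode())
    return "ok"

def _ber(tag, body):                         # encode one TLV, short-form length only
    return bytes([tag, len(body)]) + body

# Constructed sample: messageID 2, resultCode success (0), empty matchedDN and
# diagnosticMessage, plus a "password expiring" control saying 86400 seconds remain.
SAMPLE_PDU = _ber(0x30, _ber(0x02, b"\x02")
    + _ber(0x61, _ber(0x0A, b"\x00") + _ber(0x04, b"") + _ber(0x04, b""))
    + _ber(0xA0, _ber(0x30, _ber(0x04, PWD_EXPIRING_OID.encode()) + _ber(0x04, b"86400"))))
```

`parse_bind_response(SAMPLE_PDU)` yields result code 0 with the expiring control, and `password_state` on those controls reports the password as expiring in 86400 seconds; an administrative bind, which carries no such controls, maps to "ok" even when the user's password has already expired.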
Nortel VPN Router Security — Servers, Authentication, and Certificates