Integration with Active directory

Discuss and get help to configure the Web users authentication
miguelp
Posts: 46
Joined: 17 Aug 2015 13:06

Integration with Active directory

Post by miguelp »

Hi,
My idea is to integrate Cacheguard with my AD.

Basically user A that belongs to group YYYY (in AD) will be not able to see some URL.

Any ideas where to start?

Thanks,
Miguel
charles
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris

Re: Integration with Active directory

Post by charles »

Dear Miguel

I moved your post into a newly created Topic that I called "Configure the Authentication". CacheGuard can be integrated with an LDAP server (AD supports LDAP) in order to authenticate Web users. To do this you need to:

- Activate the authentication mode with the following command:

Code:

mode authenticate on

- Configure the LDAP authentication with the command "authenticate" (see the documentation at http://www.cacheguard.net/doc/command/authenticate.html).

- Create the URL guarding according to your needs with the command "guard" (see the documentation at http://www.cacheguard.net/doc/command/guard.html).

Of course you can do all those configurations using the Web GUI:

- [GENERAL] / [Main Settings] / [Main Features]
- [SECURITY] / [Users Authentication]
- [SECURITY] / [URL Guarding]

Best Regards,
Charles Tajvidi
IT Technical Architect
http://www.cacheguard.com
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Integration with Active directory

Post by david »

Hi

Also don't forget to activate the guard mode:

Code:

mode guard on

In order to authenticate users with an LDAP request you need to create an LDAP filter:

Code:

guard filter ldap add ...

Please read http://www.cacheguard.net/doc/guide/security.html#auth for further information.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
miguelp
Posts: 46
Joined: 17 Aug 2015 13:06

Re: Integration with Active directory

Post by miguelp »

Hello,
I managed to make another cache work with my AD, so I suppose my AD settings are OK.

I have these questions:

1. What is the default value for <login-attr> for a standard AD?
2. What is the default value for <passwd-attr> for a standard AD?
3. Can I see some kind of log to see what is happening, I mean why the authentication is not working?

Thanks,
Miguel
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Integration with Active directory

Post by david »

Dear Miguel

I'm not an AD specialist, but after having searched a little bit on the Net I found that AD uses an LDAP class called user in order to authenticate users. So the attributes and LDAP filter to use with CG would be as follows:

<login-attr>: sAMAccountName
<passwd-attr>: userPassword
<ldap-filter>: 'objectClass=user'

And the command to use would be something like:

Code:

authenticate ldap request 'dc=example,dc=com' sAMAccountName userPassword 'objectClass=user' 'ou=groups,dc=example,dc=com'

(Using the Web GUI: [SECURITY] / [Users Authentication] / [LDAP Request])

Please try this and let me know if it works.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
miguelp
Posts: 46
Joined: 17 Aug 2015 13:06

Re: Integration with Active directory

Post by miguelp »

Dear David,
Thanks for the info, but it does not work.

This is what I have in my configuration:

userBaseDN: DC=mydomain,DC=me
loginAttribute: sAMAccountName
passwordAttribute: userPassword
ldapFilter: objectClass=user
groupBaseDN: OU=Pruebas,DC=mydomain,DC=me
groupName: cn=GrInternet

I just replaced the actual name of my domain, with 'mydomain'.

Any other ideas? Or how can I see the query that is being sent to the AD?

Also note that I have enabled the BIND option, since anonymous queries are not allowed to the AD by default.

Not sure how to put the user name though (Bind DN).

The bind in the other cache that is working looks like this:

Code:

basic_ldap_auth -v 3 -b DC=mydomain,DC=me -D mpadmin@mydomain.me -w MyPasswrod -f "sAMAccountName=%s" -u uid -P myServer:389

Any ideas how to translate this?

Thanks,
Miguel
charles
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris

Re: Integration with Active directory

Post by charles »

Hello Miguel

Actually the groupBaseDN and groupName parts are optional. Please use the CLI (Command Line Interface) and execute the following commands:

Code:

authenticate ldap request 'dc=mydomain,dc=me' sAMAccountName userPassword 'objectClass=user'
apply

Please note that you can't use the Web GUI to apply this configuration because the related Web GUI page (/gui/authenticate-ldap-request.apl) refuses empty entries (this feature should be enhanced in a future version).

Best Regards,
Charles Tajvidi
IT Technical Architect
http://www.cacheguard.com
miguelp
Posts: 46
Joined: 17 Aug 2015 13:06

Re: Integration with Active directory

Post by miguelp »

Hello Charles,

I applied the configuration through the CLI. Still the same issue: it asks me for authentication, I type user and password, and it asks me again and again and again.

This is what I have now (textual configuration):

authenticate ldap request:
userBaseDN: dc=mydomain,dc=me
loginAttribute: sAMAccountName
passwordAttribute: userPassword
ldapFilter: objectClass=user
authenticate ldap binddn cn=mpadmin,dc=mydomain,dc=me ...

Thanks,
Miguel
charles
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris

Re: Integration with Active directory

Post by charles »

Hi

Please double check that you correctly entered the LDAP binding password (/gui/authenticate-ldap-binddn.apl). Nothing is certain...

Also to better identify the problem you're encountering I need to know the version of the AD/Windows Server you use. Actually I'm not sure that the userPassword attribute is the right attribute to consider for the password. Alternatively you can use the unicodePwd attribute and see if it can resolve the problem.

As a workaround you can create a dedicated sub-tree on your AD for authenticated Web users so you can use the class inetOrgPerson, which is a standard LDAP class (unlike the MS class user, which is not). This way Web users don't use the same password as the one they use to log into their machines, so you reinforce your security (even if it may be considered a constraint). You should be aware that the basic authentication protocol implemented in all Web browsers sends passwords unencrypted to Web proxies.

Best Regards,
Charles Tajvidi
IT Technical Architect
http://www.cacheguard.com
miguelp
Posts: 46
Joined: 17 Aug 2015 13:06

Re: Integration with Active directory

Post by miguelp »

Hello,
Thanks! Password triple checked, still the same issue. The URL (/gui/authenticate-ldap-binddn.apl) did not work though (not found).
When using the command line, it asks for the password.
This is the command I'm using for the bind:

Code:

authenticate ldap binddn set 'cn=mpadmin,dc=mydomain,dc=me'

where mpadmin is a user with all privileges (just for testing).

Also tried the unicodePwd.

I'm using Windows 2012 R2 Standard – 64 bit with latest support pack.

Before going for a dedicated sub-tree, any other ideas what to check?

Is there any way to see if it fails at the bind or at the query?

Thanks,
Miguel
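Added here as an example that is not part of the thread and not CacheGuard's code: a stdlib-only Python probe that sends one LDAPv3 simple bind with the configured bind DN and decodes the server's BindResponse, which separates a failing bind from a failing search (the last question above). The host, DN and password are placeholders; the sub-code table is the well-known set AD puts in the diagnosticMessage of a rejected bind.

```python
import socket
import ssl
# Sub-codes AD embeds in the diagnosticMessage of a failed bind ("... data 52e, ...").
AD_BIND_SUBCODES = {"525": "user not found", "52e": "invalid credentials",
                    "532": "password expired", "533": "account disabled",
                    "773": "must reset password", "775": "account locked out"}

def _ber(tag, body):
    """BER TLV with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def bind_request(msg_id, dn, password):
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ version 3, dn, simple [0] pw } }"""
    op = _ber(0x02, bytes([3])) + _ber(0x04, dn.encode()) + _ber(0x80, password.encode())
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, op))

def _tlv(buf, pos):
    """Parse one TLV at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                                  # long-form length
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    else:
        length, start = first, pos + 2
    return tag, buf[start:start + length], start + length

def parse_bind_response(resp):
    """Return (resultCode, diagnosticMessage, AD meaning or None); resultCode 0 = bind OK."""
    _, msg, _ = _tlv(resp, 0)                         # outer LDAPMessage SEQUENCE
    _, _, pos = _tlv(msg, 0)                          # messageID
    tag, op, _ = _tlv(msg, pos)                       # BindResponse is [APPLICATION 1] = 0x61
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _tlv(op, 0)                        # resultCode ENUMERATED
    _, _, pos = _tlv(op, pos)                         # matchedDN
    _, diag, _ = _tlv(op, pos)                        # diagnosticMessage
    diag = diag.decode(errors="replace")
    meaning = next((v for k, v in AD_BIND_SUBCODES.items() if f"data {k}" in diag), None)
    return int.from_bytes(code, "big"), diag, meaning

def probe_bind(host, dn, password, port=636, use_tls=True):
    """Connect, send one simple bind and return the decoded response (placeholders as inputs)."""
    sock = socket.create_connection((host, port), timeout=10)
    if use_tls:  # a simple bind carries the password in clear, so prefer LDAPS
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, dn, password))
        return parse_bind_response(sock.recv(4096))
```

Call `probe_bind("dc.mydomain.me", "cn=mpadmin,dc=mydomain,dc=me", "<password>")` (or `port=389, use_tls=False` against a plain listener); a result code of 49 with "data 52e" means the bind DN or password is rejected, while 0 means the query, not the bind, is what fails.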