Ldap query for MS AD for group membership

Discuss and get help to configure the URL filtering
miguelp
Posts: 46
Joined: 17 Aug 2015 13:06

Ldap query for MS AD for group membership

Post by miguelp »

Hi,

I figured out and tested that for checking if a user is member of my group FullInternetAccess I can use this query:

(&(objectCategory=Person)(memberOf=CN=FullInternetAccess,CN=Users,DC=mydomain,DC=me))

Also I can use:
(&(sAMAccountName=myuser)(memberOf=CN=FullInternetAccess,CN=Users,DC=mydomain,DC=me))

In the documentation the example is:
'cn=worker,ou=groups,dc=example,dc=com' memberUid 'objectclass=posixGroup'

Can you help me understand what this means or translate my query to the format required by CG ?

If I execute the command:


guard filter
I see:
guard filter ip <null>
guard filter time <null>
guard filter ldap test:
groupDN: DC=mydomain,DC=me
loginAttribute: sAMAccountName
ldapFilter: memberOf=CN=FullInternetAccess,CN=Users

But not working.

How can I know if:

a) The filter is working ?
b) The domain list has been successfully loaded ?


These are my other settings:

guard category WebMail
guard rule bloquea deny: WebMail
guard policy test: ldap test


Thanks,
Miguel
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Ldap query for MS AD for group membership

Post by david »

Hi Miguel

I'm happy that you got closer to the right solution. In response to your initial post the documentation says:
An LDAP request filter allows you to define guarding policies where the access for end-users is granted if that LDAP request returns a value. This type of filter is only applicable if the authentication mode is activated and configured adequately (See the command authenticate). To define a filter based on an LDAP request use the keyword filter ldap add followed by a filter name, the LDAP distinguished name of the target LDAP object, the LDAP attribute of the object containing the login name given during the authentication process and an LDAP filter applied to returned objects. The LDAP server...
The filter you tested and works contains "memberOf=CN=FullInternetAccess,CN=Users,DC=mydomain,DC=me", (instead of "memberOf=CN=FullInternetAccess,CN=Users"). So why don't you use it as the filter with the command "guard filter add ldap..."?

To answer your two questions:

- The only way to test the LDAP filter is the usage of a client Web browser.

- You can test your blacklists using the default guard policy. Use the Web GUI "[SECURITY] / [URL Guarding] / [URL Filtering Rules]" or the following command:


guard rule add default deny <category-name1> <category-name2>...
Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
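As an added illustration of David's point (not part of the original thread or of CacheGuard's code): the memberOf value in a filter has to be the group's full distinguished name, including the DC components of the base, and the login value substituted into the filter should be escaped per RFC 4515. The DN and login below are constructed to match the thread.

```python
import re

# Constructed values mirroring the thread: search base and the group to test.
BASE_DN = "DC=mydomain,DC=me"
GROUP_DN = "CN=FullInternetAccess,CN=Users,DC=mydomain,DC=me"

# RFC 4515 escaping for values interpolated into an LDAP search filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def dn_components(dn: str) -> list:
    """Split a DN on unescaped commas (sufficient for DNs like the thread's)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]


def group_dn_is_qualified(group_dn: str, base_dn: str) -> bool:
    """True only if group_dn is a full DN that ends in base_dn.
    A truncated value such as 'CN=FullInternetAccess,CN=Users' never
    matches any object's memberOf attribute."""
    g = [c.lower() for c in dn_components(group_dn)]
    b = [c.lower() for c in dn_components(base_dn)]
    return len(g) > len(b) and g[-len(b):] == b


def membership_filter(login: str, group_dn: str, base_dn: str,
                      login_attr: str = "sAMAccountName") -> str:
    """Build the membership filter the thread tested, refusing a
    non-qualified group DN and escaping the login value."""
    if not group_dn_is_qualified(group_dn, base_dn):
        raise ValueError(f"group DN {group_dn!r} is not a full DN under {base_dn!r}")
    return (f"(&({login_attr}={escape_filter_value(login)})"
            f"(memberOf={escape_filter_value(group_dn)}))")


if __name__ == "__main__":
    print(membership_filter("myuser", GROUP_DN, BASE_DN))
```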
miguelp
Posts: 46
Joined: 17 Aug 2015 13:06

Re: Ldap query for MS AD for group membership

Post by miguelp »

Hello David,

Well I deleted all my configuration and made it again using only the command line. Now it works. (I mean as a global, not using Ldap filter).

I mean I managed to block all webmail pages for all users, but there is something that looks like a bug:

If you go to hotmail.com you see the message from the CG saying:
This content is not allowed -> That is OK

If you go to gmail, the URL changes to https://mail.google.com/mail/
And then the browser says that it cannot connect to the page. You do not see the CG message, but it looks like the page is down -> This is not OK (although the end goal has been achieved, the user cannot access the page)
-------------------------------------------------------------------------------------------------------------------
On the other side I issued the command:


guard rule del default
guard rule add default allow
But now all websites are blocked.
Any ideas ?
Thanks,
Miguel
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Ldap query for MS AD for group membership

Post by david »

Dear Miguel

All those features are normal:

1- When a URL is blocked by CG the end-user is redirected to a blocking page. But when the blocked URL uses HTTPS, the redirection is not possible because SSL/TLS simply doesn't allow that redirection so you get an error in your browser instead of the blocking page.

2- In your new configuration you just configured the default guarding rule in white list mode (with the keyword allow instead of deny). But as you didn't specify any guard category, everything is denied. If you specify the WebMail category for instance, only WebMail websites will be allowed and any other websites will be denied.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
miguelp
Posts: 46
Joined: 17 Aug 2015 13:06

Re: Ldap query for MS AD for group membership

Post by miguelp »

Hello David,
Thanks!

About 2, can I use then:


rule add default deny
I suppose this will be interpreted as deny nothing, so everything will be accessible.

Then I define my other policies for denying some categories, right ?

Thanks,
Miguel
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Ldap query for MS AD for group membership

Post by david »

Hi Miguel

Yes, exactly.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
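A small model of the default-rule semantics David describes in his two replies above (deny with categories = blacklist; allow with categories = whitelist; allow with no categories = everything denied; deny with no categories = everything allowed). This is an added illustration written here, not CacheGuard's own code, and the category names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DefaultRule:
    action: str                                  # "allow" or "deny"
    categories: set = field(default_factory=set)  # guard categories listed on the rule


def default_rule_allows(rule: DefaultRule, url_categories: set) -> bool:
    """Return True if a URL belonging to url_categories is allowed."""
    if rule.action not in ("allow", "deny"):
        raise ValueError(f"unknown action {rule.action!r}")
    listed = bool(rule.categories & url_categories)
    if rule.action == "deny":
        # Blacklist mode: only the listed categories are denied.
        return not listed
    # Whitelist mode: only the listed categories are allowed,
    # so an empty list means nothing is reachable.
    return listed


def explain(rule: DefaultRule, url_categories: set) -> str:
    verdict = "allowed" if default_rule_allows(rule, url_categories) else "denied"
    cats = " ".join(sorted(rule.categories)) or "<none>"
    return f"default {rule.action} [{cats}] -> {sorted(url_categories)} {verdict}"


if __name__ == "__main__":
    for r in (DefaultRule("deny", {"WebMail"}), DefaultRule("deny"),
              DefaultRule("allow"), DefaultRule("allow", {"WebMail"})):
        for cats in ({"WebMail"}, {"News"}):
            print(explain(r, cats))
```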
miguelp
Posts: 46
Joined: 17 Aug 2015 13:06

Re: Ldap query for MS AD for group membership

Post by miguelp »

Hello David,

I've setup a test domain, with test Windows Server, Test CG, etc.

I've also managed to capture the LDAP searches CG is sending to the AD using this http://www.activedir.org/Articles/tabid ... fault.aspx.

For me it looks like CG send the LDAP Filter query only once, and then it caches that information for some time.

Is it possible that this is happening? For how long does it cache?

I'm asking this because I'm testing with one user, then I remove the user from my test group and test again. But no more queries from CG to AD. Only the BIND.



Thanks,
Miguel
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Ldap query for MS AD for group membership

Post by david »

Dear Miguel

The behaviour you described is normal. With CacheGuard, the TTL (Time To Live) for an authenticated session is 2 hours. The TTL for an LDAP filter is also 2 hours.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
miguelp
Posts: 46
Joined: 17 Aug 2015 13:06

Re: Ldap query for MS AD for group membership

Post by miguelp »

Hi,
OK, this explains why none of my tests were working.
When configuring / testing, it will be really useful that this can be flushed, or reduce the TTL.
Is this possible ?
Thanks,
Miguel
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Ldap query for MS AD for group membership

Post by david »

Hi

Any modification that makes the forwarding proxy restart reinitializes the TTL. For instance you can do the following:
mode compress on
apply
Do your tests.
mode compress off
apply
And so on...

Also you may need to restart your Web browser if you need to retest the authentication phase.

Best Regards
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com