CacheGuard Help

Dear Miguel

I'm happy to hear that you finally found a solution to make it work even if the workaround is a bit far-fetched I'm curious to know that how you find that we should use the 'sAMAccountType=805306368' filter.

Regarding unencrypted exchanged passwords with an LDAP (or AD) server you have to possibility to use LDAPS. See the commands authenticate ldap server... and authenticate ldap certificate... for further information. Equivalent Web GUI menu options are:

"[SECURITY] / [Users Authentication] / [LDAP Servers] "
and
"[SECURITY] / [TLS Certificates] / [LDAP Certificate]".

But please note that Web navigators always send passwords unencrypted to Web proxies.

Anyway thank you so much for investigating around this issue. As you mentioned, AD is very popular and we certainly need to make CG work with it.

My idea to resolve the issue is as follows:

- Make the ldapFilter optional in order to avoid guessing strange filters
- Make the passwordAttribute optional to allow CG to use LDAP binding instead of comparing the entered password to a given attribute.

We should be able to add this fix to the latest maintenance release which is 1.1.2. I hope that we can publish that release before the end of August 2015.

Which version of CG are you using today?

Best Regards,

Hello,

I'm using version : CG-OS-NG-1.1.1

That attribute I got it from here:
http://www.selfadsi.org/extended-ad/sea ... counts.htm (I checked that all users did have that attr.)

Your proposals sounds great! I will test it as soon as it is released.

Remember that now I'm able to bind, because I'm sending the full path where the user is located:

CN=proxy,OU=pfSense,OU=OficinaCentral,DC=mydomain,DC=me

And in the attributes of user proxy, I did not set any First name nor last name, because then the CN will be First + Last name and spaces were not ok.

Only if do not set First and Last dame the CN is equal to sAMAccountName.

In this case
CN=proxy
sAMAccountName=proxy

If I set the attributes (first and last name, 99% of the cases are set) then

CN=John Doe
sAMAccountName=proxy

Thanks for your time,

Miguel

Dear Miguel

We just released v1.1.2 that among other things fixes issues you've encountered to integrate CG with AD. Feel free to apply the patch to upgrade to this version that you can find at: http://www.cacheguard.net/cacheguard-patch.html. Please read the change logs before applying the patch at http://www.cacheguard.net/doc/guide/changelogs.html.

I would appreciate it if you could tell me if this version properly fixes issues related to AD.

Best Regards,

Hello Charles,

OK , I installed the new version what changes should I do ?

How I can tell CG to authenticate using bind instead of comparing some attribute ?

Thanks,
Miguel

Hello Miguel

You can leave the "Password attribute" and "Filter" fields empty. You can also have white spaces in the bind DN with this new version. Please read the following for further information: http://www.cacheguard.net/doc/command/authenticate.html.

I hope that this version fixes issues you encountered with AD. I look forward to have your feedback.

Best Regards,

Hello,

Yes, it works! Thanks !

Now, one more question:

How can I define rules, for users that belong different OUs in the AD ?

Is that possible?

I want to make something like, if user belongs to OU=xxxxx then It cannot go to domain uuuuuu.com

Thanks,
Miguel

Hi

I'm happy to hear that

To configure the URL guarding based on belonging to an LDAP group, you have to do the following:

- Create a guard category list (GUI: [SECURITY] / / [Category Lists]). - Initialise the guard category list ... rding.html and begin the configuration. If you have any questions regarding the URL guarding, please let us know by posting a new topic in the "Configure the URL Guarding" forum.

Best Regards,