Page 1 of 1
Ldap query for MS AD for group membership
Posted: 19 Sep 2015 20:20
by miguelp
Hi,
I figured out and tested that for checking if a user is member of my group FullInternetAccess I can use this query:
(&(objectCategory=Person)(memberOf=CN=FullInternetAccess,CN=Users,DC=mydomain,DC=me))
Also I can use:
(&(sAMAccountName=myuser)(memberOf=CN=FullInternetAccess,CN=Users,DC=mydomain,DC=me))
In the documentation the example is:
'cn=worker,ou=groups,dc=example,dc=com' memberUid 'objectclass=posixGroup'
Can you help me understand what this means or translate my query to the format required by CG ?
If I execute the command:
I see:
guard filter ip <null>
guard filter time <null>
guard filter ldap test:
groupDN: DC=mydomain,DC=me
loginAttribute: sAMAccountName
ldapFilter: memberOf=CN=FullInternetAccess,CN=Users
But not working.
How can I know if:
a) The filter is working ?
b) The domain list has been successfully loaded ?
This are my other settings:
guard category WebMail
guard rule bloquea deny: WebMail
guard policy test: ldap test
Thanks,
Miguel
Re: Ldap query for MS AD for group membership
Posted: 20 Sep 2015 07:45
by david
Hi Miguel
I'm happy that you got closer to the right solution. In response to your initial post the documentation says:
An LDAP request filter allows you to define guarding policies where the access for end-users is granted if that LDAP request returns a value. This type of filter is only applicable if the authentication mode is activated and configured adequately (See the command authenticate). To define a filter based on an LDAP request use the keyword filter ldap add followed by a filter name, the LDAP distinguished name of the target LDAP object, the LDAP attribute of the object containing the login name given during the authentication process and an LDAP filter applied to returned objects. The LDAP server...
The filter you tested and works contains "
memberOf=CN=FullInternetAccess,CN=Users,DC=mydomain,DC=me", (instead of "
memberOf=CN=FullInternetAccess,CN=Users"). So why don't you use it as the filter with the command "
guard filter add ldap..."?
To answer your two questions:
- The only way to test the LDAP filter is the usage of a client Web browser.
- You can test your blacklists using the default guard policy. Use the Web GUI "[SECURITY] / [URL Guarding] / [URL Filtering Rules]" or the following command:
Code: Select all
guard rule add default deny [i]<category-name1> <category-name2>...[/i]
Best Regards,
Re: Ldap query for MS AD for group membership
Posted: 20 Sep 2015 14:49
by miguelp
Hello David,
Well I deleted all my configuration and made it again using only the command line. Now it works. (I mean as a global, not using Ldap filter).
I mean I managed to block all webmail pages for all users, but there is something that looks like a bug:
If you go to hotmail.com you see the message from the CG saying:
This content is not allowed -> That is OK
If you go to gmail, the URL changes to
https://mail.google.com/mail/
And then it the browser says that it cannot connect to page. You do not see the CG message, but looks like the page is down -> This is not OK (although the end goal has been achieved, the user cannot access the page)
-------------------------------------------------------------------------------------------------------------------
On the other side I issued the command:
Code: Select all
guard rule del default
guard rule add default allow
But now all websites are blocked.
Any ideas ?
Thanks,
Miguel
Re: Ldap query for MS AD for group membership
Posted: 20 Sep 2015 18:02
by david
Dear Miguel
All those features are normal:
1- When a URL is blocked by CG the end-user is redirected to a blocking page. But when the blocked URL uses HTTPS, the redirection is not possible because SSL/TLS simply doesn't allow that redirection so you get an error in your browser instead of the blocking page.
2- In your new configuration you just configured the default guarding rule in white list mode (with the keyword allow instead of deny). But as you didn't specify any guard category, everything is denied. If you specify the WebMail category for instance, only WebMail websites will be allowed and any other websites will be denied.
Best Regards,
Re: Ldap query for MS AD for group membership
Posted: 23 Sep 2015 06:39
by miguelp
Hello David,
Thanks!
About 2, can I use then:
I suppose this will interpreted as deny nothing, so everything will be accessible.
Then I define my other policies for denying some categories, right ?
Thanks,
Miguel
Re: Ldap query for MS AD for group membership
Posted: 23 Sep 2015 08:59
by david
Hi Miguel
Yes, exactly.
Best Regards,
Re: Ldap query for MS AD for group membership
Posted: 23 Sep 2015 17:57
by miguelp
Hello David,
I've setup a test domain, with test Windows Server, Test CG, etc.
I've also managed to capture the LDAP searches CG is sending to the AD using this
http://www.activedir.org/Articles/tabid ... fault.aspx.
For me it looks like CG send the LDAP Filter query only once, and then it caches that information for some time.
Is possible that this is happening ? For how long does it caches ?
I'm asking this because I'm testing with one user, then I remove the user from my test group and test again. But no more queries from CG to AD. Only the BIND.
Thanks,
Miguel
Re: Ldap query for MS AD for group membership
Posted: 23 Sep 2015 20:47
by david
Dear Miguel
The behaviour you described is normal. With CacheGuard, the TTL (Time To Live) for an authenticated session is 2 hours. The TTL for and LDAP filter is also 2 hours.
Best Regards,
Re: Ldap query for MS AD for group membership
Posted: 24 Sep 2015 06:21
by miguelp
Hi,
OK, this explains why not any of my tests were working.
When configuring / testing, it will be really useful that this can be flushed, or reduce the TTL.
Is this possible ?
Thanks,
Miguel
Re: Ldap query for MS AD for group membership
Posted: 24 Sep 2015 06:36
by david
Hi
Any modification that will make the forwarding proxy restart reinitialize the TTL. For instance you can do the following:
mode compress on
apply
Do your tests.
mode compress off
apply
And so on...
Also you may need to restart your Web browser if you need to retest the authentication phase.
Best Regards