2.10.3. LDAP Authentication

This authentication method is the preferred solution for medium and large network environments. Users will have to authenticate when accessing web sites by entering a valid username and password. The credentials are verified against an external Server using the Lightweight Directory Access Protocol (LDAP).

LDAP authentication will be useful if you have already a directory service in your network and don't want to maintain additional user accounts and passwords for web access.

The Advanced Proxy works with the LDAP Server types listed under LDAP type below: Active Directory, Novell eDirectory, and LDAP v2 and v3.

As an option, membership for a certain group can be required.

Note

The protocol LDAPS (Secure LDAP) is not supported by the Advanced Proxy.

LDAP Authentication

If you are unsure about your internal directory structure, you can examine your LDAP server with the command-line ldapsearch tool.

Windows clients can use the free and easy-to-use Softerra LDAP browser for this: http://www.ldapbrowser.com

2.10.3.1. Global authentication settings

Global authentication settings section

Number of authentication processes The number of background processes listening for requests. The default value is 5; increase it if authentication takes too long or if Windows integrated authentication falls back to explicit authentication.

Authentication cache TTL Duration in minutes for which credentials are cached for each single session. When this time expires, the user has to re-enter the credentials for that session. The default is 60 minutes, the minimum is 1 minute. The TTL is reset whenever the user sends a new request to the Proxy Server within a session.

Note

If the user opens a new session, the credentials must always be entered, even if the TTL has not expired for another session.

Limit of IP addresses per user (optional). Number of source IP addresses from which a user can be logged in at one time. An IP address is released after the time defined at User/IP cache TTL.

Note

This has no effect when running Local authentication and the user is a member of the “Extended” group.

User/IP cache TTL Duration in minutes for which the relation between each user name and the IP address it used is cached. The default value is 0 (disabled).

A value greater than 0 is only reasonable while using a limit for concurrent IP addresses per user.

Require authentication for unrestricted source addresses By default, authentication is required even for unrestricted IP addresses. If you don't want to require authentication for these addresses, untick this box.

Authentication realm prompt This text will be shown in the authentication dialog. The default is “IPCop Advanced Proxy Server”.

Destinations without authentication This allows you to define a list of destinations that can be accessed without authentication.

Note

Any domains listed here are destination DNS domains and not source Windows NT domains.

Examples:

Entire domains and subdomains

*.example.net
*.google.com

Single hosts

www.example.net
www.google.com

IP addresses

81.169.145.75
74.125.39.103

URLs

www.example.net/download
www.google.com/images

Note

You can enter all of these destination types in any order.

Example for Windows Update.

To allow access to Windows Update without authentication add these destinations to the list:

*.download.microsoft.com
*.windowsupdate.com
windowsupdate.microsoft.com
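Because every entry in this list opens a destination to unauthenticated users, it pays to check what a given list actually matches before deploying it. The following is an added example, not code from the Advanced Proxy: it parses the four entry types shown above (wildcard domain, single host, IP address, URL), and reports which requests would bypass authentication. The matching rules are an assumption drawn from the examples (a `*.` entry covers the domain itself and all subdomains; a URL entry matches that path and everything below it, but not `/downloads` for `/download`); the sample list is constructed from the documentation's own examples.

```python
"""Review helper for the 'Destinations without authentication' list.

Added example, not part of IPCop or the Advanced Proxy.  It models the four
entry types from the documentation and answers "would this request skip
authentication?" so a list can be reviewed for over-broad entries.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list, mixing the entry types in arbitrary order as the
# documentation permits.
DESTINATIONS = """
*.windowsupdate.com
windowsupdate.microsoft.com
*.download.microsoft.com
81.169.145.75
www.example.net/download
www.google.com
"""


def parse_destinations(text):
    """Turn the list into (kind, host_pattern, path_prefix) tuples.

    kind is one of 'domain' (wildcard), 'host', 'ip' or 'url'.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        if "/" in line:                      # URL: host plus path prefix
            host, _, path = line.partition("/")
            entries.append(("url", host, "/" + path.rstrip("/")))
        elif line.startswith("*."):          # entire domain and subdomains
            entries.append(("domain", line[2:], None))
        else:
            try:                             # plain IP address
                ipaddress.ip_address(line)
                entries.append(("ip", line, None))
            except ValueError:               # otherwise a single host name
                entries.append(("host", line, None))
    return entries


def _host_matches(kind, pattern, host):
    if kind == "domain":
        # Assumption: '*.example.net' covers example.net itself as well as
        # any depth of subdomain ("entire domains and subdomains").
        return host == pattern or host.endswith("." + pattern)
    return host == pattern                   # 'host' and 'ip': exact match


def matching_entry(entries, url):
    """Return the first entry that lets this request through, or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for kind, pattern, prefix in entries:
        if kind == "url":
            # Path must equal the prefix or sit below it as a whole segment.
            if host == pattern and (path == prefix or path.startswith(prefix + "/")):
                return (kind, pattern, prefix)
        elif _host_matches(kind, pattern, host):
            return (kind, pattern, prefix)
    return None


def bypasses_auth(entries, url):
    return matching_entry(entries, url) is not None


def review(entries, urls):
    """Map each request to the entry responsible for skipping authentication."""
    return {u: matching_entry(entries, u) for u in urls}


if __name__ == "__main__":
    entries = parse_destinations(DESTINATIONS)
    for url, hit in review(entries, [
        "http://download.windowsupdate.com/msdownload/update.cab",
        "http://www.example.net/download/setup.exe",
        "http://www.example.net/downloads",
        "http://mail.google.com/",
    ]).items():
        print("%-60s %s" % (url, "no authentication (%s)" % (hit,) if hit else "authentication required"))
```

Run it against the real list exported from the GUI to spot entries such as a bare `*.company.com` that were meant to cover one update host but in fact exempt an entire domain tree.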

2.10.3.2. Common LDAP settings

Common LDAP settings section

Base DN This is the base where the LDAP search starts. All Organizational Units (OUs) below it are included.

Refer to your LDAP documentation for the required format of the base DN.

Example Base DN for Active Directory:

cn=users,dc=ads,dc=local

This will search for users in the group users in the domain ads.local.

Example Base DN for eDirectory:

ou=users,o=acme

This will search for users in the Organizational Unit users (and below) in the Organization acme.

Note

If the Base DN contains spaces, you must “escape” these spaces using a backslash.

Example for a Base DN containing spaces:

cn=internet\ users,dc=ads,dc=local

LDAP type You can select between different types of LDAP implementations:

  • Active Directory (ADS)

  • Novell eDirectory (NDS)

  • LDAP v2 and v3

LDAP Server Enter the IP address of your LDAP Server.

Port Enter the port on which your LDAP Server listens for LDAP requests. The default is 389.

Note

The protocol LDAPS (Secure LDAP, port 636) is not supported by the Advanced Proxy.

2.10.3.3. Bind DN settings

Bind DN settings section

Bind DN username Enter the full distinguished name for a Bind DN user.

Note

A Bind DN user is required for Active Directory and eDirectory.

The Bind DN user must be allowed to browse the directory and read all user attributes.

If the Bind DN username contains spaces, you must “escape” these spaces using a backslash.

Bind DN password Enter the password for the Bind DN user.

2.10.3.4. Group based access control

Group based access control section

Required group (optional). Enter the full distinguished name of a group for authorized Internet users.

In addition to correct authentication, membership in this group is required for web access.

Note

If the group name contains spaces, you must “escape” these spaces using a backslash.
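The Base DN, Bind DN and Required group sections all share the backslash-escaping rule for spaces, and the ldapsearch tool mentioned at the start of this chapter is the natural way to confirm those values before typing them into the GUI. The following is an added example, not code from the Advanced Proxy or IPCop: it produces the escaped GUI form of each DN and builds the ldapsearch command lines that confirm (a) the Bind DN can read user attributes below the Base DN and (b) a user is a member of the required group. The server address, DNs and password are constructed sample values; the attribute names (sAMAccountName and memberOf for Active Directory, cn and groupMembership for eDirectory, uid and member/uniqueMember for generic LDAP) are the customary ones and are assumptions to check against your own schema.

```python
"""Preparation and verification helpers for the LDAP settings in this chapter.

Added example, not part of IPCop or the Advanced Proxy.
"""
import shlex
import subprocess

# Constructed sample settings; the DNs deliberately contain spaces.
SETTINGS = {
    "ldap_type": "ADS",                       # one of the GUI choices: ADS, NDS, LDAP
    "server": "192.0.2.10",                   # documentation-range address, not a real server
    "port": 389,                              # LDAPS (636) is not supported by the proxy, so the
                                              # bind travels unencrypted: keep this traffic on a
                                              # trusted network segment
    "base_dn": "cn=internet users,dc=ads,dc=local",
    "bind_dn": "cn=proxy bind,cn=users,dc=ads,dc=local",
    "bind_password": "BIND-PASSWORD-PLACEHOLDER",
    "required_group": "cn=internet users,dc=ads,dc=local",
}

# Attribute that holds the login name, and (for ADS/NDS) the attribute on the
# user object that lists group memberships.  Assumed conventions, not from the page.
USER_ATTR = {"ADS": "sAMAccountName", "NDS": "cn", "LDAP": "uid"}
GROUP_ATTR = {"ADS": "memberOf", "NDS": "groupMembership"}


def escape_dn_spaces(dn):
    """Return the DN in the form the GUI fields require: every unescaped
    space becomes backslash-space (cn=internet users -> cn=internet\\ users)."""
    out, prev = [], ""
    for ch in dn:
        out.append("\\ " if ch == " " and prev != "\\" else ch)
        prev = ch
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name or DN dropped into a search filter
    cannot change the filter's structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_filter(ldap_type, username):
    return "(%s=%s)" % (USER_ATTR[ldap_type], escape_filter_value(username))


def group_filter(ldap_type, username, group_dn):
    """ADS/NDS record memberships on the user object, so one filter checks both."""
    return "(&%s(%s=%s))" % (user_filter(ldap_type, username),
                             GROUP_ATTR[ldap_type], escape_filter_value(group_dn))


def _ldapsearch_base(settings):
    """Common options: simple bind as the Bind DN over ldap:// on the configured
    port.  Arguments are passed as a list, so the DNs need no backslash escaping
    here; that form is only for the GUI.  -w puts the password in the process
    list; use -W to be prompted when running this by hand."""
    return ["ldapsearch", "-x", "-LLL",
            "-H", "ldap://%s:%d" % (settings["server"], settings["port"]),
            "-D", settings["bind_dn"], "-w", settings["bind_password"]]


def user_lookup_argv(settings, username):
    """Checks Base DN and Bind DN together: the Bind DN must be able to read the
    user's attributes anywhere below the Base DN (subtree scope)."""
    return _ldapsearch_base(settings) + ["-b", settings["base_dn"], "-s", "sub",
                                         user_filter(settings["ldap_type"], username)]


def group_check_argv(settings, username, user_dn=None):
    """Checks the Required group.  Generic LDAP keeps memberships on the group
    object, so that variant searches the group DN for the user's DN instead."""
    t = settings["ldap_type"]
    if t in GROUP_ATTR:
        return _ldapsearch_base(settings) + ["-b", settings["base_dn"], "-s", "sub",
                                             group_filter(t, username, settings["required_group"]), "1.1"]
    if user_dn is None:
        raise ValueError("generic LDAP group check needs the user's DN")
    udn = escape_filter_value(user_dn)
    return _ldapsearch_base(settings) + ["-b", settings["required_group"], "-s", "base",
                                         "(|(member=%s)(uniqueMember=%s))" % (udn, udn), "1.1"]


def run_check(argv):
    """Run ldapsearch; no entries in the output means the filter matched nothing,
    so the Base DN, Bind DN or group DN needs another look before use."""
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.returncode == 0 and result.stdout.strip() != ""


if __name__ == "__main__":
    for field in ("base_dn", "bind_dn", "required_group"):
        print("%-15s %s" % (field, escape_dn_spaces(SETTINGS[field])))
    print(shlex.join(user_lookup_argv(SETTINGS, "jdoe")))
    print(shlex.join(group_check_argv(SETTINGS, "jdoe")))
```

The printed command lines can be pasted into a shell on a host that can reach the directory; an empty result from the first indicates a wrong Base DN or a Bind DN without read rights, an empty result from the second that the user is not in the required group.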