OpenLDAP SSO Authentication

Configure Access Restrictions to utilize OpenLDAP identities. This enables identity-based policies where users are recognized by their directory username and group membership.

Prerequisites

• OpenLDAP Simple Authentication configured and successful.
• LDAP users and groups must be visible in the LDAP Entities tab.

Enable Authentication in Access Rules

1. Access Restrictions: Go to Application Setup → Access Restrictions → Allow List.
2. Edit Rule: Edit the rule matching your client segment or create a new one.
3. Apply LDAP Profiles:
   • LDAP Profiles: Select specific LDAP groups (e.g., IT_Admins) from the dropdown.
   • Leave blank to apply this rule to all directory users.
4. Enable PAM: Ensure PAM Authentication is set to TRUE.
5. Save Policy: Click the checkmark to save.

Note on Default Rules

SafeSquid includes default entries under the Allow List. You can edit these to quickly map specific LDAP groups to default user-groups like admins or users.

Verification

Action	Method	Expected Result
Test Access	Browse from a client belonging to a mapped LDAP group.	Access is allowed/denied according to the rule.
Check Identity Log	tail -f /var/log/safesquid/identity.log	Shows the authenticated OpenLDAP username for each request.
Review Dashboard	Reports → Detailed Logs	Verify the Username column is populated with directory names.

Troubleshooting

Symptom	Likely Cause	Fix
Authentication prompt appears	No match in LDAP Profiles	Ensure the user is a member of the group specified in the LDAP Profiles field.
User recognized but blocked	Policy restriction	Check the access rules applied to the user-group assigned in the Allow List entry.
No username in logs	PAM set to FALSE	Ensure PAM Authentication is set to TRUE in the matching Allow List rule.

Next steps

• Access Restriction to define policies for your different LDAP groups.
• SSL Inspection to attribute encrypted traffic to specific users.
• Bypass Authentication for automated services.