Integrate LDAP
Latest revision as of 18:35, 29 November 2019
Integration of LDAP
This page walks through integrating SafeSquid with an Active Directory using the following values:
Active Directory FQDN : ad.safesquid.test
IP Address : 192.168.221.1
User Name : administrator@safesquid.test
Domain of Active Directory : safesquid.test
Basedn : dc=safesquid,dc=test
Prerequisites
Make sure that every value in the configuration (LDAP server FQDN, LDAP server IP, bind username and password, base DN, domain) is correct. If any value is wrong, SafeSquid will fail to fetch the LDAP entries. Verify the values against the directory first, for example by performing a bind and a search with the same credentials and base DN from the proxy host, so that a failure to fetch entries can be attributed to SafeSquid's configuration rather than to the directory.
Access the SafeSquid User Interface
Open the SafeSquid user interface (see http://2017.swg.safesquid.com/index.php/Access_The_SafeSquid_User_Interface).
Go to Application Setup
Go to Integrate LDAP
Global
Integrate with Microsoft Active Directory or OpenLDAP. SafeSquid can also use the directory server to authenticate users, which is useful when a user cannot be authenticated via Kerberos/SSO.
Enabled
Enable or disable the use of LDAP.
LDAP servers
You can configure more than one LDAP server here. Users from all the enabled entries are fetched by SafeSquid and can be viewed in 'LDAP Entries'.
Create the New LDAP entry
Enabled
Enable or disable this entry.
Comment
For documentation and future reference, explain the relevance of this entry to your policies, so that whoever reads the policies later can understand the purpose of the entry.
Host Name
Specify the host name of the SafeSquid proxy. In a network with multiple LDAP servers and multiple SafeSquid proxy servers deployed in Master-Slave mode, this field names the proxy server that communicates with the LDAP server configured in this entry. Leave it blank if this is the only SafeSquid proxy, or if you want all the proxies to communicate with the configured LDAP server.
Ldap FQDN\IP
Enter the FQDN of the LDAP server (or its IP address).
Ldap Port
Specify the port of the LDAP service. The default LDAP port is 389 (plain LDAP); LDAP over SSL is conventionally served on 636.
Use SSL
Communicate with the LDAP service over TLS. To have SafeSquid verify the server certificate, copy the CA certificate of the LDAP service into the security directory and rename it to LDAP_CA_FILE.cer.
Note: If you do not wish to verify the server certificate, do not provide a CA certificate; SafeSquid then performs SSL without requesting the server certificate. The session is still encrypted, but nothing proves that the proxy is talking to the genuine directory, so a host able to redirect the traffic can impersonate the LDAP server and obtain the bind credentials. Provide the CA file in production.
TRUE : Select this for SSL-based LDAP communication.
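To make the difference between the two Use SSL settings concrete, here is an added illustration written against Python's ssl module; it is not SafeSquid's code, and the file name LDAP_CA_FILE.cer is the only thing taken from the page. It assumes the CA file may arrive either as PEM or as the DER export that Windows certificate tools commonly produce, and it accepts both.

```python
"""Added illustration (Python ssl module, not SafeSquid code) of what the
Use SSL setting does with and without a CA file. Assumption: the .cer file
exported from the directory's CA may be PEM or DER, so both are handled."""
import ssl
from pathlib import Path

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def ca_format(data):
    """Classify CA file bytes so the right loader argument can be chosen."""
    return "PEM" if PEM_MARKER in data else "DER"


def load_ca(ctx, ca_file):
    """Load the CA into the context; cadata takes PEM as str or DER as bytes."""
    data = Path(ca_file).read_bytes()
    if ca_format(data) == "PEM":
        ctx.load_verify_locations(cadata=data.decode("ascii"))
    else:
        ctx.load_verify_locations(cadata=data)


def ldaps_context(ca_file=None):
    """ca_file given (the page's LDAP_CA_FILE.cer): the server's certificate
    chain and hostname are checked against that CA.
    ca_file None: encrypt only, the behaviour the page's note describes. Any
    host that can intercept the connection may present its own certificate
    and receive the bind password."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_file is None:
        ctx.check_hostname = False        # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    load_ca(ctx, ca_file)
    return ctx


def verifies_server(ctx):
    """True only when an unknown or mismatched server certificate is rejected."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


if __name__ == "__main__":
    # Without a CA file the proxy would accept any certificate at all.
    print("no CA file  -> verifies server:", verifies_server(ldaps_context(None)))
```

Pointing `ldaps_context` at a copied CA file (for example `ldaps_context("/path/to/security/LDAP_CA_FILE.cer")`) yields a context that refuses to complete the handshake unless the directory presents a certificate chaining to that CA with a matching name, which is the property the page's note gives up when no CA certificate is configured.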
Ldap Bind Method
Choose the binding (authentication) method that matches the mechanisms your directory server supports.
Query Record Limit
Specify the maximum number of records that should be fetched in a single LDAP query.
Ldap User Filter
SafeSquid applies the LDAP user filter to narrow the scope of entries requested when searching for users in the LDAP.
With the default configuration, the LDAP server returns only entries that match objectclass=person and also have at least one of the attributes userPrincipalName, sAMAccountName or uid set.
Ldap Group Filter
Specify the LDAP group filter. This is required if the LDAP server does not support Reverse Group Membership (where a user's own entry lists its groups, as the memberOf attribute does in Active Directory).
Note: Microsoft Windows AD servers normally support Reverse Group Membership. Legacy OpenLDAP implementations may not. If the LDAP server supports Reverse Group Membership, leave this field blank.
SafeSquid applies this filter to narrow the scope of entries requested when searching for groups in the LDAP.
For example, with LDAP Group Filter : (|(objectclass=posixGroup)(objectclass=groupofNames)) and Group Identifier : member, members, memberof
SafeSquid constructs the filter (|(objectclass=posixGroup)(objectclass=groupofNames)) and sets member, members and memberof as the attributes that may be returned by the LDAP search queries. Thus the LDAP server returns only entries that match objectclass=posixGroup or objectclass=groupofNames. The DN of each resulting entry is treated as a group, and the values of its member, members or memberof attributes as the users belonging to that group.
Ldap Username
Specify a username to bind to the LDAP server. Most OpenLDAP servers allow anonymous binds; in that case you may leave this blank. For Microsoft AD servers specify a UserPrincipalName (username@domain.com) or sAMAccountName (Username).
Ldap Password
Specify the encrypted password of the above username for binding to the Microsoft AD or LDAP server. Click 'Utilities' to open a dialog box for entering the password to be encrypted, then click 'Encrypt' to run the encryption.
For Example : Test1 is a user present in the Microsoft AD server. Enter the password of user Test1, encrypt it and copy the encrypted password into this field.
Use a dedicated, least-privilege directory account for the bind; fetching users and group membership does not require a domain administrator, and the administrator@safesquid.test account in the values above serves only as an illustration.
Ldap Basedn
Specify the Basedn of the LDAP server in LDAP format.
For example : For the Active Directory domain safesquid.test, enter the Basedn as dc=safesquid,dc=test
Ldap Domain
Specify the LDAP domain name for the users who must be authenticated as users of this LDAP server.
Login Attributes
Specify the attributes of a user's entry in the LDAP server that may be used for validating the user's credentials. Any or all attributes that are unique for each user in the LDAP server can be specified here.
Note : The list of Login Attributes is comma separated, and unnecessary spaces must be removed.
Group Identifier
Specify the LDAP attributes that may be used as Group Identifiers, that is, to identify a user's group membership.
Note: You can use the Search Text Box to search users from AD (Active Directory) / OpenLDAP. The Login Attribute menu is used to search users or OUs (Organizational Units) from AD (Active Directory) / OpenLDAP.
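The following added example (written for this page, not SafeSquid's own code) ties together the Basedn, Ldap User Filter, Login Attributes, Ldap Group Filter and Group Identifier fields: it derives the Basedn from the domain, builds the user and group filters the page describes, escapes a login name before it is placed in a filter, and resolves group membership both from group entries (no Reverse Group Membership) and from the user's own memberof attribute (Reverse Group Membership). The attribute and objectclass names are the ones the page lists; the sample entries are constructed and do not come from a real directory.

```python
"""Added worked example (not SafeSquid code): build the Basedn and the user,
login and group filters described on this page, and resolve group membership
from either kind of directory data. Attribute names are those the page lists;
the sample entries below are constructed, not taken from a real directory."""

# RFC 4515 escaping. A login name supplied by a client must never be spliced
# into a filter raw: the value "*)(uid=*" would otherwise turn a credential
# lookup into a wildcard match (LDAP injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def domain_to_basedn(domain):
    """safesquid.test -> dc=safesquid,dc=test (the page's Basedn example)."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + label for label in labels)


def user_filter(login_attributes, objectclass="person"):
    """Default user filter: objectclass=person AND at least one login attribute set."""
    presence = "".join("(%s=*)" % attr for attr in login_attributes)
    return "(&(objectclass=%s)(|%s))" % (objectclass, presence)


def login_filter(login_attributes, login_name, objectclass="person"):
    """Locate one user by any permitted Login Attribute, with the name escaped."""
    name = escape_filter_value(login_name)
    alternatives = "".join("(%s=%s)" % (attr, name) for attr in login_attributes)
    return "(&(objectclass=%s)(|%s))" % (objectclass, alternatives)


def group_filter(objectclasses):
    """(|(objectclass=posixGroup)(objectclass=groupOfNames)) for the page's example."""
    return "(|" + "".join("(objectclass=%s)" % oc for oc in objectclasses) + ")"


def _values(attrs, name):
    """LDAP attribute names are case-insensitive (memberOf == memberof)."""
    want = name.lower()
    for key, values in attrs.items():
        if key.lower() == want:
            return list(values)
    return []


def groups_from_group_entries(group_entries, group_identifiers):
    """No Reverse Group Membership: each entry matched by the group filter is a
    group, and its member-style attributes name the users. Returns
    {user DN: set of group DNs}."""
    membership = {}
    for group_dn, attrs in group_entries.items():
        for ident in group_identifiers:
            for user_dn in _values(attrs, ident):
                membership.setdefault(user_dn, set()).add(group_dn)
    return membership


def groups_from_user_entries(user_entries, group_identifiers=("memberOf",)):
    """Reverse Group Membership (Active Directory): the user's own entry lists
    its groups, so no group filter is needed."""
    membership = {}
    for user_dn, attrs in user_entries.items():
        groups = set()
        for ident in group_identifiers:
            groups.update(_values(attrs, ident))
        membership[user_dn] = groups
    return membership


# Constructed sample data in the page's safesquid.test domain.
BASEDN = domain_to_basedn("safesquid.test")
SAMPLE_GROUPS = {
    "cn=proxy-users,ou=groups," + BASEDN: {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people," + BASEDN, "uid=bob,ou=people," + BASEDN],
    },
    "cn=proxy-admins,ou=groups," + BASEDN: {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people," + BASEDN],
    },
}
SAMPLE_AD_USERS = {
    "cn=Test1,cn=Users," + BASEDN: {
        "sAMAccountName": ["Test1"],
        "userPrincipalName": ["Test1@safesquid.test"],
        "memberof": ["cn=proxy-users,cn=Users," + BASEDN],
    },
}

if __name__ == "__main__":
    print(BASEDN)
    print(user_filter(["userPrincipalName", "sAMAccountName", "uid"]))
    print(login_filter(["sAMAccountName", "uid"], "*)(uid=*"))   # escaped, not a wildcard
    print(group_filter(["posixGroup", "groupOfNames"]))
    print(groups_from_group_entries(SAMPLE_GROUPS, ["member", "members", "memberof"]))
    print(groups_from_user_entries(SAMPLE_AD_USERS))
```

The escaping in `login_filter` is the point to carry over to any code that turns a proxy user's typed name into an LDAP search: every Login Attribute you list widens the set of values a client controls, so all of them must pass through the same escaping before they reach the directory.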