advproxy - The Advanced Web Proxy add-on


HOWTO: Configuring Active Directory LDAP authentication

The following guidance is a step-by-step instruction for configuring Active Directory authentication via LDAP for Advanced Proxy running on IPCop or SmoothWall.

Anyway, it would be a good idea to read the manual first.

Configuring Active Directory LDAP authentication for Advanced Proxy

Step 1: Create the Bind DN user account

Open the MMC snap-in Active Directory Users and Computers.

Right click on the domain and select New > User from the menu (figure 1).

Figure 1

Enter the name for the Bind DN user (figure 2). Make sure that the username does not contain spaces or special characters.

Figure 2

Enter the password for the Bind DN user and select the options User cannot change password and Password never expires. Make sure that the option User must change password at next logon is unchecked (figure 3).

Figure 3

Complete the Wizard to create the Bind DN user (figure 4). The Active Directory username will be

ldapbind@ads.local

and the LDAP DN will be

cn=ldapbind,dc=ads,dc=local

Figure 4

This account will be used to bind the Advanced Proxy to the LDAP server. This is necessary because Active Directory doesn't allow anonymous browsing.

Step 2: Grant appropriate access rights to the Bind DN user

Right click the domain and select Delegate Control from the menu (figure 5).

Figure 5

Start the Control Delegation Wizard and select the ldapbind user account (figure 6).

Figure 6

Select Create a custom task to delegate (figure 7).

Figure 7

Restrict delegation to User objects (figure 8).

Figure 8

Set permissions to Read All Properties (figure 9).

Figure 9

Now complete the Control Delegation Wizard.

Step 3: Configure Advanced Proxy for LDAP authentication

Open the Advanced Proxy GUI page, select LDAP from the section Authentication method and hit Save.

Note: If you are configuring LDAP authentication for the first time, Advanced Proxy may complain about the missing LDAP Base DN.

Now enter the following LDAP settings into the Advanced Proxy GUI (figure 10):

  • Base DN: The point in the directory tree from which the LDAP search begins
  • LDAP type: Active Directory
  • LDAP Server: The IP address of your Windows LDAP Server
  • Port: The port on which your Windows Server listens for LDAP requests
  • Bind DN username: The LDAP DN of the Bind DN user
  • Bind DN password: The password for the Bind DN user

Figure 10

Save the settings and restart the Advanced Proxy by clicking the Save and restart button. Congratulations, LDAP authentication is working now ...


Configuring LDAP group based access control

Step 1: Create a group for authorized users

Open the MMC snap-in Active Directory Users and Computers.

Right click on the Users folder and select New > Group from the menu (figure 11).

Figure 11

Enter the name for the new group (figure 12).

Figure 12

Add all authorized users to this group (figure 13).

Figure 13

Note: It's possible to add users from different Organizational Units to this group.

Step 2: Configure LDAP authentication with group based access control

Open the Advanced Proxy GUI page, select LDAP from the section Authentication method and hit Save.

Note: If you are configuring LDAP authentication for the first time, Advanced Proxy may complain about the missing LDAP Base DN.

Now enter the following LDAP settings into the Advanced Proxy GUI (figure 14):

  • Base DN: The point in the directory tree from which the LDAP search begins
  • LDAP type: Active Directory
  • LDAP Server: The IP address of your Windows LDAP Server
  • Port: The port on which your Windows Server listens for LDAP requests
  • Bind DN username: The LDAP DN of the Bind DN user
  • Bind DN password: The password for the Bind DN user
  • Required group: The DN of a group containing the authorized user accounts

Figure 14

Save the settings and restart the Advanced Proxy by clicking the Save and restart button. From now on, only members of the given group will be able to access the proxy ...
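The LDAP settings from Step 3 and the Required group rule above, modelled offline as an added example (this is not code from advproxy itself): it derives the Base DN for ads.local, escapes the submitted logon name so it cannot widen the search the proxy runs under the Bind DN account, and applies the group check to a constructed snapshot of the directory. The group name proxyusers and the users alice, bob and carol are assumptions, not values from the HOWTO.

```python
import re

BASE_DN = "dc=ads,dc=local"                                # from the HOWTO
REQUIRED_GROUP = "cn=proxyusers,cn=users,dc=ads,dc=local"  # assumed group DN

# Constructed snapshot of ads.local, no LDAP server is contacted.  bob lives in
# an OU (allowed, see the note above); carol is not in the required group.
DIRECTORY = {
    "cn=alice,cn=users,dc=ads,dc=local": {
        "objectClass": ["person"], "sAMAccountName": "alice",
        "memberOf": [REQUIRED_GROUP]},
    "cn=bob,ou=sales,dc=ads,dc=local": {
        "objectClass": ["person"], "sAMAccountName": "bob",
        "memberOf": [REQUIRED_GROUP]},
    "cn=carol,cn=users,dc=ads,dc=local": {
        "objectClass": ["person"], "sAMAccountName": "carol", "memberOf": []},
}

def base_dn_from_domain(domain):
    """ads.local -> dc=ads,dc=local, the Base DN entered in the GUI."""
    return ",".join("dc=%s" % label for label in domain.lower().split("."))

def escape_filter_value(value):
    """RFC 4515 escaping, so a logon name such as 'x)(memberOf=*' cannot
    widen the search the proxy runs with the privileged Bind DN account."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def user_filter(username):
    """Search filter for the logon name, usable with ldapsearch for a
    manual check of the Bind DN credentials before saving the settings."""
    return "(&(objectClass=person)(sAMAccountName=%s))" % escape_filter_value(username)

def find_user(directory, username, base_dn=BASE_DN):
    """Subtree search below the Base DN; AD logon names are case-insensitive."""
    for dn, attrs in directory.items():
        in_scope = dn.lower() == base_dn.lower() or dn.lower().endswith("," + base_dn.lower())
        if in_scope and "person" in attrs["objectClass"] \
                and attrs["sAMAccountName"].lower() == username.lower():
            return dn, attrs
    return None

def is_authorized(directory, username, required_group=None):
    """Account must exist below the Base DN; with a Required group set, it
    must also be a member of that group (group based access control)."""
    hit = find_user(directory, username)
    if hit is None:
        return False
    return required_group is None or \
        required_group.lower() in (g.lower() for g in hit[1]["memberOf"])
```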


advproxy © Copyright 2004-2008 by Marco Sondermann - Last update: 2008-03-09
