LDAP authentication

Content Gateway supports the LDAP option to ensure that users are authenticated with an LDAP server before accessing content through the proxy.


	Important If rule-based authentication will be used, configure LDAP authentication through the Rule-Based Authentication option. However, read this section to become familiar with LDAP features and restrictions.

When LDAP is enabled:

Content Gateway acts as an LDAP client and directly challenges users who request content for a username and password.

After receiving the username and password, Content Gateway contacts the LDAP server to check that the credentials are correct.

If the LDAP server accepts the username and password, the proxy serves the client the requested content and stores the username and password in the credential cache.

Future authentication requests for that user are served from the cache until the cache entry expires (Time-To-Live value).

If the LDAP server rejects the username and password, the user's browser displays a message indicating that authorization failed and prompts again for a username and password.

LDAP authentication supports both simple and anonymous bind.

LDAP user authentication can support passwords containing special characters. Configuration is made directly in the records.config file. The following parameter must be enabled, and the correct encoding name to which the special characters belong must be configured. Add these entries to records.config. Note that the default setting is 0 (feature disabled).

// To enable the feature specify 1.

CONFIG proxy.config.ldap.proc.encode_convert INT <1 or 0>

// Specify an encoding name here. For example,
// for German specify "ISO-8859-1".

CONFIG proxy.config.ldap.proc.encode_name STRING <encoding name>

Configuring Content Gateway to be an LDAP client

Go to Configure > My Proxy > Basic > General.

In the Authentication section, click LDAP On, and then click Apply.

Configure the Global authentication options.

Go to Configure > Security > Access Control > LDAP.

Enter the hostname of the LDAP server.

Enter the port on which Content Gateway communicates with the LDAP server. The default is port 389.


	Note When the LDAP directory service is Active Directory, requests from users located outside the global catalog's base domain will fail to authenticate. This is because the default port for LDAP is 389 and requests sent to 389 search for objects only within the global catalog's base domain. To authenticate users from outside the base domain, change the LDAP port to 3268. Requests sent to 3268 search for objects in the entire forest.

Enable Secure LDAP if you want the proxy to use secure communication with the LDAP server. Secure communication is performed on port 636 or 3269. Change the port value in the previous field, if necessary.

Select the type of directory service to set the filter for searching.

Microsoft Active Directory sets the type to sAMAccountName (default).

Other sets the type to uid for eDirectory or other directory services.

Enter the Bind Distinguished Name (fully qualified name) of a user in the LDAP-based directory service. For example:

CN=John Smith,CN=USERS,DC=MYCOMPANY,DC=COM

Enter a maximum of 128 characters in this field.

If no value is specified for this field, the proxy attempts to bind anonymously.

10.

Enter a password for the user specified in the previous step.

11.

Enter the Base Distinguished Name (DN). Obtain this value from your LDAP administrator.

12.

Click Apply.

13.

Click Restart on Configure > My Proxy > Basic > General.

As optional steps, you can:

Change LDAP cache options. See Setting LDAP cache options.

Configure Content Gateway to allow certain clients to access specific sites on the Internet without being authenticated by the LDAP server. See Access Control).

Setting LDAP cache options

By default, the LDAP cache is configured to store 5000 entries and each entry is considered fresh for 3000 minutes. Change these options by editing the records.config file.

Open the records.config file located in /opt/WCG/config.

Edit the following variables:


Variable	Description
proxy.config.ldap.cache.size	Specify the number of entries allowed in the LDAP cache. The default value is 5000. The minimum value is 256.
proxy.config.ldap.auth.ttl_value	Specify the number of minutes that Content Gateway can store username and password entries in the LDAP cache.
proxy.config.ldap.cache. storage_size	Specify the maximum amount of space (in bytes) that the LDAP cache can occupy on disk. When modifying this value, you must update the value of proxy.config.ldap.cache.size proportionally. For example, if you double the storage size, also double the cache size. Modifying this variable without modifying proxy.config.ldap.cache.size causes the LDAP subsystem to stop functioning.

Save and close the file.

From the Content Gateway bin directory (/opt/WCG/bin), run content_line -L to restart the proxy on the local node or content_line -M to restart the proxy on all the nodes in a cluster.

Configuring secure LDAP

By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA.

To use LDAPS with Content Gateway:

Open the records.config file located in /opt/WCG/config.

Add following entry to records.config:

CONFIG proxy.config.ldap.secure.bind.enabled INT 1

Navigate to Configure > Security > Access Control > LDAP and change the port to 3269.


	Note The Directory Service must be configured to support LDAPS authentication. See to the documentation provided by the directory provider for instructions.