LDAP authentication

Support

Go to the table of contents

Go to the previous page

Go to the next page

Go to the index

View or print as PDF

Security > Proxy user authentication > LDAP authentication

LDAP authentication

Help | Content Gateway | Version 7.7.3

Content Gateway supports the LDAP option to ensure that users are authenticated with an LDAP server before accessing content through the proxy.


	Important In environments with multiple realms (domains that do not share trust relationships), configure LDAP authentication through the Multiple realm authentication option.

When the LDAP option is enabled, the proxy acts as an LDAP client and directly challenges users who request content for a username and password. After receiving the username and password, the proxy contacts the LDAP server to check that the credentials are correct. If the LDAP server accepts the username and password, the proxy serves the client with the requested content and stores the username and password in the Content Gateway LDAP cache; all future authentication requests for that user are served from the LDAP cache until the cache entry expires. If the LDAP server rejects the username and password, the user's browser displays a message indicating that authorization failed and prompts again for a username and password.

LDAP authentication supports both simple and anonymous bind.

Configuring Content Gateway to be an LDAP client

1.	Navigate to Configure > My Proxy > Basic > General.

2.	In the Authentication section, click LDAP On, and then click Apply.

3.	Navigate to Configure > Security > Access Control > LDAP.

4.	Enable Purge Cache on Authentication Failure to configure the proxy to delete the authorization entry for the client from LDAP cache if authorization fails.

5.	Enter the hostname of the LDAP server.

6.	Enter the port on which Content Gateway communicates with the LDAP server. The default is port 389.


	Note When the LDAP directory service is Active Directory, requests from users located outside the global catalog's base domain will fail to authenticate. This is because the default port for LDAP is 389 and requests sent to 389 search for objects only within the global catalog's base domain. To authenticate users from outside the base domain, change the LDAP port to 3268. Requests sent to 3268 search for objects in the entire forest.

7.	Enable Secure LDAP if you want the proxy to use secure communication with the LDAP server. Secure communication is performed on port 636 or 3269. Change the port value in the previous field, if necessary.

8.	Select the type of your directory service to set the filter for searching. The default is sAMAccountName for Active Directory. Select uid for eDirectory or other directory services.

9.	Enter the Full Distinguished Name (fully qualified name) of a user in the LDAP-based directory service. For example:

CN=John Smith,CN=USERS,DC=MYCOMPANY,DC=COM

Enter a maximum of 128 characters in this field.

If no value is specified for this field, the proxy attempts to bind anonymously.

10.	Enter a password for the user specified in the previous step.

11.	Enter the Base Distinguished Name (DN). Obtain this value from your LDAP administrator.

12.	Click Apply.

13.	Click Restart on Configure > My Proxy > Basic > General.

As optional steps, you can:

Change LDAP cache options. See Setting LDAP cache options.

Configure Content Gateway to allow certain clients to access specific sites on the Internet without being authenticated by the LDAP server. See Access Control).

Configure an alternate Content Gateway hostname for authentication, set the Authentication Mode (IP Mode or Cookie Mode), and set the session time-to-live period. See Transparent proxy authentication settings.

Setting LDAP cache options

By default, the LDAP cache is configured to store 5000 entries and each entry is considered fresh for 3000 minutes. Change these options by editing the records.config file.

1.	Open the records.config file located in the Content Gateway config directory (/opt/WCG/config).

2.	Edit the following variables:


Variable	Description
proxy.config.ldap.cache.size	Specify the number of entries allowed in the LDAP cache. The default value is 5000. The minimum value is 256.
proxy.config.ldap.auth.ttl_value	Specify the number of minutes that Content Gateway can store username and password entries in the LDAP cache.
proxy.config.ldap.cache. storage_size	Specify the maximum amount of space (in bytes) that the LDAP cache can occupy on disk. When modifying this value, you must update the value of proxy.config.ldap.cache.size proportionally. For example, if you double the storage size, also double the cache size. Modifying this variable without modifying proxy.config.ldap.cache.size causes the LDAP subsystem to stop functioning.

3.	Save and close the file.

4.	From the Content Gateway bin directory (/opt/WCG/bin), run content_line -L to restart the proxy on the local node or content_line -M to restart the proxy on all the nodes in a cluster.

Configuring secure LDAP

By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA.

To use LDAPS with Content Gateway:

1.	Open the records.config file located in the Content Gateway config directory (/opt/WCG/config).

2.	Add following entry to records.config:

CONFIG proxy.config.ldap.secure.bind.enabled INT 1

3.	Navigate to Configure > Security > Access Control > LDAP and change the port to 3269.


	Note The Directory Service must be configured to support LDAPS authentication. Please refer to the documentation provided by your directory provider for instructions.

Go to the table of contents

Go to the previous page

Go to the next page

Go to the index

View or print as PDF

Security > Proxy user authentication > LDAP authentication