Creating an LDAP authentication realm rule

Security > Proxy user authentication > Multiple realm authentication > Creating an LDAP authentication realm rule

Creating an LDAP authentication realm rule

Help | Content Gateway | Version 7.7.3

Before you create an LDAP authentication realm rule, you need to know:

The set of client IP addresses to send to the LDAP server. These can be a mix of individual IP addresses and IP address ranges.

And/or the unique port number on which traffic is inbound (explicit proxy only).

And/or the Request header User-Agent values that this rule applies to.

Or a combination of the above (proxy port is explicit proxy only).

The name and port number of the LDAP server.

The LDAP base distinguished name.

The LDAP bind distinguished name and password.

Optionally, an LDAP attribute name and value.


	Note After entering all specifiers, you must click Add before you click Apply. If Apply is clicked first, or the edit window is closed, all entry fields are cleared. The size of a rule cannot exceed 512 characters.

1.	If Content Gateway is a transparent proxy, go to Configure > Security > Access Control and review and adjust the Transparent Proxy Authentication settings.

2.	Go to Configure > Security > Access Control > Authentication Realms. A list of all existing authentication realm rules is displayed at the top of the page.

3.	Click Edit file to open the rule editor.

4.	Select LDAP from the Rule Type drop down list.

5.	Select Enable if you want the rule to be active when the rule definition process is complete.

6.	Give the rule a unique Rule Name. A short, descriptive name makes administration of rules easier

7.	If the rule is to be applied to specific IP addresses, in the Source IP field, enter a comma-separated list of individual IP addresses and IP address ranges. Do not use spaces. For example:

10.4.1.1,10.12.1.1-10.12.254.254

Source IP address ranges can overlap. Overlapping ranges may be useful as a quick way of identifying sub-groups in a large pool.

In overlapping ranges, the first match is used.

8.	To apply the rule to specific User-Agent values, enter POSIX-compliant regular expressions to match the desired values. To specify a common browser type, select a predefined regex from the drop down list and click Add.

When the field is empty, all User-Agents match.

You can edit the field directly.

Use the "|" character (logical 'or') to separate regexes.

The "^" regex operator is not supported.

When the rule is added or updated with the Add or Set button, the regex is validated. If the regex is not valid, the rule is not added or modified.

For an extended description and examples, see Authentication based on User-Agent.

9.	If the rule is for traffic coming in on a specific port, select the Proxy Port from the drop down list. This option is valid with explicit proxy only.

10.	Cookie Mode Caching: When users are NATed or are routed through a proxy chain, resulting in multiple users with the same IP address, you can enable Cookie Mode Caching to identify unique users and cache their credentials.


	Note IP address caching is recommended when users have unique IP addresses.

Several special requirements and limitations apply:

For transparent deployments, Redirect Hostname must be defined on the Configure > Security > Access Control > Transparent Proxy Authentication tab.

When the browser is Internet Explorer, the full proxy hostname in the form "http://host.domain.com" must be added to the Local intranet zone.

When the browser is Chrome, it must be configured to allow third-party cookies (this is not set by default), or configured for an exception to allow cookies from the proxy hostname in the form "host.domain.com".

When the IP address is set for Cookie Mode and the request method is CONNECT, no caching is performed.

When this option is disabled, LDAP caching is based on settings in records.config. See Setting LDAP cache options.


	Note Cookie mode caching does not work with applications that do not support cookies, or with browsers in which cookie support has been disabled.

11.

To specify an alias name to send to Filtering Service, open Advanced Settings and select Aliasing. In the field, specify the name to use. If no name is specified (the entry field is left blank), Web Security will behave as configured when servicing requests that do not include a user name. For more information about aliasing, see Unknown users and the 'alias' option.

12.	In the LDAP Server Name field, enter the fully qualified domain name and port number, or IP address of the LDAP server.

13.	If the LDAP server port is other than the default (389), in the LDAP Server Port field, enter the LDAP server port.

14.	Enter the LDAP Base Distinguished Name. Obtain this value from your LDAP administrator.

15.	Optionally, enter the LDAP UID filter. Use this field to specify the server type when it differs from the Server Type value specified on the LDAP tab (the default value). Enter sAMAccountName for Active Directory, or uid for any other service.

16.	In the Bind DN field, enter the bind distinguished name. This must be a Full Distinguished Name of a user in the LDAP directory service. For example:

CN=John Smith,CN=USERS,DC=MYCOMPANY,DC=COM

17.	In the Bind Password field, enter the password for the name given in the Bind DN field.

18.	Check Secure LDAP if you want Content Gateway to use secure communication with the LDAP server.

19.	Optionally, enter an LDAP attribute name.

20.	Optionally, enter an LDAP attribute value.

21.	Click Add to add the rule.

22.	At the top of the page, check and adjust the position of the rule in the rule list. The first rule matched is applied.

23.	Click Apply and then restart Content Gateway to put the rule into effect.


	Warning If a rule has invalid values, a warning message displays that identifies the invalid rule.

Security > Proxy user authentication > Multiple realm authentication > Creating an LDAP authentication realm rule

Support

Search

Article Rating:

Related Articles

Quick Links

Service Requests

How are we doing?