LDAP authentication
Help | Content Gateway | v8.5.x
Content Gateway supports the LDAP option to ensure that users are authenticated with an LDAP server before accessing content through the proxy.
Important 
If rule-based authentication will be used, configure LDAP authentication through the Rule-Based Authentication option. However, read this section to become familiar with LDAP features and restrictions.
When LDAP is enabled:
*
*
*
*
*
LDAP authentication supports both simple and anonymous bind.
LDAP user authentication can support passwords containing special characters. This is configured directly in the records.config file: the following parameter must be enabled, and the name of the encoding to which the special characters belong must be set. Add these entries to records.config. Note that the default setting is 0 (feature disabled).
// To enable the feature specify 1.
CONFIG proxy.config.ldap.proc.encode_convert INT <1 or 0>
// Specify an encoding name here. For example,
// for German specify "ISO-8859-1".
CONFIG proxy.config.ldap.proc.encode_name STRING <encoding name>
Configuring Content Gateway to be an LDAP client
1. Go to Configure > My Proxy > Basic > General.
2. In the Authentication section, click LDAP On, and then click Apply.
3.
4. Go to Configure > Security > Access Control > LDAP.
5.
6.
Note
7. Enable Secure LDAP if you want the proxy to use secure communication with the LDAP server. Secure communication is performed on port 636 or 3269. Change the port value in the previous field, if necessary.
8.
* Microsoft Active Directory (sAMAccountName) sets the type to sAMAccountName (default).
* Microsoft Active Directory (userPrincipalName) sets the type to userPrincipalName.
* Other sets the type to uid for eDirectory or other directory services.
9. Enter the Bind Distinguished Name (fully qualified name) of a user in the LDAP-based directory service. For example:
CN=John Smith,CN=USERS,DC=MYCOMPANY,DC=COM
Enter a maximum of 128 characters in this field.
If no value is specified for this field, the proxy attempts to bind anonymously.
10.
11. Enter the Base Distinguished Name (DN). Obtain this value from your LDAP administrator.
12. Click Apply.
13. Click Restart on Configure > My Proxy > Basic > General.
As optional steps, you can:
*
*
Setting LDAP cache options
By default, the LDAP cache is configured to store 5000 entries and each entry is considered fresh for 3000 minutes. Change these options by editing the records.config file.
1. Open the records.config file located in /opt/WCG/config.
2.
When modifying this value, you must update the value of proxy.config.ldap.cache.size proportionally. For example, if you double the storage size, also double the cache size.
Modifying this variable without modifying proxy.config.ldap.cache.size causes the LDAP subsystem to stop functioning.
3.
4. From the Content Gateway bin directory (/opt/WCG/bin), run content_line -L to restart the proxy on the local node, or content_line -M to restart the proxy on all the nodes in a cluster.
Configuring secure LDAP
By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA.
To use LDAPS with Content Gateway:
1. Open the records.config file located in /opt/WCG/config.
2.
CONFIG proxy.config.ldap.secure.bind.enabled INT 1
3. Navigate to Configure > Security > Access Control > LDAP and change the port to 3269.
Note
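As an added example that is not part of this help page and not Forcepoint code, a small Python lint that parses a records.config fragment and checks the LDAP settings documented above: the encode_convert/encode_name pair from the special-character section, secure.bind.enabled together with the 636/3269 ports from the Secure LDAP step, and the Bind DN rules from the client configuration (128-character limit, empty means anonymous bind). The LDAP port and Bind DN are form fields in the Content Gateway UI rather than records.config keys, so they are passed in as function arguments (an assumption about how you would collect them); the sample fragment is constructed.

```python
import codecs
import re

# Keys named on this page; the unnamed cache storage-size variable is not checked.
ENCODE_CONVERT = "proxy.config.ldap.proc.encode_convert"
ENCODE_NAME = "proxy.config.ldap.proc.encode_name"
SECURE_BIND = "proxy.config.ldap.secure.bind.enabled"
CONFIG_RE = re.compile(r'^\s*CONFIG\s+(\S+)\s+(?:INT|STRING)\s+"?([^"]*)"?\s*$')

def parse_records_config(text):
    """Map CONFIG keys to their (unquoted) values; '//' comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def lint_ldap_settings(cfg, ldap_port, bind_dn):
    """Return findings for the LDAP settings this page documents.
    ldap_port and bind_dn stand in for the Access Control > LDAP form fields (assumed inputs)."""
    findings = []
    if cfg.get(ENCODE_CONVERT, "0") == "1":  # default 0 = special-character support disabled
        name = cfg.get(ENCODE_NAME, "")
        if not name:
            findings.append("encode_convert is 1 but encode_name is not set")
        else:
            try:
                codecs.lookup(name)  # e.g. ISO-8859-1 for German, as the page suggests
            except LookupError:
                findings.append(f"encode_name {name!r} is not a recognised encoding")
    if cfg.get(SECURE_BIND, "0") != "1":
        findings.append("LDAP traffic is sent unsecured: secure.bind.enabled is not 1")
    elif ldap_port not in (636, 3269):  # the two Secure LDAP ports the page lists
        findings.append(f"Secure LDAP is on but port {ldap_port} is neither 636 nor 3269")
    if not bind_dn:
        findings.append("Bind DN is empty: the proxy will bind anonymously")
    elif len(bind_dn) > 128:
        findings.append("Bind DN exceeds the 128-character field limit")
    return findings

# Constructed sample fragment, not taken from a real deployment.
SAMPLE = """// enable special-character passwords with the German encoding
CONFIG proxy.config.ldap.proc.encode_convert INT 1
CONFIG proxy.config.ldap.proc.encode_name STRING "ISO-8859-1"
CONFIG proxy.config.ldap.secure.bind.enabled INT 1
"""
```

Run `lint_ldap_settings(parse_records_config(SAMPLE), 636, "CN=John Smith,CN=USERS,DC=MYCOMPANY,DC=COM")` to get an empty list; drop the secure-bind line or pass port 389 to see the corresponding findings.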

Copyright 2020 Forcepoint. All rights reserved.