Directory Connector

From UntangleWiki

Untangle Server User's Guide

About Directory Connector

Directory Connector enables Untangle to communicate with your directory services, allowing the creation of per-user policies and per-user reports. Directory Connector also supplies connectors for communicating with external directory services so that other apps (such as Captive Portal) can authenticate users against external directories.

Directory Connector creates a mapping from usernames to IP addresses so that policies can be created per username or group and reports can be viewed by username.

Directory Connector's connectors allow communication with external directory services such as Active Directory or any directory service that supports RADIUS.

Username Map

Directory Connector maintains a list of active IP addresses and their equivalent usernames. This map can be built using different methods such as the Active Directory Login Script or Captive Portal. Each method adds a new entry to the map once a user is authenticated, so that policy rules using a username then match the traffic coming from that IP address. Also, all information written to the database is from then on associated with that username, so that reports allow viewing actions by username even when users are moving around on the network.

  • Note that because the Username Map works by mapping IP addresses to usernames, any IP address sharing among users will mean that they cannot be distinguished from each other. For example, some Terminal Server implementations use a shared IP address for all users logged into the Terminal Server. The Username Map will not be able to tell these users apart for any activity that takes place through the Terminal Server as it all comes from one IP address.
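The following is an added example, not Untangle's code: a minimal model of the Username Map as the section describes it, an IP-to-username table fed by authentication events, consulted by per-user and per-group policy rules, and subject to the shared-IP limitation above (a second user arriving from the same address replaces the first). The usernames, groups, addresses, event sources and the expiry timeout are all constructed for the example; the real wire format between the login script and the Untangle Server is not shown on this page and is not reproduced here.

```python
"""Added example (not Untangle's code): an IP -> username map in the style of
the Directory Connector Username Map. Names, addresses, event sources and the
TTL are constructed values."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Entry:
    username: str
    source: str      # constructed label: "login-script" or "captive-portal"
    last_seen: int   # seconds on a constructed clock


@dataclass
class UsernameMap:
    """One Entry per IP address. Because the key is the address, two users
    behind one address (e.g. a Terminal Server) cannot both be represented."""
    entries: Dict[str, Entry] = field(default_factory=dict)
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> members
    overwrites: List[str] = field(default_factory=list)         # audit of collisions

    def authenticate(self, ip: str, username: str, source: str, now: int) -> None:
        prev = self.entries.get(ip)
        if prev and prev.username != username:
            # A different user on the same IP replaces the existing entry:
            # policy decisions and reports for this IP now name the new user.
            self.overwrites.append(f"{ip}: {prev.username} -> {username}")
        self.entries[ip] = Entry(username, source, now)

    def logout(self, ip: str) -> None:
        self.entries.pop(ip, None)

    def expire(self, now: int, ttl: int) -> None:
        """Drop entries that the periodic check-in has not refreshed within ttl."""
        for ip in [ip for ip, e in self.entries.items() if now - e.last_seen > ttl]:
            del self.entries[ip]

    def lookup(self, ip: str) -> Optional[str]:
        e = self.entries.get(ip)
        return e.username if e else None

    def matches(self, ip: str, username: Optional[str] = None,
                group: Optional[str] = None) -> bool:
        """Evaluate a per-user / per-group rule condition for traffic from ip."""
        user = self.lookup(ip)
        if user is None:
            return False
        if username is not None and user != username:
            return False
        if group is not None and user not in self.groups.get(group, set()):
            return False
        return True


def demo() -> dict:
    m = UsernameMap(groups={"Sales": {"alice", "bob"}, "IT": {"carol"}})
    # Constructed events: login-script check-ins and one Captive Portal login.
    m.authenticate("10.0.0.21", "alice", "login-script", now=0)
    m.authenticate("10.0.0.22", "carol", "captive-portal", now=5)
    # alice moves to another machine; her traffic follows her username.
    m.authenticate("10.0.0.23", "alice", "login-script", now=60)
    m.logout("10.0.0.21")
    # Terminal Server case: bob and carol both check in from 10.0.0.50.
    m.authenticate("10.0.0.50", "bob", "login-script", now=70)
    m.authenticate("10.0.0.50", "carol", "login-script", now=75)
    # carol's original machine stops checking in; its entry ages out.
    m.expire(now=650, ttl=600)
    return {
        "alice_new_ip": m.lookup("10.0.0.23"),
        "old_ip_cleared": m.lookup("10.0.0.21"),
        "sales_rule_hits_alice": m.matches("10.0.0.23", group="Sales"),
        "it_rule_hits_alice": m.matches("10.0.0.23", group="IT"),
        "terminal_server_user": m.lookup("10.0.0.50"),
        "overwrites": m.overwrites,
        "expired_entry": m.lookup("10.0.0.22"),
    }
```

The `overwrites` list is the point of the caveat: on the shared address, bob's traffic is attributed to carol from the moment she logs in, and a per-user rule written for bob stops matching there. Logging such collisions is the practical way to notice that a Terminal Server or NAT device sits behind one address.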

Connectors

Active Directory

The Active Directory connector contains settings for connecting and communicating with the Active Directory Server. The "Active Directory Test" tests these settings by communicating with the server.

After this is set correctly, other applications can use the connector to authenticate users using the Active Directory Server. Example: Captive Portal can be configured to authenticate logins using Active Directory.

To configure Active Directory:

Before you begin:

  1. Ensure that your Active Directory users are in one domain. Users can be in multiple Active Directory Organizational Units (OUs), but must be under one domain. Multiple domains are not supported at this time.
  2. If you are not using the Untangle Server as your DNS server, ensure that your Untangle Server has a static WAN IP address from your Internet Service Provider.

Configuration:

  1. Determine Active Directory's default port for TCP traffic. The Active Directory server and Untangle must be able to communicate. By default, Active Directory communicates on port 389, so Untangle is configured by default to communicate with Active Directory on port 389.
    • If Active Directory's default port is 389, open port 389.
    • If port 389 is being used by another server, change and open the Active Directory's default port, then proceed to the next step to access the Untangle Server and change the default port on the Untangle Server.
  2. From Directory Connector, click the Show Settings button.
  3. In the Active Directory (AD) Connector tab, select the Enabled radio button.
  4. Provide the AD Server IP in the Host field.
  5. Specify the port on which the Untangle communicates with your Active Directory server. You identified this port in Step 1.
  6. Provide the Active Directory domain name and the username and password for an administrator account. Authentication login requires administrator privileges. The Untangle Server traverses the entire domain to locate the account that you specify, so the account can reside in any folder, and you don't need to specify which folder. The Untangle Server automatically finds the account that you specify.
  7. Click the Active Directory Test button. You will be asked to save your Settings. Click Continue.
    • If you receive a Success! message, you have successfully enabled access to the Active Directory Server.
    • If you receive a Failure! message, the Active directory test failed.
  8. Active Directory Domain. The ADS domain name.
  9. (Optional) Active Directory Organization. The Active Directory organization unit (OU) that contains the users.
    • If you want the Untangle Server to find all your users, do not type any value in the Active Directory Organizational field.
    • If, for some reason, you want to specify the OU and your users reside in more than one location, specify the highest folder for the OU. To include only the users under the SBSUsers OU:
    OU=SBSUsers,OU=Users,OU=MyBusiness
    Figure: Multiple AD OUs
  10. Click the Active Directory Users button. The Untangle Server outputs a list of users in the text box. If the list does not include the users that you expect:
    • Verify that you have the correct domain.
    • Verify that you have the correct OU, if you specified an OU.
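To make the OU step concrete, here is an added example (not Untangle's code) of how an Organizational Unit value narrows a directory search: the OU path is prefixed to the domain's DC components to form the search base, and a user is in scope when its distinguished name ends with that base. It also shows why "specify the highest folder" works (a parent OU covers every child OU) and why a second domain never appears. The domain name, OU names and user DNs are constructed; the DN splitting is a small RFC 4514-style parser written for this example.

```python
"""Added example (not Untangle's code): scoping an Active Directory user search
by OU. Domain, OUs and user DNs below are constructed."""

from typing import List, Optional


def domain_to_dc(domain: str) -> List[str]:
    """mybusiness.local -> ['DC=mybusiness', 'DC=local']"""
    return [f"DC={label}" for label in domain.lower().split(".") if label]


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas. Components are lower-cased because AD
    compares RDNs case-insensitively; an escaped comma (\\,) stays in the value."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):     # keep escape and escaped char
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return [p.lower() for p in parts if p]


def search_base(domain: str, ou: Optional[str]) -> str:
    """Empty OU field -> the whole domain; otherwise the OU path, then the DC components."""
    dc = ",".join(domain_to_dc(domain))
    return f"{ou},{dc}" if ou else dc


def in_scope(user_dn: str, base_dn: str) -> bool:
    """True when user_dn is at or below base_dn (subtree search semantics):
    the user's RDN list must end with the base's RDN list."""
    u, b = split_dn(user_dn), split_dn(base_dn)
    return len(u) >= len(b) and u[len(u) - len(b):] == b


def users_under(domain: str, ou: Optional[str], user_dns: List[str]) -> List[str]:
    base = search_base(domain, ou)
    return [dn for dn in user_dns if in_scope(dn, base)]


# Constructed directory: users spread over several OUs, plus one in another domain.
DOMAIN = "mybusiness.local"
USERS = [
    "CN=Alice,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mybusiness,DC=local",
    "CN=Bob,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mybusiness,DC=local",
    "CN=Carol,OU=Contractors,OU=Users,OU=MyBusiness,DC=mybusiness,DC=local",
    "CN=Dave,CN=Users,DC=mybusiness,DC=local",   # default Users container, not an OU
    "CN=Smith\\, Erin,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mybusiness,DC=local",
    "CN=Mallory,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=other,DC=local",  # other domain
]

if __name__ == "__main__":
    for ou in ("OU=SBSUsers,OU=Users,OU=MyBusiness", "OU=Users,OU=MyBusiness", None):
        print(ou or "(whole domain)", "->", len(users_under(DOMAIN, ou, USERS)), "users")
```

With the narrow OU only the three SBSUsers accounts are returned; with the parent `OU=Users,OU=MyBusiness` the Contractors OU is included as well; with the field empty every user in the domain is found, including one in the built-in Users container, which is a CN rather than an OU and so cannot be selected by any OU value. The account in the second domain is never returned, which matches the single-domain requirement above.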

Active Directory Login Script

If you want to use the Username Map for per-user/group policies or per-user reports you can use the Active Directory Login Script.

The ADLS is a small script installed on your network clients using a group policy. Once installed on a client, the script starts each time the user logs on to the network and immediately notifies the Untangle Server that the user is on the network, and the Untangle Server remembers this IP address. Any activity for that IP address is automatically mapped to the user's username. This script runs on login and periodically in the background to keep the Directory Connector Username Map up to date with any logins, logouts, IP changes, etc.

Download Active Directory Login Script

This procedure assumes that you are logged on to the Active Directory Server and are remotely logged on to the Untangle Server.

  1. From the User Directory Config window, click on the AD Lookup Script button. The Active Directory Login Script download page launches.
  2. Click on the download link. The Active Directory login script now resides on your AD Server. Now you need to install the script to the correct location. The file name is adlogon_user.vbs.

Install Active Directory Login Script

All network clients need access to the Active Directory Login Script (ADLS), but you don't need to install the ADLS script on every network client. Simply install the ADLS script on the Active Directory Server, then create a group policy that forces users to execute this script each time they log on to the network. This way the user can't accidentally delete the script, and it's easier to update the script if it changes. There are two ways to install the AD login script:

To apply AD login script for entire domain:

Before You Begin: Download the Active Directory login script.

  1. Download Group Policy Management tool, which is installed by default in R2.
  2. Log on to the domain controller (Active Directory Server), then launch the Group Policy Management tool by doing one of the following:
    • Start > Program files > Administrative Tools > Group Policy Management
    • From a command line prompt, run gpmc.msc.
  3. Create the group policy:
    1. From Group Policy Management, right-click on the domain and select Create and Link a GPO here. The New GPO dialogue box appears.
    2. Specify a name for the group policy. Consider Untangle as part of the group policy name. The new group policy appears in the list of group policies.
      Figure: Create Group Policy
  4. Add the AD Lookup Script to the policy:
    1. Right-click on the group policy that you just created, and click Edit.
      Figure: Launch Edit Window
    2. Go to User Configuration > Windows Settings > Scripts (Logon/Logoff). The Scripts (Logon/Logoff) window appears in the right frame.
    3. Click on the Logon icon. The Logon Properties window appears.
    4. Click the Show Files button. A Windows Explorer window launches.
    5. Copy the adlogon_user.vbs file that you downloaded in Download Active Directory Login Script to this location.
    6. Click the Add button, browse for the script, then click OK.
      Figure: Add AD Script To Policy
  5. Apply users to the group policy:
    1. In the Logon Properties window, click on the Add button, type a descriptive script name, then click OK.
    2. In the Select User, Computer or Group window, select the OU or Group to which you want to apply this GPO.
      Figure: Add Users To Policy
  6. From a command line prompt, activate the group policy that you just created:
     gpupdate /force

To apply AD lookup script for specific users:

  1. Log on to the domain controller (Active Directory Server), then save the adlogon_user.vbs file to \\localhost\NETLOGON.
  2. Using an editor, create a local.bat file that has the following lines:
     @echo off
     \\ADServerIPAddress\netlogon\adlogon_user.vbs
  3. Save the local.bat file to \\localhost\NETLOGON.
  4. From the domain, go to the Users folder.
  5. Right-click the user that requires the AD Login script. The Properties window appears.
  6. Click the Profile tab and, in the Logon script field, type the name of the AD Login script.
  7. Launch the Group Policy Management Console (GPMC), then launch the Group Policy Object Editor.
  8. Copy the adlogon_user.vbs file that you downloaded in X to this location. You return to the Logon Properties window.

Supported Active Directory Configurations

The Untangle Server's Active Directory integration is designed to address the most common needs of small to medium sized businesses. Although the requirements below are very specific, they are easily met in most small to medium sized business computing environments.

Supported Server OS

AD Server OS                             Support
Windows Server 2008                      Yes*
Windows Small Business Server 2008       Yes*
Windows Small Business Server 2003       Yes
Windows Small Business Server 2003, R1   Yes
Windows Small Business Server 2003, R2   Yes
Windows Server 2003, Standard SP2        Yes
Windows Server 2003, Standard R2         Yes
Windows 2000 Server                      Yes
Windows NT 4.0 Server                    No

Note (*): For Windows Server 2008, if you've installed it with the strictest security settings, you must disable the signed LDAP security requirement. For more information, please follow the instructions here but disable the requirement instead. You should then run gpupdate /force on the server to update the group policy in effect.

Supported Client OS

  • Windows 2000 Professional (5.0 SP4 Rollup 1 v2) or later
  • Windows XP Professional SP2 (5.1.2600 Service Pack 2) or later
  • Windows Vista (6.0 Build 6000) or later

RADIUS

The RADIUS connector enables authentication to directory services using the RADIUS protocol (http://en.wikipedia.org/wiki/RADIUS). Other applications such as Captive Portal can use the RADIUS connector to authenticate and identify users.

To configure RADIUS:

  1. Open the Settings on Directory Connector and open the RADIUS tab.
  2. Click the 'Enabled' checkbox to enable the RADIUS connector.
  3. Enter the directory server's IP in RADIUS Server IP or Hostname.
  4. Enter the port to communicate with the directory server (default: 1812) in Port.
  5. Enter the shared secret from the RADIUS Server in Shared Secret.
  6. Select the Authentication Method supported by the server. Options are CLEARTEXT, PAP, CHAP.
  7. Test your setup using the RADIUS test.

After RADIUS is configured, you can configure Captive Portal to use RADIUS authentication to validate usernames.
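As an added example, not Untangle's code or that of any RADIUS server, the block below walks through the exchange the connector settings above describe for two of the three listed methods, PAP and CHAP, following RFC 2865: the client builds an Access-Request, the server checks the credential and answers with an Access-Accept or Access-Reject, and both directions depend on the shared secret from step 5. It shows what that secret protects (the PAP password is hidden with an MD5 chain keyed by the secret, CHAP sends only a challenge response, and every reply carries a Response Authenticator the client checks against the same secret) and what a wrong secret looks like in practice (the RADIUS test fails). The secret, user database and credentials are constructed; packets are built in memory rather than sent over UDP port 1812.

```python
"""Added example (not Untangle's or any RADIUS server's code): RFC 2865
Access-Request / Accept / Reject for PAP and CHAP, built in memory.
Secret, users and credentials are constructed values."""

import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """PAP User-Password hiding (RFC 2865 5.2): each 16-byte block is XORed
    with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the server applies it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 2865 5.3): MD5(Ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode(code: int, ident: int, auth: bytes, attrs: Dict[int, bytes]) -> bytes:
    """Code, Identifier, Length, 16-byte Authenticator, then type/length/value attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs.items())
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def decode(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs: Dict[int, bytes] = {}
    i = 20
    while i + 2 <= length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2:                      # malformed attribute: stop parsing
            break
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return code, ident, pkt[4:20], attrs


def access_request(secret: bytes, ident: int, username: str, password: str,
                   method: str, req_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Client side (what a connector sends). Returns the packet and its Request Authenticator."""
    req_auth = req_auth or os.urandom(16)
    attrs = {USER_NAME: username.encode()}
    if method == "PAP":
        attrs[USER_PASSWORD] = hide_password(secret, req_auth, password.encode())
    elif method == "CHAP":
        challenge = os.urandom(16)
        attrs[CHAP_CHALLENGE] = challenge
        attrs[CHAP_PASSWORD] = bytes([ident]) + chap_response(ident, password.encode(), challenge)
    else:
        raise ValueError(f"method {method!r} not demonstrated here")
    return encode(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def serve(secret: bytes, users: Dict[str, str], request: bytes) -> bytes:
    """Server side: verify the credential, reply with Accept/Reject whose
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, req_auth, attrs = decode(request)
    expected = users.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    ok = False
    if expected is not None and USER_PASSWORD in attrs:
        ok = hmac.compare_digest(reveal_password(secret, req_auth, attrs[USER_PASSWORD]),
                                 expected.encode())
    elif expected is not None and CHAP_PASSWORD in attrs:
        cid, resp = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
        challenge = attrs.get(CHAP_CHALLENGE, req_auth)  # RFC: Request Authenticator if absent
        ok = hmac.compare_digest(chap_response(cid, expected.encode(), challenge), resp)
    unsigned = encode(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, {})
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]


def client_verify(secret: bytes, req_auth: bytes, response: bytes) -> bool:
    """Client side: only an Accept whose authenticator was built with the same
    shared secret counts; a reply from a mis-keyed or spoofed server is dropped."""
    code, _, resp_auth, _ = decode(response)
    check = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(check, resp_auth) and code == ACCESS_ACCEPT


def demo() -> Dict[str, bool]:
    """Constructed secret and user database, run through both methods."""
    secret, users = b"constructed-shared-secret", {"alice": "correct horse"}
    results: Dict[str, bool] = {}
    for method in ("PAP", "CHAP"):
        req, ra = access_request(secret, 7, "alice", "correct horse", method)
        results[f"{method}_accepted"] = client_verify(secret, ra, serve(secret, users, req))
        bad, ra = access_request(secret, 8, "alice", "wrong", method)
        results[f"{method}_wrong_password_accepted"] = client_verify(secret, ra, serve(secret, users, bad))
    # Server holding a different secret: PAP reveals garbage and the reply fails to verify.
    req, ra = access_request(secret, 9, "alice", "correct horse", "PAP")
    results["secret_mismatch_accepted"] = client_verify(secret, ra, serve(b"other-secret", users, req))
    return results
```

The last case is what a failed RADIUS test usually means in practice: with mismatched secrets the server cannot recover the PAP password and the client cannot validate the reply, so nothing authenticates even though the username and password are right. Note also that the PAP hiding is keyed by MD5 of the secret, so a weak secret is the practical limit of its protection; a long random shared secret is the mitigation the protocol itself offers.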

Related Topics

Directory Connector FAQs