Directory Connector

From UntangleWiki


Untangle Server User's Guide


About Directory Connector

Directory Connector enables Untangle to communicate with your directory services, allowing creation of per-user policies and per-user reports. Directory Connector also supplies connectors for communicating with external directory services so that other apps (such as Captive Portal) can authenticate users against external directories. Directory Connector creates a mapping from usernames to IP addresses so that policies can be created per username or group and reports can be viewed by username. Its connectors communicate with external directory services such as Active Directory or any directory service that supports RADIUS.


Settings

This section reviews the different settings and configuration options available for Directory Connector.


Status

This tab lists the current IP addresses mapped to usernames by either the Active Directory Login Script or a Captive Portal login. The IP address is mapped to the AD account name if using the AD script, to the AD account name if using Active Directory login on Captive Portal, or to the RADIUS account name if using RADIUS login on Captive Portal.


Active Directory Connector

The Active Directory connector tab contains settings for connecting and communicating with the Active Directory Server. The "Active Directory Test" tests these settings by communicating with the server.

After this is set correctly, other applications can use the connector to authenticate users using the Active Directory Server. Example: Captive Portal can be configured to authenticate logins using Active Directory.

To configure Active Directory Server:

Before you begin:

  1. Ensure that your Active Directory users are in one domain. Users can be in multiple Active Directory Organizational Units (OUs), but must be under one domain. Multiple domains are not supported at this time.
  2. If you are using your Active Directory server as your DNS server, ensure that your Untangle Server has its external interface DNS setting configured to point at your Active Directory server.
  3. The Active Directory server should be added to the bypass list of Captive Portal if Captive Portal is used.
(Screenshot: AD Sample Settings)
  1. In the Active Directory (AD) Connector tab, select the Enabled radio button.
  2. Provide the AD server IP or internal hostname in the AD Server IP or Hostname field.
  3. Specify the port on which the Untangle Server communicates with your Active Directory server (default is port 389).
  4. Provide the Active Directory domain name and the username and password for an administrator account (usually Administrator).
  5. In the Active Directory Domain field, enter the AD name. The AD name is available from the Active Directory tree.
  6. (Optional) Active Directory Organization: the Active Directory organizational unit (OU) that contains the users.
    • If you want the Untangle Server to find all your users, do not type any value in the Active Directory Organization field.
    • If, for some reason, you want to limit the users to a specific part of the domain tree, specify the OU path. For example, to include only users in the MyBusiness Organizational Unit the entry will be:
      OU=MyBusiness
    • If you want to limit the users further, to a specific end of the domain tree, specify the entire OU path. For example, to include only users in the MyBusiness Organizational Unit the entry will be:
      OU=MyBusiness,OU=Users,OU=IT
    (Screenshot: AD Group Tree)
  7. Click the Active Directory Test button. You will be asked to save your settings. Click Continue.
    • If you receive a Success! message, you have successfully enabled access to the Active Directory Server.
    • If you receive a Failure! message, the Active Directory test failed.
  8. Click the Active Directory Users button. The Untangle Server outputs a list of users in the text box. If the list does not include users that you expect:
    • Verify that you have the correct domain.
    • Verify that you have the correct OU, if you specified an OU.
  9. Click the Save button.


Active Directory Login Script

If you want to use the Username Map for per-user/group policies or per-user reports you can use the Active Directory Login Script.

The ADLS is a small script installed on your network clients using a group policy. Once installed on a client, the script starts each time the user logs on to the network and immediately notifies the Untangle Server that the user is on the network, and the Untangle Server remembers this IP address. Any activity for that IP address is automatically mapped to the user's username. This script runs on login and periodically in the background to keep the Directory Connector Username Map up to date with any logins, logouts, IP changes, etc.


To install the Active Directory Login Script:

Before you begin: This procedure assumes that you are logged on to the Active Directory Server and are remotely logged on to the Untangle Server.

  1. In the Active Directory (AD) Connector tab, click on the AD Login Script button. The Active Directory Login Script download page launches.
  2. Click on the download link. The Active Directory login script now resides on your AD server. You need to install the script in the correct location. The file name is adlogon_user.vbs.
  3. To apply the AD login script to the entire domain: this method uses a group policy to apply the AD login script to an entire domain and all OUs within that domain. Use this method if you have more than 10 users and a newer Windows Server platform.
  4. To apply the AD login script to specific users: use this method if you have 10 or fewer users and an older Windows Server platform.


ADLS for the entire domain

To apply AD login script for the entire domain:

  1. Download the Group Policy Management tool (it is installed by default on R2).
  2. Log on to the domain controller (Active Directory Server), then launch the Group Policy Management tool by doing one of the following:
    • Start > Program files > Administrative Tools > Group Policy Management
    • From a command line prompt, run gpmc.msc.
  3. Create the group policy:
    1. From Group Policy Management, right-click on the domain and select Create and Link a GPO here. The New GPO dialogue box appears.
    2. Specify a name for the group policy. Consider including Untangle in the group policy name. The new group policy appears in the list of group policies.
    (Screenshot: Create Group Policy)
  4. Add the AD Login Script to the policy:
    1. Right-click on the group policy that you just created, and click Edit.
    (Screenshot: Launch Edit Window)
    2. Go to User Configuration > Windows Settings > Scripts (Logon/Logoff). The Scripts (Logon/Logoff) window appears in the right frame.
    3. Click on the Logon icon. The Logon Properties window appears.
    4. Click the Show Files button. A Windows Explorer window launches.
    5. Copy the adlogon_user.vbs file that you downloaded earlier (see To install the Active Directory Login Script) to this location.
    6. Click the Add button, browse for the script, then click OK.
    (Screenshot: Add AD Script To Policy)
  5. Apply users to the group policy:
    1. In the Logon Properties window, click on the Add button, type a descriptive script name, then click OK.
    2. In the Select User, Computer or Group window, select the OU or Group to which you want to apply this GPO.
    (Screenshot: Add Users To Policy)
  6. From a command line prompt, activate the group policy that you just created:
      gpupdate /force


ADLS for specific users

To apply AD Login Script for specific users:

  1. Log on to the domain controller (Active Directory Server), then save the adlogon_user.vbs file to \\localhost\NETLOGON.
  2. Using an editor, create a local.bat file that has the following lines (ADServerIPAddress is the address of your AD server):
      @echo off
      \\ADServerIPAddress\netlogon\adlogon_user.vbs
  3. Save the local.bat file to \\localhost\NETLOGON.
  4. From the domain, go to the Users folder.
  5. Right-click the user that requires the AD Login script. The Properties window appears.
  6. Click the Profile tab and, in the Logon script field, type the name of the AD Login script.
  7. Launch the Group Policy Management Console (GPMC), then launch the Group Policy Object Editor.
  8. Copy the adlogon_user.vbs file that you downloaded in X to this location. You return to the Logon Properties window.


Supported Active Directory Configurations

The Untangle Server's Active Directory integration is designed to address the most common needs of small to medium sized businesses. Although the requirements below are very specific, they are easily met in most small to medium sized business computing environments.


Supported Server OS

AD Server OS                              Support
Windows Server 2008                       Yes*
Windows Small Business Server 2008        Yes*
Windows Small Business Server 2003        Yes
Windows Small Business Server 2003, R1    Yes
Windows Small Business Server 2003, R2    Yes
Windows Server 2003, Standard SP2         Yes
Windows Server 2003, Standard R2          Yes
Windows 2000 Server                       Yes
Windows NT 4.0 Server                     No

* Note: For Windows Server 2008, if you installed it with the strictest security settings, you must disable the LDAP signing requirement. For more information, follow the instructions linked here, but disable the requirement instead of enabling it. You should then run gpupdate /force on the server to update the group policy in effect.


Supported Client OS

  • Windows 2000 Professional (5.0 SP4 Rollup 1 v2) or later
  • Windows XP Professional SP2 (5.1.2600 Service Pack 2) or later
  • Windows Vista (6.0 Build 6000) or later


RADIUS

The RADIUS connector enables authentication to directory services using the RADIUS protocol. Other applications such as Captive Portal can use the RADIUS connector to authenticate and identify users.

To configure RADIUS:

  1. Open the Settings of Directory Connector and open the RADIUS tab.
  2. Click the 'Enabled' checkbox to enable the RADIUS connector.
  3. Enter the directory server's IP in RADIUS Server IP or Hostname.
  4. Enter the port used to communicate with the directory server (default: 1812) in Port.
  5. Enter the shared secret from the RADIUS server in Shared Secret.
  6. Select the Authentication Method supported by the server. Options are CLEARTEXT, PAP and CHAP.
  7. Test your setup using the RADIUS test.
  8. Click the Save button.

After RADIUS is configured you can configure Captive Portal to use RADIUS authentication to validate usernames.
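The PAP and CHAP options in step 6 differ in how the user's password travels between the RADIUS client and server: under PAP it is hidden only by an MD5 keystream derived from the shared secret entered in step 5 (RFC 2865 section 5.2), while under CHAP the client sends a challenge response and never transmits the password itself (section 5.3). The following is an added example, not Untangle code, implementing both sides of each method; the secret, Request Authenticator and challenge values are constructed test data.

```python
import hashlib

# Added example (not Untangle code): RFC 2865 password protection for the PAP
# and CHAP methods. Secret, authenticator and challenge below are constructed.

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = authenticator, b""
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the keystream from the shared secret, then strip the padding.
    Anyone holding the shared secret and the packet can do the same, so the secret
    is the only thing protecting a PAP password on the wire."""
    prev, out = authenticator, b""
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP-Password = Ident || MD5(Ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(chap_password: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server side: CHAP keeps the password off the wire, but the server must hold it
    in a form it can recompute the MD5 over (no one-way hash storage)."""
    return chap_response(chap_password[0], stored_password, challenge) == chap_password

if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", bytes(range(16))
    hidden = pap_hide(b"hunter2", secret, auth)
    print("PAP hidden:", hidden.hex(), "->", pap_reveal(hidden, secret, auth))
    print("PAP with wrong secret:", pap_reveal(hidden, b"wrong", auth))
    challenge = bytes(range(16, 32))
    resp = chap_response(7, b"hunter2", challenge)
    print("CHAP verify:", chap_verify(resp, b"hunter2", challenge))
```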


Event Log

There isn't one!


Related Topics

Active Directory


Directory Connector FAQs

What about shared IP addresses, like with a Terminal Server?

Directory Connector works by mapping IP addresses to usernames, so any IP address sharing means Directory Connector cannot tell these users apart. In the case of a Terminal Server using a shared IP address for all users, Directory Connector will not be able to distinguish among users any activity going through the Terminal Server.

There is some third party software available which can solve this issue.
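The Username Map shown on the Status tab, the refresh and IP-change behaviour of the login script, and the shared-IP limitation in this FAQ can be modelled in a few lines. The following is an added example, not Untangle code: a map keyed by IP that expires stale bindings, drops a user's old address when they reappear from a new one, and records the collision that a Terminal Server produces so the ambiguity is visible rather than silent (this goes beyond the page, which only states that the users cannot be told apart). The TTL and the sample logon events are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Added example (not Untangle code): a model of the Status tab's Username Map.
# Logon events come from the AD login script or a Captive Portal login; the
# TTL and the sample events in run_sample() are constructed.

@dataclass
class Binding:
    username: str
    source: str      # "ad-script" or "captive-portal"
    last_seen: int   # seconds; refreshed by the script's periodic re-notification

class UsernameMap:
    def __init__(self, ttl: int = 3600):
        self.ttl = ttl
        self.by_ip: Dict[str, Binding] = {}
        self.collisions: List[Tuple[str, str, str]] = []  # (ip, previous user, new user)

    def logon(self, ip: str, username: str, source: str, now: int) -> None:
        # The same user seen from a new IP (DHCP change): drop the stale binding
        # so traffic from the old address is no longer attributed to them.
        for old_ip, b in list(self.by_ip.items()):
            if b.username == username and old_ip != ip:
                del self.by_ip[old_ip]
        cur = self.by_ip.get(ip)
        # A different user on a still-live IP is the shared-IP (Terminal Server)
        # case from the FAQ: the map cannot tell them apart, so record it.
        if cur and cur.username != username and now - cur.last_seen < self.ttl:
            self.collisions.append((ip, cur.username, username))
        self.by_ip[ip] = Binding(username, source, now)

    def logoff(self, ip: str) -> None:
        self.by_ip.pop(ip, None)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        b = self.by_ip.get(ip)
        if b is None or now - b.last_seen >= self.ttl:
            return None  # unknown or expired: traffic is reported by IP only
        return b.username

def run_sample() -> dict:
    m = UsernameMap(ttl=3600)
    m.logon("10.0.0.5", "alice", "ad-script", 0)
    m.logon("10.0.0.9", "bob", "captive-portal", 10)
    m.logon("10.0.0.7", "alice", "ad-script", 60)     # alice got a new lease
    m.logon("10.0.0.20", "carol", "ad-script", 100)   # Terminal Server address
    m.logon("10.0.0.20", "dave", "ad-script", 105)    # second user, same IP
    return {"alice": m.lookup("10.0.0.7", 200), "old_alice": m.lookup("10.0.0.5", 200),
            "bob_expired": m.lookup("10.0.0.9", 3610), "collisions": m.collisions}
```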

I only see 1000 usernames, but I have more users. Why?

Untangle can read more than 1000 users from AD, but AD must be configured to send more than 1000 users. Run these commands from the command prompt on the AD server to enable AD to send up to 5000 users:

ntdsutil.exe
LDAP policies
Connections
Connect to server addomainname.local
Quit
Set MaxPageSize to 5000
Commit Changes
Quit
Quit

I have followed all the steps and, to the best of my knowledge, installed it correctly. How come the logon script does not work?

One way to check whether your logon script is working is to look at the Status tab, which shows the current user-to-IP map.

If you see no entries after running the script manually or via logon, and Untangle is in bridge mode, verify that your interfaces are not backwards.