Personal tools

Directory Connector

From UntangleWiki

Jump to: navigation, search
Image:DirectoryConnector_128x128.png     Directory Connector
Other Links:
Directory Connector Description Page
Directory Connector Screenshots
Directory Connector Forums
Directory Connector FAQs



Contents

About Directory Connector

Directory Connector enables Untangle to communicate with directory servers, such as Untangle's built-in Local Directory, Microsoft's Active Directory, or servers that support RADIUS. It maps usernames to IP addresses so that policies can be created by usernames (or groups with Active Directory) and Reports can be viewed by username.


Settings

This section reviews the different settings and configuration options available for Directory Connector.


Getting Started with Directory Connector

Before you being setting up, there are a few things to review:

  1. Ensure that your Active Directory users are in one domain. Users can be in multiple Active Directory Organizational Units (OUs), but must be under one domain - multiple domains are not supported at this time.
  2. If you're planning to use Captive Portal, the Domain Controller should be added to the Pass Listed Client Addresses list.
  3. Check to see if you have the Group Policy Management Console installed; if not, install it.
  4. If you're running Active Directory on Windows Server 2008, please see this FAQ entry on disabling the Signed LDAP requirement if you have installed with the strictest security settings.



Status

This tab lists current IP addresses mapped to usernames by either the Active Directory Login Script or Captive Portal. The authentication method is also displayed along with any group information.



Active Directory Connector

The Active Directory Connector tab contains settings for connecting and communicating with a Domain Controller. Other applications such as Captive Portal can use Directory Connector to authenticate and identify users against an existing Domain Controller.

  • AD Server IP or Hostname: The IP or hostname of the AD server - we recommend using the IP to prevent DNS issues.
  • Port: The port to use when connecting to the AD server. The default is 389.
  • Authentication Login: Enter an Active Directory Administrator login.
  • Authentication Password: Enter an Active Directory Administrator password.
  • Active Directory Domain: Your domain, (e.g. mycompany.local).
  • Active Directory Organization: The Active Directory organization unit (OU) that contains the users. If you want the Untangle Server to find all users, leave this blank.
If for some reason you want to limit the users to a specific part of the domain tree, specify the OU path in the format of OU=ouName. You can enter multiple OU's separated by a comma, such as OU=ouName1,OU=ouName2.

You can use the test tools to verify your settings and view an incomplete user list. After Active Directory is configured, you can configure Captive Portal to use it for authenticating users if you wish.



Active Directory Login Script

If you want to use the Username Map for per-user/group policies or per-user reports, you have two choices - the Active Directory Login Script (ADLS) and Captive Portal. If possible, we recommend using the ADLS as it will run automatically when users log in; when using Captive Portal they will have to enter their credentials to log in to Windows, then again to access the Internet.

The ADLS is a small script that is run by network computers upon login. Once installed, the script starts each time a user logs on to the network and immediately notifies Untangle of the username and IP address. Once this process is finished, any activity for that IP address will be automatically mapped to the username. This scripts runs on login and periodically in the background to keep the Directory Connector Username Map updated with any current information on your network users. To download the Active Directory Login Script, make sure that you are logged into Untangle's web GUI from the Domain Controller. On the Active Directory Connector tab of Directory Connector, click on the AD Login Script button and download the script.

Now that you have the ADLS on your Domain Controller, you need to decide if you want it run for all domain users or only for specific users.



ADLS for the entire domain

To apply ADLS to the your entire domain you'll need to set up a new Group Policy Object - please follow the instructions below.

  1. Log on to the Domain Controller, then launch the Group Policy Management Console (Start > Run: gpmc.msc).
  2. From the Group Policy Management Console, right-click on the domain and select Create and Link a GPO here.
  3. Specify a name for the Group Policy.
  4. Right-click on the group policy that you just created and click Edit.
  5. Go to User Configuration > Windows Settings > Scripts (Logon/Logoff).
  6. Click on the Logon icon, then Show Files. Windows Explorer will launch into the correct directory.
  7. Copy the adlogon_user.vbs file that you downloaded to this location.
  8. Click the Add button, browse for the script, then click OK.
  9. In the Logon Properties window, click Add , type a descriptive script name, then click ok.
  10. In the Select User, Computer or Group window, select the OU or Group to which you want to apply this GPO.
  11. From a command prompt, activate the group policy that you just created: gpupdate /force.

You can verify it is working by looking for users showing up in the Username Map on the Status tab.



ADLS for specific users

If you only want to use the ADLS for a few users, you can use these instructions:

1. Bring up Untangle's web GUI from the domain controller, then save the adlogon_user.vbs file to \\localhost\\NETLOGON.
2. Using a text editor, create a local.bat file that has the following lines: 
@ echo off
\\ADServerIPAddress\netlogon\adlogon_user.vbs
3. Save the local.bat file to \\localhost\\NETLOGON.
4. From the domain, go to the Users folder, right-click the user and go to Properties.
5. On the Profile tab, type the filename of the ADLS (probably adlogon_user.vbs) in the Logon script field.
6. Launch the Group Policy Management Console, then launch the Group Policy Object Editor (Start > Run: gpedit.msc).
7. Copy the adlogon_user.vbs file that you downloaded in the first step to this location.



RADIUS Connector

The RADIUS connector enables authentication to a directory using the RADIUS protocol. Other applications such as Captive Portal can use the RADIUS connector to authenticate and identify users against an existing RADIUS server.

  • RADIUS Server IP or Hostname: The IP or hostname of the RADIUS server - we recommend using the IP to prevent DNS issues.
  • Port: The port to use when connecting to the RADIUS server. The default is 1812.
  • Shared Secret: This must match the shared secret set on the RADIUS server.
  • Authentication Method: This must match the authentication method used by the RADIUS server.

You can use the test tool to verify your settings. After RADIUS is configured, you can configure Captive Portal to use it for authenticating users if you wish.


Event Log

There isn't one!


Related Topics

Policy Manager

Captive Portal

Active Directory


Directory Connector FAQs

The ADLS never completes or isn't working. Why?

You'll need to make sure Domain Controller has the following settings: 

ComputerConf > Policies > Admin Templates > System > Scripts
- Run logon scripts synchronously =  disabled
- Run startup scripts asynchronously = enabled

UserConf > Policies > Admin Templates > System > Scripts
- Run logon scripts synchronously = disabled

One user solved his issue by adding the script here: 

UserConf > Policies > Administrative Templates > System > Logon > Run These Programs at System Logon


What about shared IP addresses, like with a Terminal Server?

The Directory Connector works by mapping IP addresses to usernames; any IP address sharing will mean the Directory Connector will not be able to tell theses users apart. After some testing, we've seen that a product called Virtual IP when paired with Captive Portal allows these users to be differentiated and become subject to policies and filtering. This has not been tested with the login script - we'll update this entry when we have more information. Virtual IP is only available as a part of the Thinomenon Access Suite.


Why can I only see 1000 users?

Untangle can read more than 1000 users from Active Directory, however your AD server must be configured to send more than 1000 users. Run these commands from the command prompt on the AD server to send up to 5000 users: 

ntdsutil.exe
LDAP policies
Connections
Connect to server addomainname.local
Quit
Set MaxPageSize to 5000
Commit Changes
Quit
Quit


The Active Directory Login Script is still not working - what can I do?

One way to check to see if your logon script is working or not is to check the status page to view the current Username Map. If you are seeing no entries after running the script manually, edit the script and make sure the internal IP of Untangle is listed. If you're in bridge mode, make sure Administrator Alerts isn't telling you your bridge is backwards.


Does the GPMC (Group Policy Management Console) work with a 64bit OS?

Not officially - please check out this link or contact Microsoft for more information.


Why are my Security Groups not showing up?

Security Groups will not be displayed when using the Active Directory Users button in the settings, but they will be displayed when selecting users in the Policy Manager. Only Security Groups will be shown, not OUs.


I'm authenticating Captive Portal users against Active Directory, but no names show up in the Username Map. Why?

Captive Portal must go into the rack after Directory Connector to properly work - this refers to the order in which they are installed into the rack, not the order they appear in the rack. If you're seeing this issue, simply remove Captive Portal to the rack, then add it back into the rack and reconfigure it. The next time a user logs in through it, they should correctly populate on the Username Map.


Can I use the ADLS with my OSX machines?

While Untangle does not directly support this, one of our users has adapted some existing scrips to provide the same functionality. You can find more information on our forums here.


Is this supported with all versions of Active Directory?

For clients running the ADLS, any version of Windows XP or newer should work. For servers, please see the table below. If you're running Windows Server 2008 and you've installed it with the strictest security settings, you must disable the signed LDAP security requirement. Microsoft has an article for enabling the feature here, however for our purposes it must be disabled. You should then run gpupdate /force on the server to update the current group policy.

AD Server OS Support
Windows Server 2008 Yes
Windows Small Business Server 2008 Yes
Windows Small Business Server 2003 Yes
Windows Small Business Server 2003 R1 Yes
Windows Small Business Server 2003 R2 Yes
Windows Server 2003, Standard SP2 Yes
Windows Server 2003, Standard R2 Yes
Windows 2000 Server Yes
Windows NT 4.0 Server No


I don't know what to enter in the fields!

You can use the image below to get the information directly from your server, however we highly recommend contacting your Active Directory administrator to assist you in setting this up.

Retrieved from "http://wiki.untangle.com/index.php/Directory_Connector"