Configuring Active Directory Or LDAP Authentication And Defining User Or Group Based Access With SafeSquid

 
Submitted by Sean (Contact Author) (Forums) on Tue, 2010-01-26 11:57. :: Security


This tutorial explains how you can integrate an Active Directory or LDAP directory with SafeSquid for user authentication, and create granular user- or group-based access policies. It applies to both the Linux and Windows editions.

The 'LDAP Configuration' section in SafeSquid for Linux (version ntlm-RC.x) and SafeSquid for Windows (version 3.x.x.x) lets you configure an Active Directory or LDAP directory from the Web GUI for user access and authentication. These versions also let you create rules under the 'Access Restriction' section to allow access to specific users or user groups on the AD / LDAP and to apply different profiles to them. Those profiles can then be used in the various SafeSquid filtering sections to specify what is allowed or blocked for each user or group.

Configuring AD / LDAP

This tutorial uses an Active Directory with IP address 192.168.0.1 and domain name oe2000.com. An account on the AD is required for SafeSquid to bind to it and query it; in this example the user sachin, with the account sachin@oe2000.com, is used. This can be any user account and need not be an administrative one; you can also create a dedicated user on the AD for this purpose, e.g. safesquid.

In the SafeSquid Interface, go to Config >> LDAP Configuration.
Enable the section by selecting Enabled as Yes, and clicking on the Submit button.
Click on Add under the Entries for processing Ldap profile subsection, and add a rule as shown below:

[Figure: LDAP Configuration Section]

Note that the Ldap Password of user sachin is an encrypted one. Before creating the rule, click on Encrypt Password link in the top menu of the Interface, encrypt the password, and copy-paste the encrypted password in the above rule.

Once this rule is created, save the changes by clicking on Save settings in the top menu. Restart SafeSquid service after saving settings.

Now to test if SafeSquid is able to communicate with the Active Directory, click on Show LDAP Groups in the top menu of the Interface. In the screen that appears, leave the Ldap search field blank, and click on the Submit button below it. This should list the Active Directory users and groups, as shown in the figure below.

[Figure: Show LDAP Group]

You can use this section to search for any specific user or group on the AD and get its details. For example, if you enter 'sachin' in the Ldap search field and click on the Submit button, you should get a screen similar to the figure below.

[Figure: LDAP Search]

Defining users / groups and applying profiles

Once your AD / LDAP is configured, you can define user / group access from the Access Restriction section in the SafeSquid Interface.
Go to Config >> Access Restriction.
To allow access to specific users, click on Add under the Allow subsection, and create a rule as shown in the figure below.

[Figure: Defining specific users on AD / LDAP]

Note that in the Linux edition you need to enable PAM Authentication in place of System Authentication, which is the option available in the Windows edition.

Specify the users that you want to allow in the User name field, as shown in the figure above. This field is a regular expression; in the example it specifies that the user name must be 'sachin', 'satish' or 'santosh'. If you would like to allow access to all users on the AD, leave this field blank.

Specify the profile that you would like to apply to these users in the Added profiles field. This profile can then be used in other filtering sections, to define what is allowed / blocked to these users.

You can create multiple rules with different users and apply a different Added Profile to each, effectively creating different user groups, and later use each group's 'Added Profile' to define what is allowed / blocked for it. Note that a user name cannot be used in multiple rules: the first rule that matches a user is the one applied.

If you would like to allow access to all the members of a specific OU on the AD, create a rule as shown in the figure below.

[Figure: Defining specific OU]

Note that you do not need to specify user names if you would like to allow access to all the members of the specified OU. If you do specify user names, only those users from the OU will be allowed access.

You can create multiple rules for different OUs and apply a different Added Profile to each. This lets you define granular policies for the members of each OU.
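To see how the rule semantics above play out (first matching rule wins, a blank User name field means every user, an OU rule applies only to that OU's members), here is an added Python model of the Access Restriction evaluation; it is not SafeSquid code. The rule set, OU name and profile names are constructed, and whether SafeSquid anchors the user-name pattern to the whole name is not stated in this tutorial, so the model handles both interpretations.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AllowRule:
    """One constructed 'Allow' entry: user-name pattern, optional OU, added profile."""
    users: str          # regular expression; blank means every user
    ou: str             # OU distinguished name; blank means any OU
    added_profile: str


def matches_users(pattern: str, user: str, anchored: bool) -> bool:
    """A blank pattern allows everyone. 'anchored' decides whether the pattern
    must cover the whole user name (fullmatch) or may match a substring (search)."""
    if pattern == "":
        return True
    if anchored:
        return re.fullmatch(pattern, user) is not None
    return re.search(pattern, user) is not None


def resolve_profile(rules: List[AllowRule], user: str, user_ou: str,
                    anchored: bool = True) -> Optional[str]:
    """Walk the rules in order; the first match supplies the Added Profile.
    None means no rule matched and the user is not allowed through."""
    for rule in rules:
        if rule.ou and rule.ou != user_ou:
            continue
        if matches_users(rule.users, user, anchored):
            return rule.added_profile
    return None


# Constructed rule set: the three named users get 'unrestricted';
# everyone else in the (constructed) Sales OU gets 'restricted'.
RULES = [
    AllowRule("sachin|satish|santosh", "", "unrestricted"),
    AllowRule("", "OU=Sales,DC=oe2000,DC=com", "restricted"),
]

if __name__ == "__main__":
    sales = "OU=Sales,DC=oe2000,DC=com"
    print(resolve_profile(RULES, "sachin", sales))                    # unrestricted
    print(resolve_profile(RULES, "sachin2", sales))                   # restricted
    print(resolve_profile(RULES, "sachin2", sales, anchored=False))   # unrestricted
```

With an unanchored match, 'sachin2' picks up the named-user profile, which is why a user-name pattern should be written to match exact names only.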

Download: You can download SafeSquid free editions from here.


