Astaro User Bulletin Board
Go Back   Astaro User Bulletin Board > Astaro Gateway Products > Web Security: HTTP/HTTPS/FTP, IM/P2P, Web Filtering and Antivirus
Reload this Page A possible solution to Astaro's SSO AD shortcomings
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Welcome to the Astaro User Bulletin Board.
If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Page 1 of 2 1 2
Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 10-18-2008, 04:51 PM
Wizard
  
Join Date: May 2003
Location: Brunswick, Maryland, USA
Posts: 2,667
Default A possible solution to Astaro's SSO AD shortcomings
Likewise Open Source Software that Authenticates Linux, Unix, and Mac systems with Microsoft Active Directory

This would allow astaro to fully integrate with AD and be truly SSO capable. It's gpl 3 to boot so it's truly free..
Last edited by William; 10-18-2008 at 04:55 PM.
Reply With Quote
  #2 (permalink)  
Old 10-18-2008, 07:54 PM
svens's Avatar
Senior Member
  
Join Date: Nov 2005
Posts: 260
Default
Quote:
Originally Posted by William View Post
Likewise Open Source Software that Authenticates Linux, Unix, and Mac systems with Microsoft Active Directory

This would allow astaro to fully integrate with AD and be truly SSO capable. It's gpl 3 to boot so it's truly free..
Could you describe in a few words what Astaro's shortcomings are? Will consider that information for future versions.

Cheers,

Sven.
__________________
Sven Schnelle
Software Architect
Astaro AG
Reply With Quote
  #3 (permalink)  
Old 10-18-2008, 09:53 PM
BAlfson's Avatar
Moderator
  
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,390
Thumbs up My only complaint is with the documentation.
I know from earlier threads that AD SSO used to be quirky, so I had avoided it in the past. Recent reports were that it works fine. I'm cooling my heels waiting for my wife to get ready, so I just tried it on our setup at work.

Perfect!

My only complaint is with the documentation. The importance of the 'Base DN' assignment is not clarified. I was frustrated that I had to create new groups in my AD 'Users' group instead of being able to use other groups we already had in place. Of course, all I had to do was decrease the specificity of the Base DN, but it had been so long ago that I set up AD Authentication, I had forgotten it was there.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
Reply With Quote
  #4 (permalink)  
Old 10-19-2008, 04:22 PM
Wizard
  
Join Date: May 2003
Location: Brunswick, Maryland, USA
Posts: 2,667
Default
When you join the domain if you create a member on the AD server that information is NOT passed to the astaro. The Astaro will not automatically create users in concert with the AD server. If i am wrong let me know but i have one astaro connected to AD and it doesn't auto populate users. I was told in an earlier thread this is by design and it is not an astaro issue hence my sugestion above.
Reply With Quote
  #5 (permalink)  
Old 10-19-2008, 05:04 PM
BAlfson's Avatar
Moderator
  
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,390
Default
I created a user 'Testy' and a group 'Test' in AD and added 'Testy' to 'Test'.

On the Astaro, I configured prefetch with the AD group 'Test', opened the prefetch live log and kicked off a 'Prefetch now'. I watched as 'Testy' was added. In the User list, 'Testy' appeared along with the email address I created for him in AD.

Are you talking about something different?

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
Reply With Quote
  #6 (permalink)  
Old 10-20-2008, 02:16 AM
Wizard
  
Join Date: May 2003
Location: Brunswick, Maryland, USA
Posts: 2,667
Default
yes i am talking about the http proxy active directory integration as i don't use prefetch.
Reply With Quote
  #7 (permalink)  
Old 10-20-2008, 05:21 PM
BAlfson's Avatar
Moderator
  
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,390
Default
Have you tried checking 'Create users automatically' on the 'Global' tab of 'Users >> Authentication'? I know that the User Portal and whitelists don't work if that's not checked, even with prefetch active.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
Reply With Quote
  #8 (permalink)  
Old 10-23-2008, 05:47 PM
Wizard
  
Join Date: May 2003
Location: Brunswick, Maryland, USA
Posts: 2,667
Default
Quote:
Originally Posted by BAlfson View Post
Have you tried checking 'Create users automatically' on the 'Global' tab of 'Users >> Authentication'? I know that the User Portal and whitelists don't work if that's not checked, even with prefetch active.

Cheers - Bob
nod..since the latest updates though i'll blow it out and redo it from sctrach as some fields have changed. Once that's been added is the base DN field in the active directory area...what is that? The manual doesn't explain that one.
Reply With Quote
  #9 (permalink)  
Old 10-24-2008, 01:03 PM
BAlfson's Avatar
Moderator
  
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,390
Default
The Base DN is how far into the AD you can go.

My bind user is:
“CN=bob2,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Our domain,DC=local”

Originally, my Base DN was:
“OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Ourdomain,D C=local”

That didn't let me get to the groups already defined in our AD. Now, my Base DN is:
“OU=MyBusiness,DC=Ourdomain,DC=local”

You've been doing this a long time, William. I'd be interested in what issues you find with Astaro SSO after you redo from scratch.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
Reply With Quote
  #10 (permalink)  
Old 10-30-2008, 12:32 AM
Wizard
  
Join Date: May 2003
Location: Brunswick, Maryland, USA
Posts: 2,667
Default
ok i must be missing something simple.

My username is William, I'm in the users container and then there's <mydomain>.local.

here's what i have in the base dn box:
CN=William,CN=Users,DC=<mydomain>,DC=Local
I then have my password in the correct fields...what should hte base DN be? I keep getting:

Server exists and accepts connections, but bind to ldap://<my server's ip>:389 failed with this Bind DN and Password
Reply With Quote
Reply
Page 1 of 2 1 2

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT. The time now is 11:02 PM.

 
Contact Us - Astaro User Bulletin Board - Archive - Top

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.


These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases. issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.