Configure or troubleshoot Web Gateway eDirectory authentication
Technical Articles ID:
KB69994
Last Modified: 2022-06-06 09:56:11 Etc/GMT
Summary
This article addresses the following topics to help you set up eDirectory authentication with WG:
- Background — Information about how WG interacts with eDirectory
- Configuration — Instructions to configure eDirectory authentication with WG
- Common Issues — A list of common issues that can occur when you configure eDirectory authentication with WG
- Troubleshooting — Tools to troubleshoot eDirectory authentication issues with WG
Background
Here's some background information to help you understand how WG interacts with eDirectory. When a user logs on to their workstation using the Novell client, the NetworkAddress attribute is populated for that user on the eDirectory server. The NetworkAddress attribute holds the user's IP address as a hex value. WG sends an LDAP request to the eDirectory server; the response contains the list of users that are currently logged on together with their NetworkAddress attribute. WG repeats this LDAP request frequently so that its list stays current when a new user logs on to a workstation. WG stores these values in a cache for a configurable amount of time (the authentication cache entry TTL). After the cache is built with all users and their network addresses, WG can authenticate and authorize a user who makes a request by matching the request's source IP address. To determine the user's group memberships, WG performs another LDAP request for an attribute of the user or of the group.
Configuration
- Add the Authenticate and Authorize rule set from the Rule Set Library.
  - Navigate to Policy, Rule Sets.
  - Click Add and select Rule Set from Library.
  - Select the Authenticate and Authorize rule set. You're prompted to solve some conflicts after import. Click Auto-Solve Conflicts… and choose the option that fits, typically Solve by referring to existing objects.
  - Click OK after the conflicts are solved.
You now have a new set of rules added to your primary Rule Set.
- Customize the Authenticate and Authorize rule set. Update the rules to use the eDirectory server instead of the internal User Database.
  - Select the rule Authenticate with User Database (in the left pane) and click Edit. The Edit Rule dialog box displays.
  - Move to the Rule Criteria step.
  - Select the property Authentication.Authenticate<User Database> and click Edit. The Edit Criteria dialog box displays.
  - Under Settings (for 'Authentication'), which controls the source WG checks credentials against, click Add to create another Authentication Engine.
- Create the eDirectory Authentication Engine. The settings available for the Novell eDirectory Authentication Engine are listed below. The items in bold require changes; most others can be left unchanged.
Authentication Method: Novell eDirectory
Proxy Realm: This setting controls what's displayed for Proxy-Authenticate: Basic realm="". Typically, customers enter the fully qualified domain name (FQDN) of their appliance.
Authentication attempt timeout: The default is five seconds.
Use Authentication Cache: This setting MUST be selected.
Authentication cache entry TTL: The default is 30 minutes, but if you're just testing, two minutes might be a good value to set it at temporarily.
LDAP server(s) to connect to: Click Add and specify your LDAP server in the format ldap://IP-address:389.
List of certificate authorities: This list applies only if you plan to use LDAPS or SLDAP.
Credentials: Type the credentials using LDAP syntax, for example, cn=admin,ou=users,o=reno.
Password: Type your password.
International text support: Retain the defaults; change it only if your environment requires it.
Enable LDAP version 3: This setting is selected by default.
Allow LDAP library to follow referrals: This setting is deselected by default.
Connection live check: The default is five minutes.
LDAP operation timeout: The default is five seconds.
eDirectory network address attribute: The default is NetworkAddress.
eDirectory login time attribute: The default is loginTime.
eDirectory minimal update interval: The default is 15 seconds. This setting determines how often WG queries the eDirectory for the list of logged on users.
Base distinguished name to user objects: Typically, we recommend that you specify the top of the tree (for example, o=reno). Adjust if you require the scope of the tree to be limited.
Map user name to DN: This setting is selected by default.
Filter expression to locate a user object: The default is '(&(ObjectClass=user)(loginTime>=%u))'.
Get user attributes: This setting is selected by default, and must be selected to determine group membership information.
User attributes to retrieve: The default is 'cn', although most implementations use 'groupMembership', so use that instead. See the section on determining your user's 'group' attribute.
Attributes concatenation string: The default is none. Use this setting if you retrieve multiple attributes.
A good separator is '|' (pipe). The attributes are stored in reverse order of retrieval; for example, if you retrieve 'ou' and 'groupMembership' as attributes 1 and 2 respectively, the Authentication.Attributes value is [groupMembership]|[ou].
Get groups attributes: This setting is deselected by default.
Base distinguished name to group objects: Same recommendation as user objects if used.
Filter expression to locate a group object: If using the group object, you probably don't need this setting.
Group attribute to retrieve: 'member' is a good value to use, though the default is 'cn'.
Attributes concatenation string: Same as above.
- Perform the Authentication Test. The test displays the attributes for the users returned by the eDirectory server.
- Update the rule names so that they reflect what they accomplish. This prevents your configuration from becoming confusing. For example, rename the default rule Authenticate with User Database to Authenticate with eDirectory.
- Modify the blockpage to include group information (attributes). During the testing phase, this is a convenient way to determine a user's group membership quickly.
  - Navigate to Policy, Settings.
  - Select Authorized Only for Template Name and click Edit.
  - Add the Authentication.Attributes property after the User name line:
    <b>Attributes: </b>$Authentication.Attributes$<br />
  - Save.
Now, the blockpage includes the group information; for example, Attributes: Dealers, admingroup.
Common Issues
- Time difference: Make sure that there isn't a large time difference between WG and the eDirectory server. A large time difference can make the LDAP request invalid. For example, if the clock on WG is too far ahead of the eDirectory server, the incremental LDAP requests that WG sends ask for all users who logged in after a time that, from the eDirectory server's point of view, is still in the future, so new logons are not returned until the cache expires and WG requests all users again. Here's an example conversation between WG and the eDirectory server:
Web Gateway [Sat, 01 Aug 2020 16:00:10]: Hey eDirectory, who has logged in since Thu, 01 Jan 1970 00:00:00? Also, what is their NetworkAddress?
eDirectory: Well, cn=admin has, his NetworkAddress is 10.10.69.7.
Web Gateway [Sat, 01 Aug 2020 16:00:25]: Hey eDirectory, who has logged in since Sat, 01 Aug 2020 16:01:10? Also, what is their NetworkAddress?
eDirectory: No one. That's in the future…
…[after the cache has expired, it will request all users again]…
Web Gateway [Sat, 01 Aug 2020 16:30:10]: Hey eDirectory, who has logged in since Thu, 01 Jan 1970 00:00:00? Also, what is their NetworkAddress?
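The following is an added simulation of the cache behaviour described in the Background section and in the time-difference issue above. It is constructed example code, not Web Gateway or eDirectory code: the directory is a list of dicts, the filter (&(ObjectClass=user)(loginTime>=%u)) is emulated by a string comparison on loginTime, %u is assumed to expand to an LDAP GeneralizedTime value, and NetworkAddress is assumed to be the IPv4 address as four hex bytes. The user names, times and addresses are taken from or modelled on the page's own examples.

```python
"""Simulation of the WG logged-on-user cache and the clock-skew failure (constructed example)."""
from datetime import datetime, timezone

EPOCH = 0  # first query, and every query after cache expiry, asks for logons since 1970-01-01


def generalized_time(ts):
    """Unix timestamp -> LDAP GeneralizedTime, e.g. 0 -> '19700101000000Z' (assumed %u format)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d%H%M%SZ")


def decode_network_address(hex_value):
    """Assumed encoding: IPv4 address as 4 hex bytes, e.g. '0A0A4507' -> '10.10.69.7'."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 4:
        raise ValueError("expected a 4-byte IPv4 NetworkAddress")
    return ".".join(str(b) for b in raw)


def edirectory_search(directory, since_ts):
    """Emulates (&(ObjectClass=user)(loginTime>=%u)); GeneralizedTime is fixed-width, so
    plain string comparison orders it correctly."""
    since = generalized_time(since_ts)
    return [e for e in directory if e["objectClass"] == "user" and e["loginTime"] >= since]


class LogonCache:
    """IP address -> user DN, refreshed the way the page describes: a full query since epoch
    when the cache is (re)built, incremental queries since the last query time otherwise."""

    def __init__(self, ttl_seconds, update_interval):
        self.ttl = ttl_seconds              # Authentication cache entry TTL
        self.interval = update_interval     # eDirectory minimal update interval
        self.built_at = None                # WG-clock time of the last full rebuild
        self.last_query = None              # WG-clock time used as %u for the next query
        self.entries = {}

    def refresh(self, directory, wg_now):
        if self.built_at is None or wg_now - self.built_at >= self.ttl:
            since = EPOCH                   # cache expired: request all users again
            self.built_at = wg_now
            self.entries = {}
        elif wg_now - self.last_query < self.interval:
            return                          # honour the minimal update interval
        else:
            since = self.last_query         # incremental: who logged on since our last query?
        for e in edirectory_search(directory, since):
            if e.get("networkAddress"):     # users without NetworkAddress cannot be matched
                self.entries[decode_network_address(e["networkAddress"])] = e["dn"]
        self.last_query = wg_now

    def lookup(self, ip):
        return self.entries.get(ip)


def simulate(wg_clock_offset, ttl=1800, interval=15):
    """eDirectory time is the reference; WG's clock runs wg_clock_offset seconds ahead of it.
    Returns (user resolved before cache expiry, user resolved after cache expiry)."""
    t0 = 1596297610  # Sat, 01 Aug 2020 16:00:10 UTC on the eDirectory clock (constructed)
    directory = [
        {"dn": "cn=admin,ou=users,o=reno", "objectClass": "user",
         "loginTime": generalized_time(t0 - 600), "networkAddress": "0A0A4507"},
        {"dn": "cn=noaddr,ou=users,o=reno", "objectClass": "user",
         "loginTime": generalized_time(t0 - 300)},           # NetworkAddress not populated
    ]
    cache = LogonCache(ttl, interval)
    cache.refresh(directory, t0 + wg_clock_offset)           # initial build, since epoch
    # a second user logs on 20 s later (eDirectory time)
    directory.append({"dn": "cn=sgoers,ou=users,o=reno", "objectClass": "user",
                      "loginTime": generalized_time(t0 + 20), "networkAddress": "0A0A4508"})
    cache.refresh(directory, t0 + 30 + wg_clock_offset)      # incremental query
    before = cache.lookup("10.10.69.8") is not None
    cache.refresh(directory, t0 + ttl + 1 + wg_clock_offset)  # TTL elapsed: full rebuild
    after = cache.lookup("10.10.69.8") is not None
    return before, after


if __name__ == "__main__":
    print("clocks in sync:", simulate(0))       # (True, True)
    print("WG 60 s ahead:", simulate(60))       # (False, True): logon hidden until expiry
```

With the clocks in sync the second user is resolved by the first incremental query; with WG one minute ahead, the incremental query's %u lies in eDirectory's future and the user stays unknown (an 'Authentication Required' block) until the TTL elapses and the full query since epoch runs again.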
- NetworkAddress not populated causing 'Authentication Required' block message: If the NetworkAddress attribute isn't populated, WG has no way of determining who the user is; hence the message.
Troubleshooting
- eDirectory Management tool: The following screenshots are taken from Novell's iManager management interface. When troubleshooting any problems with eDirectory, always verify first whether the NetworkAddress and loginTime attributes are populated. If these attributes aren't populated, it's an eDirectory issue, not a WG issue.

- LDAP browser: Below is example output using an LDAP browser highlighting the groupMembership and NetworkAddress attributes for the user cn=Admin.
- Packet tracing (tcpdump or Wireshark): Below is an example packet capture taken when WG requests all users currently logged in since epoch time. The filter it applies is (&(ObjectClass=user)(loginTime>=%u)), where %u is the time from which WG asks the LDAP server who has logged on. It also requests two attributes, NetworkAddress and loginTime.

Below is an example response to the request above. There are two results (cn=sgoers and cn=Admin); only one returns a NetworkAddress attribute (the 'Admin' user).

- (Optional) Retrieving multiple attributes and use of concatenation: Below is an example of retrieving multiple attributes and how the result can be used. In the example, we retrieve the attributes ou and groupMembership. They're stored in the 'Authentication.Attributes' property in the reverse order in which they're retrieved, so Authentication.Attributes = attribute[2]|attribute[1], with the concatenation string being the pipe '|'.
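The following added example builds and parses an Authentication.Attributes value the way this item and the 'Attributes concatenation string' setting describe it. It is constructed example code, not Web Gateway code; it assumes that attributes are joined in reverse retrieval order with the configured separator and that a multi-valued attribute such as groupMembership is rendered as comma-separated values, as the blockpage example 'Attributes: Dealers, admingroup' on this page suggests. The attribute names and group values are taken from the page.

```python
"""Authentication.Attributes concatenation and parsing (constructed example)."""
SEPARATOR = "|"          # the 'Attributes concatenation string' setting
MULTI_VALUE_JOIN = ", "  # assumed rendering of a multi-valued attribute


def concatenate_attributes(retrieved, order, sep=SEPARATOR):
    """Build Authentication.Attributes from {name: [values]}; the attribute retrieved
    first ends up last, matching [groupMembership]|[ou] for order ['ou', 'groupMembership']."""
    parts = []
    for name in reversed(order):
        values = retrieved.get(name, [])
        for value in values:
            if sep in value:  # a separator inside a value would make the field split ambiguous
                raise ValueError(f"separator {sep!r} occurs inside {name} value {value!r}")
        parts.append(MULTI_VALUE_JOIN.join(values))
    return sep.join(parts)


def split_attributes(concatenated, order, sep=SEPARATOR):
    """Inverse mapping for use in a rule or blockpage: returns {name: [values]}."""
    fields = concatenated.split(sep)
    if len(fields) != len(order):
        raise ValueError("field count does not match the number of retrieved attributes")
    return {name: [v for v in field.split(MULTI_VALUE_JOIN) if v]
            for name, field in zip(reversed(order), fields)}


def has_group(concatenated, order, group):
    """Membership check on the parsed groupMembership field."""
    return group in split_attributes(concatenated, order).get("groupMembership", [])


if __name__ == "__main__":
    order = ["ou", "groupMembership"]                           # retrieval order 1, 2
    retrieved = {"ou": ["sales"], "groupMembership": ["Dealers", "admingroup"]}
    value = concatenate_attributes(retrieved, order)
    print(value)                                                # Dealers, admingroup|sales
    print(has_group(value, order, "admingroup"))                # True
```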