HTTP Proxy LDAP Authentication problem

[Guest]

[entourage]

I have ver. 2.2 installed and working...mostly.

I've setup LDAP Authentication and it appears to be working because I can select and enable my 'Internet Users' AD group.  If I set the Green interface to Transparent, it filters as it should.  It blocks pages, restricts browsers and scans sites...HOWEVER it doesn't care what group I'm in.  I don't need to be authenticated to the domain at all to get Internet access.

So I set the Green interface to Authentication Required and now any site I try to browse to I'm prompted for a username and password.  It doesn't matter how I put in the username/password I am never able to get to the site and finally, the message comes up saying "Sorry, you are not currently allowed to request: (website) from this cache until you have authenticated yourself.

BTW, I have a single NIC setup as this acts as ONLY a web filtering/caching proxy.

Any ideas or suggestions?

[npeterson]

If this is going to be a standalone proxy / filter, i wouldn't set this up as transparent. Setup the clients to go directly to the proxy, or use a wpad. It may be part of your problem as well.

[entourage]

Yeah, I didn't think I wanted it transparent since Authentication Required was an option, but it wasn't working with the authentication.  I just wanted to verify that filtering was working.

All of my clients are currently directed through an ISA server, so their proxy access is setup and working without a problem.  It's just that if I point their proxy to the EFW, it won't authenticate them and gives them the message in my previous post.  Should it even prompt them at all?

[npeterson]

Yea if your wanting to track where people go or setup special group access.

If you are using authentication to a Active directory domain, you should set the authentication type to Windows not ldap, i had some problems trying to do ldap too, and switched over to the Windows(active directory) authentication.

You will need to enter a username with the ability to add computers to the domain, after it creates an AD account, i dont believe it uses the account anymore.

Also enter the IP addresses for the PDC and BDC, or if you use their hostnames, you may need to add a host entry on the Network->edit hosts page. Hit Join domain. You can verify that its connected by going to group policies and selecting add group, your AD groups should be listed there.

Back on  the authentication page, set the Authentication realm prompt to your active directory domain name (ex company.com). otherwise your users will need to use company.com\user for their username.

[entourage]

Ok, closer.  I changed it to Windows Authentication and put in my Domain, PDC Hostname, BDC Hostname, username and password.  (My PDC and BDC are the same)  I added the host entry so I could type in my hostname.  Now when I click 'Join Domain' I get this message:

Error while connecting to PDC. Is the PDC listed in the custom nameserver list?

I then added my Server to the Custom nameserver under DNS.  Rebooted, and I still get this message.
I also notice that up at the top is a message saying

dnsmasq is stopped Starting dnsmasq: [FAILED]

Any ideas?

[entourage]

-Update-

After reading a bit and knowing what little of Linux I actually do know, I decided to make sure my hostnames were all CAPS.  Once I matched the case I was able to join the EFW to the Domain!  (Crazy case sensitive OS)
I set it to Authentication Required and had 'User-based access restrictions' checked.  I put my username in and I can now browse successfully through the proxy.

I was also then able to add my 'SBS Internet Users' group!

Thanks for the help!!

[davvidde]

If you change back to LDAP authentication and try to set the groups listed in "group policy" to "unrestricted" instead of "default policy" does the authentication works? (and of course the content filter is BYPAS SED?)
I have a similar problem and the LDAP authentication works for me only in this mode but I cannot filter HTTP traffic.

[davvidde]

Nobody has resolved this problem?

[entourage]

I basically gave up on LDAP.  I've read that by design, it constantly requires the use of username/password even though you are already authenticated. 

[davvidde]

That sounds strange for me: with 2.2rc3 I need to authenticate only the first time when I open the browser (Firefox 3 or IE 6), and that credentials are in place until the end of the session.
What log file I need to set up and look to debug the problem with the 2.2 final?