LDAP/AD Authentication |
LDAP/AD authentication is available for Dr.Web Servers running all supported OS. User access to Dr.Web Server is configured through the corresponding Active Directory attributes in the Control Center. Direct access to the domain controller and the Active Directory snap-in is not required, as no additional Active Directory configuration is performed. You can configure authentication using the LDAP protocol on any LDAP server. You can also use this mechanism to configure Dr.Web Server running a Unix-like OS for authentication in Active Directory on a domain controller.

To configure and enable LDAP/AD authentication

1. Select Administration in the main menu of the Control Center, then select Authentication in the control menu → LDAP/AD authentication.
2. Set the Use LDAP/AD authentication flag.
3. If necessary, set the Allow only HTTPS connections flag to forbid connecting to Dr.Web Server using LDAP/AD authentication over an insecure HTTP connection.
4. Specify the parameters of LDAP/AD authentication.
Simplified settings:

• Select the Server type: LDAP or Microsoft Active Directory.
• Configure the LDAP server connection settings:
  ▫ Connection security—encryption method for transferred data: STARTTLS, SSL/TLS, or no encryption.
  ▫ Server address—LDAP server address. If the field is empty, the domain controller address is used for Dr.Web Server running Windows; the address 127.0.0.1 is used for Dr.Web Server running a Unix-like OS.
  ▫ File of the root certificate (only for Dr.Web Server running a Unix-like OS)—root certificate file of the LDAP server, which is needed for validating the LDAP server during encrypted data transfer.
• Specify the templates that usernames have to match:
  ▫ Account mask—user account mask specified using DOS-like wildcard characters * and #. * replaces a sequence of any characters except . , = @ \ and spaces; # replaces any character sequence. For example: *\* if the user account is specified in the <domain>\<user> format.
  ▫ Login—specific value or position of the * or # substitution in the mask (the position is specified as \<position_number>). For example: \2 if the user account is specified in the <domain>\<user> format (the second * in the mask is substituted with the username).
• Specify the membership requirements for users. To do this, in the Name field, enter the name of the Active Directory group that the user must be a member of.
Advanced settings:

• Configure the LDAP server connection settings:
  ▫ Connection security—encryption method for transferred data: STARTTLS, SSL/TLS, or no encryption.
  ▫ LDAP server—LDAP server address. If the field is empty, the domain controller address is used for Dr.Web Server running Windows; the address 127.0.0.1 is used for Dr.Web Server running a Unix-like OS.
  ▫ Search scope—search scope in the LDAP directory: base DN only, direct descendants of the base DN, or the whole sub-tree below the base DN (default value).
  ▫ Base DN—root object in the directory relative to which the data search is performed.
  ▫ File of the root certificate (only for Dr.Web Server running a Unix-like OS)—root certificate file of the LDAP server, which is needed for validating the LDAP server during encrypted data transfer.
• Specify the LDAP search settings:
  ▫ Variable name—variable for storing search result data. Must begin with a letter and contain only letters and numbers. Can be used in the String added to a filter fields in the subsections below (specified as \<variable> in the LDAP search filter subsection).
  ▫ Base DN—root object in the directory relative to which the data search is performed. If no value is specified, the value from the Base DN field in the Connection settings subsection is used.
  ▫ Search scope—search scope in the LDAP directory: base DN only, direct descendants of the base DN, or the whole sub-tree below the base DN (default value).
  ▫ Search filter—LDAP search filter in the format specified in RFC 4515, defining the variable value.
  ▫ Attribute name—name of the attribute to search for.
  Example:
  ▫ Variable name: admingrp1
  ▫ Base DN: not specified (the Base DN from the connection settings is used)
  ▫ Search scope: whole sub-tree below the base DN
  ▫ Search filter: &(objectClass=group)(cn=ESuite Admin)
  ▫ Attribute name: dn

  A search for a dn attribute will be performed within the whole sub-tree below the base DN with the &(objectClass=group)(cn=ESuite Admin) filter (group with the name ESuite Admin); the search result will be the value of the admingrp1 variable.

  If a search returns several found objects, only the first one is used.

• Specify the templates that usernames have to match. The templates may use either DOS-like wildcards or regular expressions:
  ▫ Account mask—user account mask. In the User name templates subsection the mask is specified using DOS-like wildcard characters * and #, where * replaces a sequence of any characters except . , = @ \ and spaces; # replaces any character sequence. In the User name templates using regular expressions subsection the mask is specified using regular expressions.
  ▫ String added to a filter—search conditions for data defined by the mask.

  Example:
  ▫ Account mask: *@# (using DOS-like wildcard characters) or ^(.*)@([^.,=@\s\\]+)$ (an equivalent using regular expressions)
  ▫ String added to a filter: UID=\1

  A search will be performed with a filter by the user unique identifier (UID) corresponding to the username specified before the @ character (according to the mask).

• Specify the LDAP search filter parameters. To do this, in the String added to a filter field, set the search conditions for an LDAP object (user) matching the specified attribute values. You can use variables defined above in the string, specified as \<variable>.

  Example:
  ▫ String added to a filter: &(objectClass=user)(memberOf=\admingrp1)

  A search will be performed with the filter &(objectClass=user)(memberOf=\admingrp1), which corresponds to a user who is a member of the group defined in the admingrp1 variable above.
A search is successful if a single object with the specified parameters is found.

5. Click Save.
6. Restart Dr.Web Server to apply changes.

You can also use the auth-ldap-rfc4515.conf configuration file located in the etc folder of Dr.Web Server to configure the parameters of LDAP/AD authentication. The configuration file contains a number of additional parameters unavailable for editing in the Control Center. A few configuration files with sample settings are also provided:

• auth-ldap-rfc4515-check-group.conf—template configuration file for simple external authorization of administrators via LDAP with Active Directory group membership verification.
• auth-ldap-rfc4515-check-group-novar.conf—template configuration file for simple external authorization of administrators via LDAP with Active Directory group membership verification using variables.
• auth-ldap-rfc4515-simple-login.conf—template configuration file for simple external authorization of administrators via LDAP.

A description of the configuration file is provided in the Appendices, section B3. LDAP/AD Authentication.
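The following is an added example, not code from the Dr.Web documentation or product: it shows how the Account mask, the \N login positions and the \<variable> references from step 4 combine into one search filter. It follows the prose definition of the wildcards (* excludes . , = @ \ and spaces; # matches any sequence) and, as an assumption about good practice rather than a description of what Dr.Web Server does internally, applies RFC 4515 escaping to every substituted value; the group DN and account names are constructed samples.

```python
import re

# DOS-like wildcards of the Account mask, per the prose definition on the page:
# '*' is any run of characters except . , = @ \ and whitespace; '#' is any sequence.
WILDCARDS = {"*": r"([^.,=@\s\\]*)", "#": r"(.*)"}

def mask_to_regex(mask):
    """Turn a mask such as '*\\*' or '*@#' into an anchored regex; each wildcard
    becomes one capture group, so '\\2' in a template means the 2nd wildcard."""
    parts = [WILDCARDS.get(ch) or re.escape(ch) for ch in mask]
    return re.compile("^" + "".join(parts) + "$")

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter, so that
    characters typed into the username cannot change the filter's structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def build_filter(mask, account, template, variables=None):
    """Match account against mask, then expand the 'String added to a filter'
    template: \\N is the N-th wildcard capture, \\name is a variable filled by
    an earlier LDAP search (e.g. admingrp1). Returns None on no match."""
    m = mask_to_regex(mask).match(account)
    if m is None:
        return None
    variables = variables or {}

    def expand(match):
        name = match.group(1)
        if name.isdigit():
            return escape_filter_value(m.group(int(name)))
        return escape_filter_value(variables[name])  # KeyError if undefined

    return re.sub(r"\\(\d+|[A-Za-z][A-Za-z0-9]*)", expand, template)

if __name__ == "__main__":
    # Constructed sample values; group_dn stands in for the admingrp1 search result.
    group_dn = "CN=ESuite Admin,OU=Groups,DC=example,DC=com"
    print(build_filter(r"*@#", "alice@corp.example", r"UID=\1"))
    print(build_filter(r"*\*", r"CORP\alice", r"UID=\2"))
    print(build_filter(r"*@#", "alice@corp.example",
                       r"&(objectClass=user)(memberOf=\admingrp1)",
                       {"admingrp1": group_dn}))
    # A lone '*' as the username would otherwise turn UID=\1 into a wildcard
    # search that matches any user; escaping keeps it a literal asterisk.
    print(build_filter(r"*@#", "*@corp.example", r"UID=\1"))
```

Note that the `*` wildcard already rejects `=`, so only the `#` wildcard (or a permissive regular-expression mask) can let filter syntax such as `)(objectClass=` through, which is the case the escaping covers.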
Configuration in the presence of a domain forest (root and child domains)

If authentication is required not only in the root Active Directory domain, but also in its child domains, the access group in the root domain must include users from all child domains. The type of this access group in Active Directory must be Universal. The Global Catalog option must be enabled in NTDS Settings for the root domain (if this option is enabled, port 3268 will be listened on). In the authentication settings in the Dr.Web Server Control Center, only the root domain and the Global Catalog port number (3268 by default) should be specified. In this case, the host attribute value in the configuration file will be the following: host='example.srv:3268'. To avoid having to enter the full name with the domain when authenticating an account from a child domain, configure the <bind dn/> tag. Its description is given in the Appendices, in B3. LDAP/AD Authentication.