Microsoft Active-Directory Authentication

About

Authenticating users before they are allowed to access the Internet is common practice in companies, public authorities and schools, so we want it to be easy to do. There are usually hundreds or thousands of users that need to be checked, and maintaining several separate databases of those users is ugly and error-prone. Therefore a crowdfunding effort brought two things together: the IPFire web proxy and the user database of a Windows Active Directory domain.

The benefits are easy to spot:

  • One database with all the users. No second copy that has to be maintained as well.
  • Secure cryptography helps to protect the users' data.
  • Easy to set up.
  • Seamless for the user, as it uses Single Sign-On with all modern operating systems.

Requirements

You will need a Microsoft Active Directory Server that is already configured and set up to work as an Active Directory Domain Controller. Please don't confuse this with the older NT4 domains.

The firewall must be able to resolve DNS entries for this domain. You can use DNS forwarding for that.

Tested environments

FIXME Please remove this note or add a line if you confirm that it works for some other version as well.

  • Windows 2008 R2 64bit
  • Windows 2012

Setup

The setup is done quickly and requires only two steps.

Step 1: Joining the domain

The first step is to let the IPFire firewall join the domain. This requires installing the samba add-on, which is the interface between IPFire, the web proxy and the Windows domain. Once the package is installed, you will be able to configure it in the web user interface.

Pre-configuration

Most of the configuration options can be left at their defaults. Windows Server, however, requires that the workgroup be set correctly. If your domain is, for example, COMPANY.COM, then the workgroup is just COMPANY.

Further down, in the Security Options section, you will need to select "ADS" as the security mode. After that, hit save and the samba service will restart with the right configuration.

Join

A new section will show up titled "Join a domain". Make sure that the domain name shown is the right one. If not, use the setup tool to correct it. If the domain name or the workgroup does not match, joining the domain will fail.

If everything is set up correctly, enter into the form the credentials of an administrator account that has sufficient permissions to add a new machine to the domain. Hit "Join domain" and after a few moments you will see a message that the join has been successful.
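The two settings that most often make the join fail are the ones described above: a workgroup that is not the first label of the domain name, and a security mode other than ADS. The following check is an added example written for this page, not IPFire's or Samba's own code; it assumes the settings end up in a Samba-style [global] section with the real smb.conf options workgroup, realm and security, and the sample configuration text and the domain COMPANY.COM are constructed for the example.

```python
import configparser
from typing import List

# Constructed sample of the [global] section Samba uses for an ADS join.
# The option names (workgroup, realm, security) are real smb.conf options;
# the values are made up for this example.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = COMPANY
    realm = COMPANY.COM
    security = ads
"""


def expected_workgroup(domain: str) -> str:
    """Derive the workgroup from a DNS domain name.

    Rule from the page: for the domain COMPANY.COM the workgroup is
    COMPANY, i.e. the first DNS label in upper case.
    """
    return domain.strip().strip(".").split(".")[0].upper()


def check_ads_config(smb_conf_text: str, domain: str) -> List[str]:
    """Return a list of problems that would make the domain join fail.

    An empty list means the [global] section is consistent with `domain`.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(smb_conf_text)
    if not parser.has_section("global"):
        return ["smb.conf has no [global] section"]
    g = parser["global"]

    workgroup = g.get("workgroup", "").strip()
    realm = g.get("realm", "").strip()
    security = g.get("security", "").strip().lower()

    problems = []
    # The realm must be the full DNS name of the domain being joined.
    if realm.upper() != domain.strip().strip(".").upper():
        problems.append(f"realm {realm!r} does not match domain {domain!r}")
    # The workgroup must be the first label of that domain.
    want = expected_workgroup(domain)
    if workgroup.upper() != want:
        problems.append(f"workgroup {workgroup!r} should be {want!r}")
    # Only security = ads lets Samba join an Active Directory domain.
    if security != "ads":
        problems.append(
            f"security is {(security or 'unset')!r}, must be 'ads' for an AD join"
        )
    return problems


if __name__ == "__main__":
    for problem in check_ads_config(SAMPLE_SMB_CONF, "COMPANY.COM") or ["ok"]:
        print(problem)
```

Run it against the text of the generated configuration and the domain you intend to join; any line it prints corresponds to one of the mismatches that the join dialog would otherwise report only as a generic failure.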

Step 2: Configure the proxy server

After samba has been set up and the domain has been joined, we are ready to set up the web proxy.

In the authentication section at the bottom of the page, select "Windows Active Directory" and configure the global authentication settings as usual. Hit "Save and Restart" and you are done.

Enable HTTP Basic authentication

You may allow your clients to use the HTTP Basic authentication protocol to authenticate against the proxy. Note that with Basic authentication the login credentials (i.e. username and password) are sent to the proxy in clear text, only base64-encoded, and can be intercepted by an attacker on the local network.
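To see why this matters, and to spot clients that fall back to Basic instead of using Single Sign-On, the following added example (not part of this page or of IPFire) inspects the Proxy-Authorization header of a captured proxy request. With Basic, the header carries the username and password themselves, merely base64-encoded; with Negotiate, which the Single Sign-On setup uses, it carries an opaque ticket and no password crosses the wire. Both sample requests and the credentials in them are constructed for the example.

```python
import base64
import binascii
from typing import Dict, Optional

# Constructed sample of a request from a client using HTTP Basic authentication
# against the proxy. Username and password are made up for this example.
SAMPLE_BASIC_REQUEST = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Proxy-Authorization: Basic "
    + base64.b64encode(b"alice:Summer2024!").decode("ascii")
    + "\r\n\r\n"
)

# Constructed sample of a Single Sign-On client: the Negotiate token is an
# opaque blob (here a made-up placeholder), not a reusable password.
SAMPLE_NEGOTIATE_REQUEST = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Proxy-Authorization: Negotiate "
    + base64.b64encode(b"constructed-opaque-kerberos-token").decode("ascii")
    + "\r\n\r\n"
)


def audit_proxy_auth(raw_request: str) -> Dict[str, Optional[object]]:
    """Classify the Proxy-Authorization header of one HTTP request.

    Returns the scheme in use, the username if it is visible on the wire,
    and whether the password itself was transmitted. The password is never
    returned, so the result is safe to write to a log.
    """
    result: Dict[str, Optional[object]] = {
        "scheme": None, "user": None, "password_on_wire": False
    }
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, credentials = value.strip().partition(" ")
        result["scheme"] = scheme
        if scheme.lower() != "basic":
            return result                         # Negotiate/NTLM: no clear-text password
        try:
            decoded = base64.b64decode(credentials.strip(), validate=True)
            text = decoded.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return result                         # malformed Basic credentials
        # RFC 7617: user-id may not contain ':', so split at the first one.
        user, colon, password = text.partition(":")
        result["user"] = user
        result["password_on_wire"] = bool(colon) and len(password) > 0
        return result
    return result


if __name__ == "__main__":
    for req in (SAMPLE_BASIC_REQUEST, SAMPLE_NEGOTIATE_REQUEST):
        print(audit_proxy_auth(req))
```

Running the same check over requests captured on the proxy's LAN interface shows which accounts authenticate with Basic and therefore expose their password to anyone able to read that traffic; those clients are the ones to move to Single Sign-On before Basic authentication is disabled.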

Require group membership

If your users must be members of a certain group in order to authenticate successfully against the web proxy, type the name of that group into the form.

Last edited June 8 at 2:37 am by Jon