Authenticating users before they are allowed to access the Internet is widely used in companies, authorities and schools, so it should be easy to set up. There are usually hundreds or thousands of users that need to be checked, and maintaining multiple databases with those users is ugly and hard to do. A crowdfunding effort therefore brought two things together: the IPFire web proxy and the user database of Windows Active Directory domains.
The benefits are easy to spot:
You will need a Microsoft Active Directory Server that is already configured and set up to work as an Active Directory Domain Controller. Please don't confuse this with the older NT4 domains.
It is required that the firewall is able to resolve DNS entries for this domain. You can use DNS Forwarding for that.
The setup is quick and requires only two steps.
The first step is to let the IPFire firewall join the domain. This requires installing the samba add-on, which is the interface between IPFire, the web proxy and the Windows Domain. Once the package is installed, you will be able to configure it on the web user interface.
Most of the configuration options can be left at the default. Windows Server, however, requires that the workgroup is set correctly. If your domain is, for example, COMPANY.COM, then the workgroup is just COMPANY.
Further down, in the Security Options section, you will need to select "ADS" for security. After that, please hit save and the samba service will restart with the right configuration.
A new section will show up titled "Join a domain". Make sure that the domain name is the right one. If not, please use the setup tool to set it to the right one. If the domain name or the workgroup does not match, joining the domain will fail.
If everything is set up correctly, enter into the form valid credentials of an administrator that has sufficient permissions to add a new machine to the domain. Hit "Join domain" and after a few moments you will see a message that the join has been successful.
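A pre-join consistency check for the two settings that make the join fail, as an added example that is not part of IPFire: it applies this page's rule (workgroup is the first label of the domain name) and checks for ADS security, using the standard Samba `workgroup` and `security` parameters. It assumes the settings end up in an smb.conf-style file whose path you pass in; the sample file below is constructed.

```shell
#!/bin/sh
# Added example: check Samba settings before attempting "Join domain".

# Print the value of one "key = value" parameter from an smb.conf-style file.
# Keys match case-insensitively; comment lines (# or ;) are skipped.
smb_param() {
    # $1 = file, $2 = parameter name
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Workgroup per the rule on this page: first label of the domain, upper-cased.
expected_workgroup() {
    printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# Return 0 if the file is consistent for joining domain $2, 1 otherwise.
check_join_config() {
    conf=$1; domain=$2; rc=0
    sec=$(smb_param "$conf" security | tr '[:lower:]' '[:upper:]')
    wg=$(smb_param "$conf" workgroup | tr '[:lower:]' '[:upper:]')
    want=$(expected_workgroup "$domain")
    [ "$sec" = "ADS" ] || { echo "security is '$sec', expected ADS"; rc=1; }
    [ "$wg" = "$want" ] || { echo "workgroup is '$wg', expected $want"; rc=1; }
    return $rc
}

# Constructed sample standing in for the generated Samba configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
# values as described on this page for the domain COMPANY.COM
workgroup = COMPANY
security = ADS
EOF
check_join_config "$sample" company.com && echo "ok: settings are consistent for company.com"
```

The check only covers the workgroup and security settings; DNS resolution of the domain from the firewall still has to work for the join to succeed.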
After samba has been set up and the domain has been joined, we are ready to set up the web proxy.
In the authentication section at the bottom of the page select "Windows Active Directory" and configure the global authentication settings as usual. Hit "Save and Restart" and you are done.
You may allow your clients to use the HTTP Basic authentication protocol to authenticate against the proxy. Note that the login credentials (i.e. username and password) are sent in clear text to the proxy and can be intercepted by an attacker on the local network.
If you need your users to be a member of a certain group in order to successfully authenticate against the web proxy, you can type the name of that group into the form.