Revision: 6160
http://ipcop.svn.sourceforge.net/ipcop/?rev=6160&view=rev
Author: eoberlander
Date: 2011-12-11 13:04:58 +0000 (Sun, 11 Dec 2011)
Log Message:
-----------
Add Marco's text and screenshots for proxy LDAP authentication section.
Modified Paths:
--------------
IPCopDoc/trunk/en/admin/xml/proxy.xml
Added Paths:
-----------
IPCopDoc/trunk/en/admin/images/proxy-ldap-all.png
IPCopDoc/trunk/en/admin/images/proxy-ldap-bind.png
IPCopDoc/trunk/en/admin/images/proxy-ldap-common.png
IPCopDoc/trunk/en/admin/images/proxy-ldap-group.png
Added: IPCopDoc/trunk/en/admin/images/proxy-ldap-all.png
===================================================================
(Binary files differ)
Property changes on: IPCopDoc/trunk/en/admin/images/proxy-ldap-all.png
___________________________________________________________________
Added: svn:mime-type
+ application/octet-stream
Added: IPCopDoc/trunk/en/admin/images/proxy-ldap-bind.png
===================================================================
(Binary files differ)
Property changes on: IPCopDoc/trunk/en/admin/images/proxy-ldap-bind.png
___________________________________________________________________
Added: svn:mime-type
+ application/octet-stream
Added: IPCopDoc/trunk/en/admin/images/proxy-ldap-common.png
===================================================================
(Binary files differ)
Property changes on: IPCopDoc/trunk/en/admin/images/proxy-ldap-common.png
___________________________________________________________________
Added: svn:mime-type
+ application/octet-stream
Added: IPCopDoc/trunk/en/admin/images/proxy-ldap-group.png
===================================================================
(Binary files differ)
Property changes on: IPCopDoc/trunk/en/admin/images/proxy-ldap-group.png
___________________________________________________________________
Added: svn:mime-type
+ application/octet-stream
Modified: IPCopDoc/trunk/en/admin/xml/proxy.xml
===================================================================
--- IPCopDoc/trunk/en/admin/xml/proxy.xml 2011-12-10 19:32:21 UTC (rev
6159)
+++ IPCopDoc/trunk/en/admin/xml/proxy.xml 2011-12-11 13:04:58 UTC (rev
6160)
@@ -63,9 +63,391 @@
<sect2 id="proxy-auth-ldap">
<title>LDAP Authentication</title>
- <para>
- Content to be written...
- </para>
+ <para>
+ This authentication method is the preferred solution for medium
and
+ large network environments. Users will have to authenticate when
+ accessing web sites by entering a valid username and password.
+ The credentials are verified against an external Server using the
+ Lightweight Directory Access Protocol (LDAP).
+ </para>
+ <para>
+ LDAP authentication will be useful if you have already a directory
+ service in your network and don't want to maintain additional
user
+ accounts and passwords for web access.
+ </para>
+ <para>
+ The Advanced Proxy works with these types of LDAP Servers:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Active Directory (Windows 2000, 2003 and 2008 Server)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Novell eDirectory (NetWare 5.x and NetWare 6)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ LDAP Version 2 and 3 (OpenLDAP)
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ As an option, membership for a certain group can be required.
+ </para>
+ <note>
+ <para>
+ The protocol LDAPS (Secure LDAP) is not supported by the
+ Advanced Proxy.
+ </para>
+ </note>
+ <para>
+ <mediaobject>
+ <imageobject role="fo">
+ <imagedata fileref="&imagepath;proxy-ldap-all.&imageext;"
+ format="PNG"
+ contentwidth="14cm"/>
+ </imageobject>
+ <imageobject role="html">
+ <imagedata fileref="&imagepath;proxy-ldap-all.&imageext;"
format="PNG" align="center"/>
+ </imageobject>
+ <textobject>
+ <phrase>LDAP Authentication</phrase>
+ </textobject>
+ </mediaobject>
+ </para>
+ <para>
+ If you are unsure about your internal directory structure,
+ you can examine your LDAP server using the command line based
+ <emphasis>ldapsearch</emphasis> tool.
+ </para>
+ <para>
+ Windows clients can use the free and easy to use Softerra LDAP
+ browser for this:
+ <ulink
url="http://www.ldapbrowser.com">http://www.ldapbrowser.com</ulink>
+ </para>
+
+ <sect3 id="proxy-auth-ldap-global">
+ <title>Global authentication settings</title>
+ <para>
+ <mediaobject>
+ <imageobject role="fo">
+ <imagedata
fileref="&imagepath;proxy-global-settings.&imageext;"
+ format="PNG"
+ contentwidth="14cm"/>
+ </imageobject>
+ <imageobject role="html">
+ <imagedata
fileref="&imagepath;proxy-global-settings.&imageext;" format="PNG"
align="center"/>
+ </imageobject>
+ <textobject>
+ <phrase>Global authentication settings section</phrase>
+ </textobject>
+ </mediaobject>
+ </para>
+ <formalpara>
+ <title><guilabel>Number of authentication
processes</guilabel></title>
+ <para>
+ The number of background processes listening for requests.
+ The default value is 5 and should be increased if
authentication
+ takes too long or Windows integrated authentication falls back
+ to explicit authentication.
+ </para>
+ </formalpara>
+ <formalpara>
+ <title><guilabel>Authentication cache TTL</guilabel></title>
+ <para>
+ Duration in minutes how long credentials will be cached for
+ each single session.
+ If this time expires, the user has to re-enter the credentials
+ for this session.
+ The default is set to 60 minutes, the minimum will be 1 minute.
+ The TTL will always be reset when the user sends a new request
+ to the Proxy Server within a session.
+ </para>
+ </formalpara>
+ <note>
+ <para>
+ If the user opens a new session, the credentials must always
+ be entered, even if the TTL has not expired for another
session.
+ </para>
+ </note>
+ <formalpara>
+ <title><guilabel>Limit of IP addresses per user</guilabel>
(optional)</title>
+ <para>
+ Number of source IP addresses a user can be logged in at one
+ time.
+ The IP address will be released after the time defined at
+ <emphasis>User/IP cache TTL</emphasis>.
+ </para>
+ </formalpara>
+ <note>
+ <para>
+ This takes no effect if running Local authentication and the
+ user is a member of the <quote>Extended</quote> group.
+ </para>
+ </note>
+ <formalpara>
+ <title><guilabel>User/IP cache TTL</guilabel></title>
+ <para>
+ Duration in minutes, how long relations between each user name
+ and the used IP address will be cached.
+ The default value is 0 (disabled).
+ </para>
+ </formalpara>
+ <para>
+ A value greater than 0 is only reasonable while using a limit for
+ concurrent IP addresses per user.
+ </para>
+ <formalpara>
+ <title><guilabel>Require authentication for unrestricted source
addresses</guilabel></title>
+ <para>
+ By default authentication is required even for unrestricted IP
+ addresses.
+ If you don't want to require authentication for these
+ addresses, untick this box.
+ </para>
+ </formalpara>
+ <formalpara>
+ <title><guilabel>Authentication realm prompt</guilabel></title>
+ <para>
+ This text will be shown in the authentication dialog.
+ The default is <quote>IPCop Advanced Proxy Server</quote>.
+ </para>
+ </formalpara>
+ <formalpara>
+ <title><guilabel>Destinations without
authentication</guilabel></title>
+ <para>
+ This allows you to define a list of destinations that can be
+ accessed without authentication.
+ </para>
+ </formalpara>
+ <note>
+ <para>
+ Any domains listed here are destination DNS domains and not
+ source Windows NT domains.
+ </para>
+ </note>
+ <para>
+ Examples:
+ </para>
+ <para>
+ Entire domains and subdomains
+ </para>
+ <screen><computeroutput>*.example.net
+*.google.com</computeroutput></screen>
+ <para>
+ Single hosts
+ </para>
+ <screen><computeroutput>www.example.net
+www.google.com</computeroutput></screen>
+ <para>
+ IP addresses
+ </para>
+ <screen><computeroutput>81.169.145.75
+74.125.39.103</computeroutput></screen>
+ <para>
+ URLs
+ </para>
+ <screen><computeroutput>www.example.net/download
+www.google.com/images</computeroutput></screen>
+ <note>
+ <para>
+ You can enter all of these destination types in any order.
+ </para>
+ </note>
+ <para>
+ Example for Windows Update.
+ </para>
+ <para>
+ To allow access to Windows Update without authentication add these
+ destinations to the list:
+ </para>
+ <screen><computeroutput>*.download.microsoft.com
+*.windowsupdate.com
+windowsupdate.microsoft.com</computeroutput></screen>
+ </sect3>
+
+ <sect3 id="proxy-auth-ldap-common">
+ <title>Common LDAP settings</title>
+ <para>
+ <mediaobject>
+ <imageobject role="fo">
+ <imagedata fileref="&imagepath;proxy-ldap-common.&imageext;"
+ format="PNG"
+ contentwidth="14cm"/>
+ </imageobject>
+ <imageobject role="html">
+ <imagedata fileref="&imagepath;proxy-ldap-common.&imageext;"
format="PNG" align="center"/>
+ </imageobject>
+ <textobject>
+ <phrase>Common LDAP settings section</phrase>
+ </textobject>
+ </mediaobject>
+ </para>
+ <formalpara>
+ <title><guilabel>Base DN</guilabel></title>
+ <para>
+ This is base where to start the LDAP search.
+ All subsequent Organizational Units (OUs) will be included.
+ </para>
+ </formalpara>
+ <para>
+ Refer to your LDAP documentation for the required format of the
+ base DN.
+ </para>
+ <para>
+ Example Base DN for Active Directory:
+ </para>
+
<screen><computeroutput>cn=users,dc=ads,dc=local</computeroutput></screen>
+ <para>
+ This will search for users in the group <emphasis>users</emphasis>
+ in the domain <emphasis>ads.local</emphasis>
+ </para>
+ <para>
+ Example Base DN for eDirectory:
+ </para>
+ <screen><computeroutput>ou=users,o=acme</computeroutput></screen>
+ <para>
+ This will search for users in the Organizational Unit
+ <emphasis>users</emphasis> (and below) in the Organization
+ <emphasis>acme</emphasis>
+ </para>
+ <note>
+ <para>
+ If the Base DN contains spaces, you must <quote>escape</quote>
+ these spaces using a backslash.
+ </para>
+ </note>
+ <para>
+ Example for a Base DN containing spaces:
+ </para>
+ <screen><computeroutput>cn=internet\
users,dc=ads,dc=local</computeroutput></screen>
+ <formalpara>
+ <title><guilabel>LDAP type</guilabel></title>
+ <para>
+ You can select between different types of LDAP implementations:
+ </para>
+ </formalpara>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Active Directory (ADS)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Novell eDirectory (NDS)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ LDAP v2 and v3
+ </para>
+ </listitem>
+ </itemizedlist>
+ <formalpara>
+ <title><guilabel>LDAP Server</guilabel></title>
+ <para>
+ Enter the IP address of your LDAP Server.
+ </para>
+ </formalpara>
+ <formalpara>
+ <title><guilabel>Port</guilabel></title>
+ <para>
+ Enter the port your LDAP Server is listening to LDAP requests.
+ The default is 389.
+ </para>
+ </formalpara>
+ <note>
+ <para>
+ The protocol LDAPS (Secure LDAP, port 636) is not supported by
+ the Advanced Proxy.
+ </para>
+ </note>
+ </sect3>
+
+ <sect3 id="proxy-auth-ldap-bind">
+ <title>Bind DN settings</title>
+ <para>
+ <mediaobject>
+ <imageobject role="fo">
+ <imagedata fileref="&imagepath;proxy-ldap-bind.&imageext;"
+ format="PNG"
+ contentwidth="14cm"/>
+ </imageobject>
+ <imageobject role="html">
+ <imagedata fileref="&imagepath;proxy-ldap-bind.&imageext;"
format="PNG" align="center"/>
+ </imageobject>
+ <textobject>
+ <phrase>Bind DN settings section</phrase>
+ </textobject>
+ </mediaobject>
+ </para>
+ <formalpara>
+ <title><guilabel>Bind DN username</guilabel></title>
+ <para>
+ Enter the full distinguished name for a Bind DN user.
+ </para>
+ </formalpara>
+ <note>
+ <para>
+ A Bind DN user is required for Active Directory and
eDirectory.
+ </para>
+ <para>
+ The Bind DN user must be allowed to browse the directory and
+ read all user attributes.
+ </para>
+ <para>
+ If the Bind DN username contains spaces, you must
+ <quote>escape</quote> these spaces using a backslash.
+ </para>
+ </note>
+ <formalpara>
+ <title><guilabel>Bind DN password</guilabel></title>
+ <para>
+ Enter the password for the Bind DN user.
+ </para>
+ </formalpara>
+ </sect3>
+
+ <sect3 id="proxy-auth-ldap-group">
+ <title>Group based access control</title>
+ <para>
+ <mediaobject>
+ <imageobject role="fo">
+ <imagedata fileref="&imagepath;proxy-ldap-group.&imageext;"
+ format="PNG"
+ contentwidth="14cm"/>
+ </imageobject>
+ <imageobject role="html">
+ <imagedata fileref="&imagepath;proxy-ldap-group.&imageext;"
format="PNG" align="center"/>
+ </imageobject>
+ <textobject>
+ <phrase>Group based access control section</phrase>
+ </textobject>
+ </mediaobject>
+ </para>
+ <formalpara>
+ <title><guilabel>Required group</guilabel> (optional)</title>
+ <para>
+ Enter the full distinguished name of a group for
+ authorized Internet users.
+ </para>
+ </formalpara>
+ <para>
+ In addition to a correct authentication, a membership within this
+ group will be required for web access.
+ </para>
+ <note>
+ <para>
+ If the group name contains spaces, you must
+ <quote>escape</quote> these spaces using a backslash.
+ </para>
+ </note>
+ </sect3>
</sect2>
<sect2 id="proxy-auth-windows">
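Review bot: the new text states twice (the note after the server list and again under "Port") that LDAPS is not supported, but never spells out the consequence: with only plain LDAP on port 389 available, the Bind DN password configured under "Bind DN settings" and every user's password that the proxy verifies are sent to the LDAP server unencrypted, so the section should add a warning that the LDAP server must be reachable only over a trusted network segment (or a tunnel) and that the Bind DN account should be a dedicated account created for the proxy rather than an administrator, because its password has to be stored in the proxy configuration. The sentence "The Bind DN user must be allowed to browse the directory and read all user attributes" asks for more than the lookup needs; read access to the Base DN subtree and to the group named under "Required group" is sufficient, and the doc should say so. Separately, the Active Directory example `cn=users,dc=ads,dc=local` is explained as searching "in the group users", but in AD `CN=Users` is the default container, not a group; write "in the Users container" so readers do not confuse it with the "Required group" field, which expects a group DN. Minor: "This is base where to start the LDAP search" is missing "the", and the "Global authentication settings" subsection describes settings shared by all authentication methods (its note even refers to Local authentication and the Extended group), so it reads better at the sect2 level than nested under LDAP.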
_______________________________________________
Ipcop-svn mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ipcop-svn