Hi Everybody!
Has anyone got a CachePilot to authenticate against an LDAP/Active Directory server?
I've followed Equiinet's instructions but it doesn't want to work
(http://www.cachepilot.com/eq-resourc...via%20LDAP.pdf)
Geoff
Yes. Try making the cachepilot LDAP user account a member of 'Domain Admins'. If that doesn't work straight away, try these instructions:
1. Create a group in AD called 'cache'.
2. Create a user in AD called 'cacheadmin' in the 'Users' container. This account needs to be a member of 'Domain Admins' and the 'Cache' group created earlier.
3. On the cachepilot LDAP configuration page, configure the settings as follows:
LDAP Server: IP address of DC.
User Directory: Base DN of AD Domain (e.g. DC=reephamhigh,DC=local)
User: cacheadmin, CN=Users
Password: password for cacheadmin
4. On the cachepilot 'User' page, add a user called 'cache' (the same as the AD group created earlier) and make the user a member of the cachepilot 'controlled' group.
5. On the cachepilot 'Web Access' page, change the radio button to 'Users'.
6. In Active Directory, user accounts need to be added to the 'cache' group to be able to authenticate and access the internet.
Issues:
UPN suffixes are not supported.
Users that have been renamed in the past cannot authenticate.
Users with spaces or other non-alphanumeric characters in their passwords cannot authenticate.
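The steps and the "Issues" list above (and the later point that the bind account must sit inside the Base DN) amount to a set of rules that decide whether a bind and a user lookup will succeed. The script below is an added example, not CachePilot or Equiinet code: it encodes those rules as a pre-flight check you can run against your own settings before touching the appliance. The DN values, the `DIRECTORY` dictionary standing in for LDAP search results, and the function names are all constructed for illustration.

```python
"""Pre-flight checks for pointing a web proxy at Active Directory over LDAP.
Added example; the config, the fake directory and the API are constructed."""
import re

# Split on commas that are not escaped with a backslash.
DN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs, most specific first,
    lower-cased so comparisons are case-insensitive as they are in AD."""
    pairs = []
    for rdn in DN_SPLIT.split(dn):
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError('malformed RDN %r in %r' % (rdn, dn))
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def same_dn(a, b):
    return parse_dn(a) == parse_dn(b)


def dn_is_under(child, base):
    """True when `child` lies inside the subtree rooted at `base`."""
    c, b = parse_dn(child), parse_dn(base)
    return len(c) > len(b) and c[-len(b):] == b


def domain_suffix(base_dn):
    """DC=reephamhigh,DC=local -> reephamhigh.local, the only UPN suffix
    the proxy understands according to the thread."""
    return '.'.join(v for a, v in parse_dn(base_dn) if a == 'dc')


def lookup(directory, dn):
    """Case-insensitive entry lookup; stands in for a base-scope LDAP search."""
    for entry_dn, attrs in directory.items():
        if same_dn(entry_dn, dn):
            return attrs
    return None


def check_bind_config(cfg, directory):
    """Return the list of problems with the proxy's LDAP settings;
    an empty list means the bind and the group lookup should work."""
    problems = []
    if not dn_is_under(cfg['bind_dn'], cfg['base_dn']):
        problems.append('bind account %s is outside user directory %s'
                        % (cfg['bind_dn'], cfg['base_dn']))
    if lookup(directory, cfg['bind_dn']) is None:
        problems.append('bind account %s not found' % cfg['bind_dn'])
    if not cfg['bind_password'].isalnum():
        problems.append('bind password contains spaces or non-alphanumeric characters')
    if lookup(directory, cfg['group_dn']) is None:
        problems.append('access group %s not found' % cfg['group_dn'])
    return problems


def user_can_authenticate(user_dn, cfg, directory):
    """Apply the thread's rules to one user: inside the Base DN, a member of
    the access group, and using the domain's own UPN suffix."""
    attrs = lookup(directory, user_dn)
    if attrs is None:
        return False, 'no such user'
    if not dn_is_under(user_dn, cfg['base_dn']):
        return False, 'user outside user directory'
    if not any(same_dn(g, cfg['group_dn']) for g in attrs.get('memberOf', [])):
        return False, 'not a member of %s' % cfg['group_dn']
    upn_suffix = attrs['userPrincipalName'].rsplit('@', 1)[1].lower()
    if upn_suffix != domain_suffix(cfg['base_dn']):
        return False, 'alternate UPN suffix %s is not supported' % upn_suffix
    return True, 'ok'


# Constructed sample settings and directory contents (not real accounts).
BASE_DN = 'DC=reephamhigh,DC=local'
GROUP_DN = 'CN=cache,CN=Users,' + BASE_DN
CONFIG = {
    'base_dn': BASE_DN,
    'bind_dn': 'CN=cacheadmin,CN=Users,' + BASE_DN,
    'bind_password': 'Correct1Horse',
    'group_dn': GROUP_DN,
}
DIRECTORY = {
    GROUP_DN: {'objectClass': ['group']},
    'CN=cacheadmin,CN=Users,' + BASE_DN: {
        'userPrincipalName': 'cacheadmin@reephamhigh.local',
        'memberOf': [GROUP_DN, 'CN=Domain Admins,CN=Users,' + BASE_DN]},
    'CN=alice,OU=Staff,' + BASE_DN: {
        'userPrincipalName': 'alice@reephamhigh.local', 'memberOf': [GROUP_DN]},
    'CN=bob,OU=Staff,' + BASE_DN: {
        'userPrincipalName': 'bob@reephamhigh.local', 'memberOf': []},
    'CN=carol,OU=Students,' + BASE_DN: {
        'userPrincipalName': 'carol@students.reephamhigh.sch.uk',
        'memberOf': [GROUP_DN]},
}

if __name__ == '__main__':
    print(check_bind_config(CONFIG, DIRECTORY))
    for dn in DIRECTORY:
        if 'userPrincipalName' in DIRECTORY[dn]:
            print(dn, user_can_authenticate(dn, CONFIG, DIRECTORY))
```

Against a live domain you would replace `lookup` with a real search (the bind account only needs read access to the user objects and group membership for that search to work, which is the point made by the reply below about Domain Users being sufficient); the shape of the checks stays the same.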
A normal user has enough rights to authenticate over ldap. The user I bind to ldap with is only a member of domain users, nothing more.
Does the system really need domain admin access? (Not that I use, or am likely to use it, just curious)
When I originally tried to set this up with a basic 'Domain User' account, it worked, but rather inconsistently. For example, users could be added to the 'cache' group, but wouldn't be able to authenticate for another 24-48 hours.
Adding the 'cacheadmin' account to the 'Domain Admins' group seems to solve all the quirky problems, although it's not the solution I would like.
Make sure the account you're using to bind LDAP is in the Base DN that you specify for the user directory. I've set a few of these up now & that always seems to be the problem people have.
I'm not bothering setting any more up though!
Filtering is a waste of time now kids know they can just stick a . on the end of the TLD and get straight past the filter, e.g. http://www.porn.com./
My CachePilot blocks TLDs with a . on the end (N2H2 query: Matches Blacklist. BLOCK)
And LDAP still isn't working... It just brings up a logon box that refuses everything :-(