User details from AD to Reports
Mark84
05-28-2007, 07:16 PM
I have got an untangle box run up in transparent mode.
It is configured in the way of Firewall/Router > Untangle Server > Network > PC's.
I have got the Active Directory Settings configured on the Untangle box as well as the AD Lookup server settings and also installed AD Lookup Server on the AD Server.
I can see the users if you go to remote access portal and select the users. But what I need to do is be able to get usernames in the reports instead of the IP Address. I need to be able to get the username for the web content filtering.
If someone can help us out it will be appreciated.
rasqual
05-29-2007, 08:55 AM
Hear, hear!
Not doing that quite yet myself, but agreed on the importance of this.
gotkimchi
05-29-2007, 10:43 AM
To replace IP addresses with user names
Without AD:
From Untangle Reports, click the Show Settings button.
Click the IP Address to User Map tab.
Click the plus (add) button to the left of the table. A new row appears in the table.
Specify the IP address and user name, and click the Save Settings button.
http://wiki.untangle.com/images/1/10/LoggingProcess.png
With AD: Please use our Wiki.
http://wiki.untangle.com/index.php/UserGuide:User_Directory#General_Requirements_for_Using_Active_Directory_with_Untangle_Server
rasqual
05-29-2007, 11:49 AM
Since I don't have AD on the network at the site I'm supporting with Untangle yet and thus haven't had playtime with this, I'll ask: Does Untangle only support user mappings?
The ability to map user groups to policies/racks/etc. would be darned handy -- nearly essential. Once user count goes beyond a given number, it's impractical to map individuals alone -- especially when best practice in a domain is to do security groups properly. Note: most vendors I've dealt with (for all kinds of directory-enabled services) screw up nestings. I'd strongly urge working with the tokengroups attribute for users -- though that would be ADSI work rather than strictly LDAP. But the results could be used with how you're using LDAP on the Untangle box. Just a thought. ;-)
Being able to report by group -- as well as by individual -- would also be handy.
That would imply some pretty robust LDAP work on the developers' part. If that's not in play yet, I'd encourage a "to do" list addition. ;-)
roberte66
05-29-2007, 05:51 PM
I appreciate the responses here but from what I can tell the question hasn't been answered.
Simply put, if all directions have been followed to the letter in order to link to active directory, does Untangle support this feature in transparent mode (no routing)??
If yes, (keeping in mind that all documented directions have been followed) what else needs to be done?
If no, will there be a future fix for this feature and if so what would be the time frame?
vanpatrick
05-29-2007, 06:28 PM
Yes, AD integration should work if the Untangle Server is used as a router or as a transparent bridge.
Can we get more information to try to reproduce your situation in our lab?
As you walk through the requirements list here: http://wiki.untangle.com/index.php/UserGuide:User_Directory#General_Requirements_for_Using_Active_Directory_with_Untangle_Server
what details apply to your setup?
Any additional info will help....
ronnikat
05-30-2007, 03:10 PM
The ability to map user groups to policies/racks/etc. would be darned handy -- nearly essential. Once user count goes beyond a given number, it's impractical to map individuals alone -- especially when best practice in a domain is to do security groups properly. Note: most vendors I've dealt with (for all kinds of directory-enabled services) screw up nestings. I'd strongly urge working with the tokengroups attribute for users -- though that would be ADSI work rather than strictly LDAP. But the results could be used with how you're using LDAP on the Untangle box. Just a thought. ;-)
Being able to report by group -- as well as by individual -- would also be handy.
Can you elaborate for me the common screwups with nestings with Directory Enabled services you've seen? I've put together a few complex nestings, but am always looking for more strangeness to add.
Currently the implementation only supports individual users within a tree structure (including nested OUs) for Active Directory.
There is a request for adding by groups and adding by OUs support filed, but no ETA on when the functionality will be added.
rasqual
05-30-2007, 04:18 PM
Can you elaborate for me the common screwups with nestings with Directory Enabled services you've seen?
The common screwup is just not working with nestings at all. This comes from using simple ADSI group membership code, instead of working with the tokengroups directory attribute for user objects. A typical approach here (http://www.awprofessional.com/articles/article.asp?p=474649&seqNum=6&rl=1) or here (scroll down a bit) (http://forum.java.sun.com/thread.jspa?threadID=580113&tstart=60) or here (http://www.irishdev.com/blogs/jbrennan/archive/2004/11/17/292.aspx) or here (http://forum.springframework.org/showthread.php?p=121975). See 4, 5 & 8 here (http://www.rlmueller.net/freecode1.htm) or see here (http://r3jkh.com/code/articles/155.aspx), for that matter.
In short, if an organization already has security group nestings per best practice, it's very likely that what they'll want to do with Untangle will map well to those nestings or, perhaps as likely, that they'll add two or more new groups specifically for Untangle use and then add GROUPS as members of those new groups. It's at this point that an admin trying Untangle would notice whether nestings work or not, and balk.
Ideally, Untangle should allow for both nested groups AND OUs. However, if you have to select one or the other, security groups would almost certainly be the more useful.
We have over 100 security groups to determine how users access and use resources in the company, and they're pretty intelligently nested. Well . . . I can think of some exceptions. ;-)
I should clarify -- that's in the company I work for. In the church I'm supporting, there will be relatively few users (less than 20, I'm sure), and under 11 machines. Even so, even for 20 users I'd normally bring my sense for best practices to the network and set 'em up so the business logic is reflected in the security groups for resource access and group policy application variations -- then hope to use that as well for Untangle.
This allows for administration of Untangle policy and rack application without ever having to touch Untangle. That's important. I don't need to touch shared printers to change access to them, I don't need to touch shared folders to change access to them, I don't need to touch group policies to change access to them, I don't need to touch computers to change access to them as local admin, and so forth. I just remove or add a user to a domain group that has a particular kind of access to a network asset.
Empowering admins excites them. I've chosen our vendors largely on the basis of how much power I feel shooting out my fingertips when I plug their product into our flawless architecture, and see no problem with integrating 'em. ;-)
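The nesting failure described in the post above, as an added example that is not part of the original thread and not Untangle code: a one-level membership lookup misses a user who reaches a policy group only through nested groups, while a transitive expansion (the set that the tokenGroups attribute represents) finds it. The directory contents, group names and rack names are constructed, and DNs stand in for the SIDs that tokenGroups actually returns.

```python
from collections import deque

# Constructed sample data: object DN -> groups it is a direct member of.
MEMBER_OF = {
    "CN=alice,DC=example,DC=test": ["CN=Accounting,DC=example,DC=test"],
    "CN=bob,DC=example,DC=test": ["CN=Web-Restricted,DC=example,DC=test"],
    "CN=Accounting,DC=example,DC=test": ["CN=Office-Staff,DC=example,DC=test"],
    "CN=Office-Staff,DC=example,DC=test": ["CN=Web-Restricted,DC=example,DC=test"],
    # Circular nesting: a naive recursive walk would never terminate on this.
    "CN=Web-Restricted,DC=example,DC=test": ["CN=Office-Staff,DC=example,DC=test"],
}

# Hypothetical policy table: the first matching group decides the rack.
GROUP_POLICY = [("CN=Web-Restricted,DC=example,DC=test", "restricted-rack")]
DEFAULT_POLICY = "default-rack"


def direct_groups(dn):
    """What a simple one-level group membership lookup returns."""
    return set(MEMBER_OF.get(dn, []))


def effective_groups(dn):
    """Transitive closure of membership, including groups reached via nesting."""
    seen = set()
    queue = deque(MEMBER_OF.get(dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # already expanded; this also breaks nesting cycles
        seen.add(group)
        queue.extend(MEMBER_OF.get(group, []))
    return seen


def policy_for(dn, resolver):
    """Pick a rack for dn using the given membership resolver."""
    groups = resolver(dn)
    for group, policy in GROUP_POLICY:
        if group in groups:
            return policy
    return DEFAULT_POLICY


if __name__ == "__main__":
    for user in ("CN=alice,DC=example,DC=test", "CN=bob,DC=example,DC=test"):
        print(user, policy_for(user, direct_groups), policy_for(user, effective_groups))
```
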
vanpatrick
05-30-2007, 05:45 PM
For roberte66 and Mark84:
We did discover some needed changes in the AD setup documentation on the wiki. Key pieces were left out regarding Router, namely that it MUST be ON, whether you want to use Untangle as a router or bridge.
If you want to use transparent bridge mode, you must leave Router ON but disable NAT and DHCP. Also, DNS Forwarding must be ENABLED if using bridge mode.
Try these settings and let us know if you still have any issues....
Thanks for helping us correct this error!
rasqual
05-30-2007, 05:47 PM
Any chance router must be on for different racks to work with policies, as well? I haven't gotten that to work yet, either.
vanpatrick
05-30-2007, 05:52 PM
Any chance router must be on for different racks to work with policies, as well? I haven't gotten that to work yet, either.
Absolutely correct. AD integration is much the same for custom policies and reports.
roberte66
05-30-2007, 06:15 PM
For roberte66 and Mark84:
We did discover some needed changes in the AD setup documentation on the wiki. Key pieces were left out regarding Router, namely that it MUST be ON, whether you want to use Untangle as a router or bridge.
If you want to use transparent bridge mode, you must leave Router ON but disable NAT and DHCP. Also, DNS Forwarding must be ENABLED if using bridge mode.
Try these settings and let us know if you still have any issues....
Thanks for helping us correct this error!
Thanks vanpatrick for the excellent reply. We will implement these changes and let you know how we go. :)
ronnikat
05-30-2007, 06:32 PM
Any chance router must be on for different racks to work with policies, as well? I haven't gotten that to work yet, either.
The Router, in general, along with the Remote Access Portal, OpenVPN, Attack Blocker and Untangle Reports are Services of the Untangle Server.
Whatever router settings you have set up apply to all racks and all custom policies.
rasqual
05-30-2007, 09:05 PM
The Router, in general, along with the Remote Access Portal, OpenVPN, Attack Blocker and Untangle Reports are Services of the Untangle Server.
Whatever router settings you have set up apply to all racks and all custom policies.
Right. My issue (http://forums.untangle.com/showthread.php?t=104), though, is that I can't get custom policies to work (at least, not when I base the application of specific racks on an IP range). I'm wondering whether the system MUST have routing enabled -- whether it's "in use" or not -- in order to get custom policies to differentiate racks for clients based on IP ranges (or any other criteria, for that matter).
Haven't been on-site to try this yet. Will.
MelMcDoogle
03-07-2008, 12:40 PM
Meet the newest entry to urlblacklist.com ... Mel McDoogle and the website he would like you to go to if only it wasn't added to blacklists.
juank
03-18-2008, 11:59 AM
For roberte66 and Mark84:
We did discover some needed changes in the AD setup documentation on the wiki. Key pieces were left out regarding Router, namely that it MUST be ON, whether you want to use Untangle as a router or bridge.
If you want to use transparent bridge mode, you must leave Router ON but disable NAT and DHCP. Also, DNS Forwarding must be ENABLED if using bridge mode.
Try these settings and let us know if you still have any issues....
Thanks for helping us correct this error!
This doesn't apply to 5.1, right?
I haven't been able to make this thing work! :mad: