
Thread: LDAP Binds

  1. #1
    Newbie
    Join Date: Aug 2016
    Posts: 5

    LDAP Binds

    So we've been using Directory Connector for a while with the login script. It's been working fine.

    Looking at my domain controller the other day, I noticed it complaining about there being clear text simple binds coming from Untangle. It is authenticating users from captive portal and the credentials input on the authentication tab. Looking at the Directory Connector Authentication page, I see that it supports SSL, but that requires a Certificate Authority server, which seems overkill just to secure this module's communication with the domain controller. I'm trying to weigh the need for Directory Connector now, as I don't see myself spinning up an additional virtual machine to get this to be secure.

    Is anyone familiar with a workaround like a self-signed certificate?

    Would installing the Monitor Application instead of the logon script affect this?
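    An added example (not from this thread or from Untangle) of how to confirm on the domain controller which hosts are doing the clear text simple binds the DC is complaining about. It assumes a Windows DC with an elevated PowerShell session; event IDs 2887/2889 in the Directory Service log and the NTDS diagnostics registry value are the standard Windows ones, and the message-parsing regexes are my own.

```powershell
# Added example: inventory clear-text LDAP simple binds on a domain controller.
# Event 2887 (Directory Service log) is a daily summary that is on by default;
# the per-client 2889 events need the "16 LDAP Interface Events" diagnostic
# raised to 2. Raise it only while you are building the list of offending hosts.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $ntds -Name '16 LDAP Interface Events' -Value 2 -Type DWord

function Get-ClearTextLdapBinds {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        # The message body carries the client socket, the identity that was bound and the
        # binding type (0 = simple bind over clear text, 1 = SASL bind without signing).
        # Regexes are assumptions about the message layout, not a documented API.
        $ip   = [regex]::Match($m, 'Client IP address:\s*([^\s]+)').Groups[1].Value
        $who  = [regex]::Match($m, 'authenticate as:\s*([^\r\n]+)').Groups[1].Value
        $type = [regex]::Match($m, 'Binding Type:\s*(\d)').Groups[1].Value
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = $ip -replace ':\d+$', ''   # drop the ephemeral source port
            Identity = $who.Trim()
            Kind     = if ($type -eq '0') { 'SimpleBindClearText' } else { 'SaslUnsigned' }
        }
    }
}

# Group by source host. A Directory Connector / captive portal appliance shows up as one
# client address with many simple binds, which is the pattern described in the post above.
Get-ClearTextLdapBinds -Hours 24 |
    Group-Object Client, Kind |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Identities'; e = { ($_.Group.Identity | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Once the appliance binds over LDAPS (TCP 636) or the binds are no longer needed,
# put the diagnostic level back to 0 so the Directory Service log stays quiet:
# Set-ItemProperty -Path $ntds -Name '16 LDAP Interface Events' -Value 0 -Type DWord
```

    The grouped output tells you whether the binds come from the appliance's own authentication settings, from captive portal logins, or from some other host entirely, which is the first thing to know before deciding whether LDAPS is worth setting up.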

  2. #2
    sky-knight (Untangle Ninja)
    Join Date: Apr 2008
    Location: Phoenix, AZ
    Posts: 24,038

    Stop using the login script, start using the logon monitor: https://wiki.untangle.com/index.php/..._Monitor_Agent

    You install that on your domain controller, and it reads the security event log for events and posts the data to Untangle. Now Untangle isn't even handling an authentication event. That is, unless you make captive portal authenticate those users a second time, but by default it'll just work off the existing login data presented by the monitor agent.

    But even the script doesn't log people in... It just collects IP addresses to tell Untangle where people are. So if you want those login attempts to stop, you need to stop using RADIUS for the captive portal for your domain users. Which again, why make them login? They're already logged in? There's a way to bypass logins on sessions already logged in... but it escapes me at the moment.
    Last edited by sky-knight; 12-13-2019 at 01:47 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Newbie
    Join Date: Aug 2016
    Posts: 5

    Captive portal aside, you're saying with the Login Monitor installed LDAP binds will stop?

    The way our current captive portal is set up is to block network access to anyone who hasn't been authenticated against our domain users Active Directory group. What happens sometimes is someone pulls out a laptop that still has a user logged on; Untangle can't verify their presence in AD, as no recent logon event has occurred, and makes them re-authenticate.

  4. #4
    sky-knight (Untangle Ninja)
    Join Date: Apr 2008
    Location: Phoenix, AZ
    Posts: 24,038

    Yeah, which is the way it must be. The monitor is a better mechanism than the script, because it just pulls login events from the DC's security log. You're not waiting on machines to run the script, which can honestly be easily fooled.

    But, if the Portal has to pass a login to the AD server, I'm pretty sure that's where the errors you're getting come from. And I'm sorry, it seems like I should know how to fix it but I just can't remember. I'd call Untangle Support on that one, you have the paid modules and they can help you resolve those errors.

    But you still probably want to stop using the script, the monitor is just a cleaner way to handle that process.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
