Targeted users to be filtered and monitored by GoGuardian Gateway will be required to sign into a captive portal using their domain-managed credentials via LDAP authentication. Setting up GoGuardian's connection to the server properly via LDAP is a vital step that must be completed for GoGuardian Gateway to allow users to access the internet.
If Active Directory is currently synced with Google Admin Console, leveraging Google's LDAP servers/configuration can simplify the setup process and requires no additional port forwarding or network configuration. Adding LDAP clients via Google Admin Console: https://support.google.com/a/answer/9048434.
General Settings for LDAP
The fields in the above screenshot will need to be completed specified to the domain which manages user credentials for the desired managed users. If the managed domain is bestschool.org, enter "bestschool.org" in the domain field, DC=bestschool,DC=ORG as the LDAP Base DN.
The host field will be the WAN IP address for the server. This address should match results when running the cmd prompt nslookup myip.opendns.com. resolver1.opendns.com as the non authoritative answer's address field.
The LDAP port number will always be 636 unless configured otherwise. GoGuardian only allows SSL or LDAPS to ensure maximum security for the domain. Microsoft has a detailed guide on how to configure LDAPS for Active Directory HERE.
If LDAPS is configured via SSL and port 636 is specified, check the boxes for "Connect with SSL" and for "Skip StartTLS." If the LDAP connection is secured via TLS, keep the box unchecked.
User Filter Expression:
The User Filter Expression field will be required to specify a field for managed users to sign in with. For Active Directory, a common identifier for user accounts is the SamAccountName. For a detailed list of account fields, leverage Powershell to query all managed users on the domain.
After opening powershell as an administrator running the cmdlet Get-ADUser to perform a search against multiple user objects.
From the Start Menu, type "PowerShell" then click Windows PowerShell
In the prompt (C:\PS>) type the following command:
Get-ADUser -Filter * -SearchBase "DC=(YOURDOMAIN),DC=(COM)"
This returns an array of all users in the container "DC=(YOURDOMAIN),DC=(COM)" (yourdomain.com)
Authentication Credentials for LDAP
A directory-managed account username and password capable of binding and querying all desired managed user credentials will need to be entered which GoGuardian will log in as to bind the target LDAP server and validate user credentials when entered by end users to access internet filtered and monitored by GoGuardian Gateway.
Enter the username and password for a domain account with permissions to bind and query the LDAP server. Account access can be tested/confirmed within LDAP tools such as LDP. If bind fails in the diagnostic at the top right corner of the LDAP configuration within GoGuardian, leverage LDP to test the user's ability to bind to and query the directory.
- Select Start and search for LDP.exe or open a command prompt in windows and type ldp to launch LDP.exe.
- Select Connection > Connect.
- In the Server text box, type the name of the AD server.
- Assuming the LDAP is an LDAPS configured for using SSL or TLS, in the Port text box, type 636, and select the SSL checkbox
- Click OK.
- Select Connection > Bind from the LDP panel
- Enter a username with the authority to bind the LDAP and its password, along with the domain. Ensure “Bind with credentials” is selected.
- A successful message confirming authentication as the user should appear. This user should be able to navigate to View > Tree and click OK to browse within the structure.
NOTE: Diagnostics may fail due to firewall or content filtering rules. Ensure port forwarding is enabled for all TCP traffic to/from your server's WAN address and specified port (default 636 for SSL) from GoGuardian servers: 126.96.36.199, 188.8.131.52, and 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124 Firewall configuration is not necessary for Google LDAP configurations.