
Customizing LDAP Objectclass Attribute Values

In document Blue Coat Systems SG Appliance (Page 98-103)

The objectclass attributes on an LDAP object define the type of object an entry is. For example, a user entry might have an objectclass attribute value of person, while a group entry might have an objectclass attribute value of group.

The objectclass attribute values defined on a particular entry can differ among LDAP servers. The objectclass attribute values are attribute values only; they are not DNs of any kind.

Currently, the objectclass attribute values are used by Blue Coat during a VPM browse of an LDAP server. If an administrator wants to browse the groups in a particular realm, the SG appliance searches the LDAP server for objects that have objectclass attribute values matching those in the group list and in the container list. The list of objectclass attribute values in the container list is needed so that containers that contain groups can be fetched and expanded correctly.

To customize LDAP objectclass attribute values:

1. Select Configuration > Authentication > LDAP > LDAP Objectclasses.

2. From the Realm name drop-down list, select the LDAP realm whose objectclasses you want to modify.

3. From the Object type drop-down list, select the type of object: container, group, or user.

4. To create or edit an object for the specified objectclass, click New or Edit. (The only difference is whether you are adding or editing an objectclass value.)

5. Enter or edit the objectclass, and click OK.

6. Select Apply to commit the changes to the SG appliance.
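As an added illustration of the browse behaviour described above (this is example code, not Blue Coat's implementation), the Python below builds the LDAP search filter from a realm's configured group and container objectclass lists and sorts returned entries by type. The realm configuration and the sample entries are constructed for the example; the RFC 4515 escaping and the classification order are this example's own choices and are not taken from the appliance.

```python
# Added example (not Blue Coat code): model of the objectclass-driven LDAP browse.
# The configured objectclass lists decide which entries are fetched when browsing
# a realm, and the container list is included so containers holding groups can be
# expanded. Values are escaped per RFC 4515 before being placed in the filter so
# that a mistyped or hostile objectclass value cannot change the filter's meaning.

# Constructed per-realm objectclass lists, as an administrator might set them.
REALM_OBJECTCLASSES = {
    "container": ["organizationalUnit", "container"],
    "group": ["group", "groupOfNames"],
    "user": ["person", "user"],
}

# RFC 4515 escapes for the characters that are significant inside a filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def objectclass_clause(values):
    """Return one (objectClass=...) term, OR-ed together when several are given."""
    terms = [f"(objectClass={escape_filter_value(v)})" for v in values]
    if not terms:
        raise ValueError("objectclass list is empty")
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


def browse_filter(config, object_type):
    """Filter for browsing groups or users together with the containers that
    may hold them (the group-list plus container-list search described above)."""
    if object_type not in ("group", "user"):
        raise ValueError("object_type must be 'group' or 'user'")
    return objectclass_clause(config[object_type] + config["container"])


def classify_entry(config, entry_objectclasses):
    """Map an entry's objectClass values to the configured type, or None.

    objectClass values compare case-insensitively. The precedence (group, then
    user, then container) is an assumption of this example: an entry carrying
    both a group class and a container class is listed as a group."""
    present = {v.lower() for v in entry_objectclasses}
    for kind in ("group", "user", "container"):
        if any(v.lower() in present for v in config[kind]):
            return kind
    return None


if __name__ == "__main__":
    print(browse_filter(REALM_OBJECTCLASSES, "group"))
    # Constructed search results: (DN, objectClass values) pairs.
    for dn, classes in [
        ("ou=groups,o=myco", ["top", "organizationalUnit"]),
        ("cn=proxyusers,ou=groups,o=myco", ["top", "groupOfNames"]),
        ("cn=alice,ou=people,o=myco", ["top", "person"]),
    ]:
        print(dn, "->", classify_entry(REALM_OBJECTCLASSES, classes))
```

The escaping matters because objectclass values are administrator input that ends up inside a filter string; escaping keeps a value such as `group)(cn=*` from widening the search.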

Defining LDAP General Realm Properties

The LDAP General page allows you to indicate whether an LDAP server is configured to expect case-sensitive usernames and passwords, the length of time that credentials are cached, the display name, and if you want to use a special virtual host for this realm.

To configure general LDAP settings:

1. Select Configuration > Authentication > LDAP > LDAP General.

2. From the Realm Name drop-down list, select the LDAP realm for which you want to change properties.

3. If needed, give the LDAP realm a display name. The default value for the display name is the realm name. The display name cannot be longer than 128 characters and it cannot be null.

4. If the LDAP server is configured to expect case-sensitive usernames and passwords, select Case sensitive.

5. Specify the length of time in seconds that user and administrator credentials received from the LDAP server are cached. Credentials can be cached for up to 3932100 seconds. The default value is 900 seconds (15 minutes).

6. You can specify a virtual URL based on the individual realm. For information on the virtual URL, see Chapter 3: "Controlling Access to the Internet and Intranet" on page 23.

7. Select Apply to commit the changes to the SG appliance.

Related CLI Syntax to Manage an LDAP Realm

❐ To enter configuration mode:

SGOS#(config) security ldap create-realm {ad | iplanet | nds | other} realm_name [base_dn] primary_host [primary_port]

#(config) security ldap edit-realm realm_name

❐ The following subcommands are available:

#(config ldap realm_name) alternate-server host [port]

#(config ldap realm_name) cache-duration seconds

Note: If you specify 0, this increases traffic to the LDAP server because each authentication request generates an authentication and authorization request to the server.

#(config ldap realm_name) case-sensitive {disable | enable}

#(config ldap realm_name) default-group-name default_group_name

#(config ldap realm_name) display-name display_name

#(config ldap realm_name) distinguished-name user-attribute-type user_attribute_type

promote | remove} {base_dn | clear}

#(config ldap realm_name) exit

#(config ldap realm_name) membership-attribute attribute_name

#(config ldap realm_name) membership-type {group | user}

#(config ldap realm_name) membership-username {full | relative}

#(config ldap realm_name) no alternate-server

#(config ldap realm_name) no default-group-name

#(config ldap realm_name) no membership-attribute

#(config ldap realm_name) objectclass container {add | remove} {container_objectclass | clear}

#(config ldap realm_name) objectclass group {add | remove} {group_objectclass | clear}

#(config ldap realm_name) objectclass user {add | remove} {user_objectclass | clear}

#(config ldap realm_name) protocol-version {2 | 3}

#(config ldap realm_name) referrals-follow {disable | enable}

#(config ldap realm_name) rename new_realm_name

#(config ldap realm_name) search anonymous {disable | enable}

#(config ldap realm_name) search dereference {always | finding | never | searching}

#(config ldap realm_name) search encrypted-password encrypted_password

#(config ldap realm_name) search password password

#(config ldap realm_name) search user-dn user_dn

#(config ldap realm_name) server-type {ad | iplanet | nds | other}

#(config ldap realm_name) spoof-authentication {none | origin | proxy}

#(config ldap realm_name) ssl {disable | enable}

#(config ldap realm_name) ssl-verify-server {disable | enable}

#(config ldap realm_name) timeout seconds

#(config ldap realm_name) validate-authorized-user {disable | enable}

#(config ldap realm_name) view

#(config ldap realm_name) virtual-url url
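The Case sensitive setting and the credential cache duration (case-sensitive and cache-duration in the CLI above) interact in the realm's credential cache. The following Python is an added example and not Blue Coat code: a toy per-realm credential cache that models the behaviour those settings describe, with 0 disabling caching so every request is verified against the server, the 3932100-second maximum enforced, and the case-sensitivity flag deciding whether differently cased usernames share one entry. The server-verification callable, the salted-hash storage of cached credentials and the injectable clock are assumptions of this example.

```python
# Added example (not Blue Coat code): a toy model of the per-realm credential
# cache governed by the case-sensitive and cache-duration settings.
#   cache_duration == 0 disables caching, so every request is verified by the
#   LDAP server; otherwise a successful verification is reused until it expires.
#   case_sensitive decides whether "Alice" and "alice" share one cache entry.
# The cache stores a salted PBKDF2 digest rather than the password itself.

import hashlib
import hmac
import os
import time

MAX_CACHE_DURATION = 3932100  # seconds, the upper limit stated in the text


class CredentialCache:
    def __init__(self, verify_with_server, cache_duration=900,
                 case_sensitive=False, clock=time.monotonic):
        if not 0 <= cache_duration <= MAX_CACHE_DURATION:
            raise ValueError("cache duration must be 0..%d seconds" % MAX_CACHE_DURATION)
        self.verify = verify_with_server      # assumed: callable(user, pw) -> bool
        self.cache_duration = cache_duration
        self.case_sensitive = case_sensitive
        self.clock = clock                    # injectable for deterministic tests
        self.server_requests = 0              # how often the server was consulted
        self._entries = {}                    # key -> (salt, digest, expires_at)

    def _key(self, username):
        # A case-insensitive realm folds the username so both spellings hit
        # the same entry; a case-sensitive realm keeps them apart.
        return username if self.case_sensitive else username.lower()

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def authenticate(self, username, password):
        key = self._key(username)
        now = self.clock()
        entry = self._entries.get(key)
        if entry is not None:
            salt, digest, expires_at = entry
            if now < expires_at and hmac.compare_digest(digest, self._digest(salt, password)):
                return True   # cache hit: no round trip to the LDAP server
            # Expired, or a different password for a cached user: ask the server.
        self.server_requests += 1
        ok = self.verify(username, password)
        if ok and self.cache_duration > 0:
            salt = os.urandom(16)
            self._entries[key] = (salt, self._digest(salt, password), now + self.cache_duration)
        elif not ok:
            self._entries.pop(key, None)  # a failed check invalidates any stale entry
        return ok


def constructed_server(username, password):
    """Stand-in for the LDAP server: a constructed directory with one user,
    compared case-insensitively as many directories do."""
    return (username.lower(), password) == ("alice", "s3cret")


if __name__ == "__main__":
    cache = CredentialCache(constructed_server, cache_duration=900)
    for user, pw in [("alice", "s3cret"), ("Alice", "s3cret"), ("alice", "wrong")]:
        print(user, cache.authenticate(user, pw),
              "server requests so far:", cache.server_requests)
```

Running the block shows the second request served from cache and the third, with a wrong password, going back to the server; a cache duration of 0 makes every request a server round trip, which is the traffic increase the CLI note warns about.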

Creating the CPL

Be aware that the examples below are just part of a comprehensive authentication policy. By themselves, they are not adequate for your purposes.

Be aware that the default policy condition for these examples is allow. The default policy condition on new SGOS 5.x systems is deny.

❐ Every LDAP-authenticated user is allowed to access the SG appliance.

<Proxy>
authenticate(LDAPRealm)

Note: Refer to Volume 11: Blue Coat SG Appliance Content Policy Language Guide for details about CPL and how transactions trigger the evaluation of policy file layers.

<Proxy>
authenticate(LDAPRealm)
<Proxy>
group="cn=proxyusers, ou=groups, o=myco" deny

❐ A subnet definition determines the members of a group, in this case, members of the Human Resources department.

<Proxy>
authenticate(LDAPRealm)
<Proxy>
define subnet HRSubnet
192.168.0.0/16
10.0.0.0/24
end subnet HRSubnet
[Rule] client_address=HRSubnet
url.domain=monster.com
url.domain=hotjobs.com
deny
. . .
[Rule]
deny

Using a Local realm is appropriate when the network topology does not include external authentication, or when you want to add users and administrators to be used by the SG appliance only.

The Local realm (you can create up to 40) uses a Local User List, a collection of users and groups stored locally on the SG appliance. You can create up to 50 different Local User Lists. Multiple Local realms can reference the same list at the same time, although each realm can only reference one list at a time. The default list used by the realm can be changed at any time.

This section discusses the following topics:
