With the Active Directory Connector, you can use your existing Windows users, groups and passwords on your ClearOS Professional system. This lets you manage users and groups in one place and apply policies consistently.
If you are interested in implementing a single sign-on content filter solution using ClearOS, please take a look at the Content Filtering with Active Directory Implementation Guide. The guide is also helpful for getting an understanding of how to implement the Active Directory Connector with ClearOS apps, so even if content filtering is not your cup of tea, the guide might still be worth a look.
With the Active Directory Connector, all user accounts and groups are managed in Active Directory; ClearOS reads them from the domain rather than maintaining its own copies. Because ClearOS grants access to its services by group membership, there are special groups that you must create on your Active Directory Domain Controller. These special groups are called plugin groups.
Create the corresponding groups on your AD server and add the users who should have access to each ClearOS service. The group name must match the plugin group name the ClearOS app expects. For example, create a group in AD called 'web_proxy_plugin' and add every domain user who should be allowed to use the proxy server.
Once these groups have synchronized to ClearOS, members can authenticate to the corresponding ClearOS services with their domain username and password.
If your system does not have this app available, you can install it via the Marketplace.
You can find this feature in the menu system at the following location:
<navigation>Server|Directory|Active Directory Connector</navigation>
Before configuring the Active Directory Connector, point the DNS settings of ClearOS at the DNS server(s) of your Active Directory domain (normally the domain controllers themselves). ClearOS must use the domain's DNS to resolve the domain controller hostnames and the service records that authentication depends on. Secondly, have ClearOS take its time from the AD server rather than from internet time sources. Kerberos, which the domain join and domain logins rely on, rejects requests when the two clocks differ by more than five minutes (the Kerberos default), so even if the AD server is itself set to an internet time source, it is better for ClearOS and the AD server to be wrong together than for one to drift away from the other.
When you visit the Active Directory Connector web-based configuration page for the first time, you will be shown a number of options needed to connect your ClearOS Professional system to your directory server. There are a lot of little things that can trip up this process, so please review this guide if you run into trouble.
The following information is required to allow ClearOS to join the Active Directory domain.
The Windows Domain is the short, one-word (NetBIOS) domain name configured in Active Directory.
The ADS Realm is the full DNS name for your domain. You can find this parameter by reviewing the My Computer / Properties information on a system already joined to the Windows domain. If you are a command prompt kind of person, you can also find this information on the Windows command line:
If you are using an internal DNS name (e.g. myrealm.local), then please make sure your ClearOS system is configured to resolve this hostname. You can either add this name to the ClearOS DNS Server or make sure ClearOS is pointing to an internal DNS server on the IP Settings configuration.
The Domain Controller is a DNS hostname for one of the domain controllers in your domain, preferably your Global Catalog server. You should use the hostname of the server and NOT the IP address. It is useful to ping the hostname from a command prompt to ensure that you have the proper DNS resolution before joining the domain.
The server settings describe the ClearOS system as it will appear in the domain. The Server Name is the one-word name for the ClearOS system (e.g. gateway), while the Server Comment is a description of the system (e.g. ClearOS Internet Gateway).
Any account that is permitted to join systems to the Windows Domain can be used for the Domain Administrator and Password settings. It does not have to be a member of Domain Admins; an account with delegated rights to join computers to the domain is preferable.
Once you have connected ClearOS Professional to your Active Directory system, you will be able to review users and groups in the ClearOS web-based administration tool. It can take a minute or two for the first directory synchronization to complete, but subsequent synchronizations are much quicker.
Any application in ClearOS that requires user authentication needs to have a corresponding group in Active Directory. Create those groups now on Active Directory and start assigning users in Active Directory to these groups. This allows you to control which users have access to the apps on the ClearOS system. For example, any user in the web_proxy_plugin group in Active Directory will be able to access the Web Proxy on ClearOS.
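To confirm that a plugin group has synchronized to ClearOS and that a given domain user will actually be admitted, the following checks can be run from the ClearOS shell. This is an added example and not ClearOS's own tooling; it assumes the connector is built on Samba winbind (so `wbinfo` and `getent` see the domain), and `web_proxy_plugin`, `EXAMPLE` and `alice` are placeholders.

```shell
#!/bin/sh
# ad-postjoin.sh: confirm a plugin group and its members are visible on ClearOS
# after the join. Added example, not part of ClearOS. Assumes winbind is the
# mechanism behind the connector; group, domain and user names are placeholders.

# Split the member field of a `getent group` record ("name:x:gid:m1,m2")
# onto one line per member.
group_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Exit 0 if USER appears in the getent group record LINE.
user_in_group_line() {  # user line
    group_members "$2" | grep -qxF "$1"
}

# Winbind may expose the group as "web_proxy_plugin" or as
# "DOMAIN\web_proxy_plugin", depending on the `winbind use default domain`
# setting in smb.conf, so try both spellings.
resolve_group() {  # group [domain]
    getent group "$1" 2>/dev/null && return 0
    [ -n "${2:-}" ] && getent group "$2\\$1" 2>/dev/null
}

check_plugin_access() {  # user group [domain]
    line=$(resolve_group "$2" "${3:-}") || {
        echo "FAIL: group $2 is not visible on ClearOS (not created in AD, or not synchronized yet)"
        return 1
    }
    if user_in_group_line "$1" "$line"; then
        echo "ok: $1 is a member of $2"
    else
        echo "FAIL: $1 is not in $2; add the user to the group in Active Directory, not on ClearOS"
        return 1
    fi
}

# Live checks only when invoked with arguments, e.g.
#   sh ad-postjoin.sh alice web_proxy_plugin EXAMPLE
if [ $# -ge 2 ]; then
    wbinfo -t || echo "FAIL: trust secret check failed; re-join the domain"
    wbinfo -P || echo "FAIL: cannot reach a domain controller"
    check_plugin_access "$@"
    # Authenticate the user through winbind. wbinfo prompts for the password
    # when none is given, so it never appears in shell history or `ps` output.
    wbinfo -a "$1"
fi
```

`wbinfo -t` verifies the machine account secret established by the join and `wbinfo -P` verifies that a domain controller is reachable; if either fails, group lookups will fail too, whatever the AD side looks like. The final `wbinfo -a` exercises the same winbind path the ClearOS apps use, so a successful result here but a failed app login points at the plugin group rather than at the domain connection.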
When you visit an app page that requires user authentication, you will see an App Policy widget as shown in the screenshot below:
You can view the members of this app policy from the widget. To change the group membership, do so in your Active Directory system; ClearOS does not edit domain groups. Here is a list of some of the apps that use user and group information from Active Directory:
Connecting to Active Directory from a different subnet or logical network can prove difficult. Parts of the join and lookup process fall back to NetBIOS broadcast name resolution when the services or ports they expect are unreachable, and broadcasts do not cross routers.
The connection between your ClearOS server and your AD server must be reliable and persistent. The Active Directory Connector has technical requirements for ClearOS to join the domain; most of these are satisfied automatically when both systems are on the same network, but they cause problems when the traffic has to traverse a firewall that blocks the required ports.
Among the several requirements are:
“Before attempting to join a machine to the domain, verify that … the target domain controller … is capable of being reached via ports 137/udp, 135/tcp, 139/tcp, and 445/tcp.”
Additional ports might include any AD services listed here.
Additionally, ClearOS should ONLY use the Active Directory server as its DNS server. A consequence is that when connectivity between ClearOS and its AD controller is down, ClearOS cannot resolve names, and so cannot function well as a DNS server for its own clients either.
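The prerequisites described earlier (domain DNS, clock agreement with the domain controller, resolution of the DC hostname, and the ports in the quoted requirement) can all be checked from the ClearOS shell before attempting the join. The following script is an added example, not part of ClearOS or its documentation; it assumes `dig`, `ntpdate` and `nc` are installed on ClearOS, that the realm and domain controller names passed in are placeholders you replace with your own, and a 300-second clock-skew limit, which is the default tolerance in both MIT Kerberos and Active Directory.

```shell
#!/bin/sh
# ad-preflight.sh: pre-join checks run ON the ClearOS box. Added example, not
# part of ClearOS. Assumes dig, ntpdate and nc are available; realm and DC
# names are placeholders supplied on the command line.

KERBEROS_MAX_SKEW=300   # seconds; Kerberos rejects tickets beyond this by default

# SRV record every AD domain controller registers. Resolving it proves ClearOS
# is using the domain's DNS rather than a public resolver.
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# Ports the quoted join requirement lists, as proto/port pairs.
required_ports() {
    printf '%s\n' udp/137 tcp/135 tcp/139 tcp/445
}

# A clock offset (seconds, possibly negative or fractional) is acceptable only
# if its magnitude is within the Kerberos limit.
skew_ok() {
    awk -v off="$1" -v max="$KERBEROS_MAX_SKEW" 'BEGIN {
        if (off < 0) off = -off
        exit !(off <= max)
    }'
}

# Extract the offset from an `ntpdate -q` line such as
# "server 10.0.0.10, stratum 2, offset -0.000812, delay 0.02567"
ntpdate_offset() {
    sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | head -n 1
}

tcp_open() {  # host port
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

preflight() {  # realm dc_hostname
    realm=$1; dc=$2; rc=0

    echo "== DNS =="
    if dig +short "$(dc_srv_name "$realm")" SRV | grep -q .; then
        echo "ok: SRV records for $realm found (ClearOS is using the domain's DNS)"
    else
        echo "FAIL: no SRV records for $realm; point ClearOS at the domain's DNS servers"; rc=1
    fi
    if dig +short "$dc" A | grep -q .; then
        echo "ok: $dc resolves"
    else
        echo "FAIL: $dc does not resolve; fix DNS before joining"; rc=1
    fi

    echo "== Time =="
    off=$(ntpdate -q "$dc" 2>/dev/null | ntpdate_offset)
    if [ -n "$off" ] && skew_ok "$off"; then
        echo "ok: clock offset to $dc is ${off}s"
    else
        echo "FAIL: clock offset to $dc is '${off:-unknown}' (limit ${KERBEROS_MAX_SKEW}s); sync ClearOS to the DC"; rc=1
    fi

    echo "== Ports =="
    for pp in $(required_ports); do
        proto=${pp%/*}; port=${pp#*/}
        case $proto in
            tcp) if tcp_open "$dc" "$port"; then echo "ok: tcp/$port"; else echo "FAIL: tcp/$port blocked"; rc=1; fi ;;
            udp) echo "note: udp/$port has no handshake and cannot be probed reliably; verify the firewall rule instead" ;;
        esac
    done
    return $rc
}

# Run the live checks only when realm and DC are given, e.g.
#   sh ad-preflight.sh example.local dc1.example.local
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A non-zero exit means at least one check failed; the messages say which. Resolving the `_ldap._tcp.dc._msdcs` record is a stricter test than pinging the DC, because a public resolver can often answer a plain A query for a DC yet knows nothing about the domain's service records that the join needs.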