With the Active Directory Connector, you can use your existing Windows users, groups and passwords on your ClearOS Business system. This allows you to manage users and groups in one location, as well as apply policies in a consistent manner.
If you are interested in implementing a single sign-on content filter solution using ClearOS, please take a look at the Content Filtering with Active Directory Implementation Guide. The guide is also helpful for getting an understanding of how to implement the Active Directory Connector with ClearOS apps, so even if content filtering is not your cup of tea, the guide might still be worth a look.
With the Active Directory Connector, all user accounts and groups are subordinated to the AD system. Because ClearOS uses groups to control access to services, there are special groups that you must create on your Active Directory Domain Controller. These special groups are called plugin groups.
You must make, on your AD server, the corresponding groups and assign the users you want access to ClearOS services to those groups. For example, create a group on AD called 'web_proxy_plugin' and then assign all the users on your domain that you'd like to have access to the proxy server.
Once these groups replicate to ClearOS, you will be able to use the domain username and passwords against the ClearOS server for services with plugin groups.
The Active Directory Connector does not work directly with some apps, such as Kopano and RADIUS. RADIUS can be tweaked from the command line to work with the AD Connector. Using Kopano with the AD Connector requires help directly from Kopano's support and is neither tested nor supported by ClearCenter.
If your system does not have this app available, you can install it via the Marketplace.
You can find this feature in the menu system at the following location:
Server|Directory|Active Directory Connector
Before configuring the Active Directory Connector, please configure the DNS settings of your ClearOS system to resolve names through the Active Directory server(s) within your Active Directory domain. It is important that ClearOS use the domain's DNS so that it can properly resolve the hostname(s) of the domain for authentication purposes.
There are essentially three ways of doing DNS resolution.
The most basic is to have the AD DC do all DNS resolution for all LAN machines. To implement this, configure the ClearOS DHCP server to hand out the IP address of the AD DC server(s) as the DNS server.
A better option is “Split Horizon DNS”. In this scenario the AD DC handles DNS resolution only for LAN devices, while ClearOS does the DNS resolution for all external names. This is set up using the AD DNS Server 1/2 settings below.
The last way is a variation on the second, and you must use it if you are using Gateway Management. It also uses Split Horizon DNS, but it is configured by using a Rainbow/Forwarding list in Gateway Management.
You must not configure Split Horizon DNS and Gateway Management Rainbow/Forwarding Lists at the same time.
It is a good idea to have ClearOS use the AD DC as its clock source, or vice versa, rather than having each use an internet time source. Even if the AD server is set to the same internet time source, synchronization can still go wrong; it is better for the AD server and ClearOS to share the same time, even if that time is wrong, than for one to be wrong and the other to be right.
Clocks on the Active Directory server and ClearOS need to be synchronized. If the clock skew is too large, the connection will fail.
When you visit the Active Directory Connector web-based configuration page for the first time, you will be shown a number of options needed to connect your ClearOS Professional system to your directory server. There are a lot of little things that can trip up this process, so please review this guide if you run into trouble.
The following information is required to allow ClearOS to join the Active Directory domain.
The Windows Domain is the one-word domain configured in Active Directory.
The ADS Realm is the full DNS name for your domain. You can find this parameter by reviewing the My Computer / Properties information on a system already joined to the Windows domain. If you are a command prompt kind of person, you can also find this information on the Windows command line:
If you are using an internal DNS name (e.g. myrealm.local), then please make sure your ClearOS system is configured to resolve this hostname. You can either add this name to the Default Domain in the IP Settings or make sure ClearOS is pointing to an internal DNS server on the IP Settings configuration.
AD DNS Server 1/2
This allows you to set up a split horizon DNS server, i.e. one where ClearOS is the main DNS server, but the AD DC does the DNS resolution for the domain. This should be the IP address of your Domain Controller. You can add up to 2 addresses. If you need more, you will need to add them via the command line.
If you are using Gateway Management, do not set AD DNS Server 1 or 2 and do not set up a split horizon DNS using the command line. Instead create a Rainbow/Forwarding List in Gateway Management.
The Domain Controller is a DNS hostname for one of the domain controllers in your domain, preferably your Global Catalog server. You should use the hostname of the server and NOT the IP address. It is useful to ping the hostname from a command prompt to ensure that you have the proper DNS resolution before joining the domain.
The server settings are as follows. The Server Name is the one-word name for the ClearOS system (e.g. gateway), while the Server Comment is a description of the system (e.g. ClearOS Internet Gateway).
The DNS server also needs entries for the fully qualified name “Server Name”.“ADS Realm” and for the short “Server Name”, both pointing to your ClearOS LAN IP.
Any account that is permitted to join systems to the Windows Domain can be specified for the Domain Administrator and Password settings.
Reviewing User and Groups
Once you have connected ClearOS Professional to your Active Directory system, you will be able to review users and groups in the ClearOS web-based administration tool. It can take up to a minute or two for the first directory synchronization to occur, but subsequent connections are much quicker.
To review users, go to System|Accounts|Users
To review groups, go to System|Accounts|Groups
ClearOS App Policies
Any application in ClearOS that requires user authentication needs to have a corresponding group in Active Directory. Create those groups now on Active Directory and start assigning users in Active Directory to these groups. This allows you to control which users have access to the apps on the ClearOS system. For example, any user in the web_proxy_plugin group in Active Directory will be able to access the Web Proxy on ClearOS.
When you visit an app page that requires user authentication, you will see an App Policy widget as shown in the screenshot below:
You can view members of this app policy by clicking on the . To change the group membership, please do so in your Active Directory system. Here is a list of some of the apps that use user and group information from Active Directory:
Connecting to Active Directory when not on the same subnet or logical network can prove difficult. Parts of the join process fall back to broadcast-type functions when certain services or ports are unavailable.
It is important that the connection between your ClearOS server and your AD server is reliable and persistent. The Active Directory Connector has some technical requirements for ClearOS to join the domain. Most of these are irrelevant when both systems are on the same network, but they cause issues when the traffic for certain ports needs to traverse firewalls.
Among the several requirements are:
“Before attempting to join a machine to the domain, verify that … the target domain controller … is capable of being reached via ports 137/udp, 135/tcp, 139/tcp, and 445/tcp.”
Additional ports might include any AD services listed here.
Additionally, ClearOS should ONLY use the Active Directory server as its DNS server. This means that when connectivity is down between ClearOS and its AD controller, it will not be able to function well as a DNS server itself.
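As an added example (not ClearOS code), here is a small pre-join readiness script that checks the three preconditions this page calls out: the domain controller hostname resolves, the TCP ports from the quoted requirement are reachable, and the clock skew between ClearOS and the DC is small. The DC hostname dc01.myrealm.local and the 300-second skew tolerance are assumptions.

```python
#!/usr/bin/env python3
"""Pre-join readiness checks for the Active Directory Connector (added
example, not ClearOS code). Covers the preconditions this page calls out:
the DC hostname resolves through the domain's DNS, the TCP ports from the
quoted requirement are reachable, and clock skew to the DC is small.
137/udp is not probed: a UDP connect says nothing about reachability."""
import socket
from datetime import datetime, timezone

REQUIRED_TCP_PORTS = (135, 139, 445)   # from the requirement quoted above
MAX_SKEW_SECONDS = 300                 # assumed tolerance (Kerberos default)

def resolve_host(hostname, resolver=socket.gethostbyname):
    """Return the IPv4 address for hostname, or None if DNS cannot resolve it."""
    try:
        return resolver(hostname)
    except OSError:                    # socket.gaierror is a subclass of OSError
        return None

def tcp_port_open(host, port, timeout=3.0):
    """True when a TCP connect to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def clock_skew_ok(local_time, dc_time, max_skew=MAX_SKEW_SECONDS):
    """True when the two clocks differ by at most max_skew seconds."""
    return abs((local_time - dc_time).total_seconds()) <= max_skew

def readiness_report(dc_hostname, local_time, dc_time,
                     resolver=socket.gethostbyname, port_probe=tcp_port_open):
    """Run every check and return a {check_name: passed} mapping."""
    report = {}
    ip = resolve_host(dc_hostname, resolver)
    report["dns:" + dc_hostname] = ip is not None
    for port in REQUIRED_TCP_PORTS:    # a port cannot pass if DNS already failed
        report["tcp:%d" % port] = ip is not None and port_probe(ip, port)
    report["clock_skew"] = clock_skew_ok(local_time, dc_time)
    return report

if __name__ == "__main__":
    # dc01.myrealm.local is a placeholder; in practice dc_time comes from the DC
    # (e.g. an NTP query), here the local clock stands in for it.
    now = datetime.now(timezone.utc)
    for name, ok in readiness_report("dc01.myrealm.local", now, now).items():
        print("%-24s %s" % (name, "ok" if ok else "FAIL"))
```

Run it on the ClearOS box with the real DC hostname; any FAIL line points at the DNS, firewall or clock problem to fix before attempting the join.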