DansGuardian Documentation Wiki


Differences

This shows you the differences between the selected revision and the current version of the page.

using_ident_for_user_identification 2009/02/11 17:30 using_ident_for_user_identification 2010/08/31 23:40 current
Line 3: Line 3:
===== Introduction ===== ===== Introduction =====
You can use Ident to identify your users based on log in name.  This simplifies management so you don't have to go around matching IP addresses to computers.  Of course it also allows you to add users to groups based on their username. You can use Ident to identify your users based on log in name.  This simplifies management so you don't have to go around matching IP addresses to computers.  Of course it also allows you to add users to groups based on their username.
- 
===== Advantages of Ident ===== ===== Advantages of Ident =====
Using Ident for user authentication has several benefits over the SSL or proxy login methods - primarily that the user does not need to enter username and password credentials to access DansGuardian. Instead, an Ident server running on the client system will automatically provide the Windows username to DansGuardian. Using Ident for user authentication has several benefits over the SSL or proxy login methods - primarily that the user does not need to enter username and password credentials to access DansGuardian. Instead, an Ident server running on the client system will automatically provide the Windows username to DansGuardian.
 +===== Disadvantages of Ident =====
 +
 +One disadvantage is the ident protocol is very easy for a user who's broken an end user computer (or brought a computer in from home) to "spoof". If your user population is quite hostile, the minimal security provided by ident auth may not be acceptable.
 +
 +Another disadvantage is if DansGuardian can't contact what should be an extant Ident daemon, DansGuardian processing will be delayed for an unacceptably long time (perhaps several minutes). This is normally not a problem where you control all the end user computers, provided you rigorously follow these two recommendations:
 +
 +  - Allow port 113 through all internal software firewalls. Don't treat the "Windows Firewall" as nothing more than a simple "all\ on" or "all\ off" capability; you may need to explicitly allow port 113 even though the firewall is "on". To do this you may need to select buttons or tabs labelled with things like [Exceptions] or [Advanced].
 +  - Allow port 113 through all internal network infrastructure devices (hubs, routers, etc.). Some network infrastructure devices by default allow all traffic indiscriminately, but others either by default or because of specific (but probably forgotten) settings, disallow "uncommon" types of traffic, which unfortunately often includes port 113 traffic.
 +
 +(Obviously, software firewalls on computers brought in from home may incorrectly firewall port 113 beyond your control. In this situation, "ident" auth may not be suitable, as its use may always be problematic no matter what you do.)
 +
 +In case you want to know the technical details: DansGuardian operation using ident auth will proceed immediately and correctly so long as either connections reach a legitimate ident daemon or are rejected by a network packet with the RST bit set. But DansGuardian operation using ident auth will be dramatically delayed and jerky if it receives absolutely no response at all (not even a RST) to its port 113 traffic (or if if connects to a faulty ident daemon which later becomes unresponsive - fortunately this is very uncommon).
 +
 +Note that unlike earlier versions of Windows, Windows Vista and Windows 7 no longer reject packets sent to port 113 if no running Ident server is found.  This will result in no website being displayed in the browser.  Consequently all machines must have an Ident server installed if you use Ident on your network.
-===== IDENT Servers ===== +===== Ident Daemons ===== 
-In order to use Ident for authentication, an Ident server application must be installed on all client systems. Here are some IDENT servers that can be installed on your workstations:+In order to use Ident for authentication, an Ident daemon/server application must be installed on all workstation computers. Here are some Ident servers that can be installed on your workstations:
-   +**Windows 2000+**   
-  * Windows Ident Server 2.0 (Windows XP, 2003, Vista, Server 2008) (22 June 2008) - http://rndware.info/content/Windows+Ident+Server +  * Windows Ident Server 2.0 (Windows XP, 2003, Vista, Server 2008) (22 June 2008) - http://rndware.info/products/windows-ident-server.html - Seems to run under Windows 7. //Does not pull up actual username when running as a service - instead it shows the username of the user running the service (usually "system")// 
-  * Retina Scan IDENT (Last Update: Nov 29 2006) - https://sourceforge.net/projects/retinascan +  * Retina Scan IDENT (Last Update: vsn 0.3.0 08 Aug 2009) - https://sourceforge.net/projects/retinascan - supports fast user switching. Works on Vista but not Windows 7. //Does not pull up actual username when running as a service - instead it shows the username of the user running the service (usually "system")// 
-  * Identdwin (Last Update: 2003) - http://identdwin.sourceforge.net/identd-en.html+  * Identdwin (Last Update: 2003) - http://identdwin.sourceforge.net/identd-en.html. Although not updated for many years, this supports fast user switching on Windows 7 if you install the "NT" version in the download.
  * Microsoft Windows XP/2000/NT - http://freeware.teledanmark.no/identd (no longer available)   * Microsoft Windows XP/2000/NT - http://freeware.teledanmark.no/identd (no longer available)
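Review bot: the new "Disadvantages of Ident" text rightly states that ident is "very easy ... to 'spoof'" and gives only "minimal security", yet the "Advantages of Ident" paragraph just above still calls it "user authentication"; since the username is simply asserted by a daemon on the client, suggest "user identification" there, matching the page title and the Introduction, so readers do not mistake it for a credential check. Two typos in the added text: "or if if connects to a faulty ident daemon" has a doubled "if", and "all\ on" / "all\ off" carry stray backslashes. Also, the paragraph about Vista and Windows 7 says a missing daemon "will result in no website being displayed", while the preceding paragraph says that a missing RST causes processing to be "delayed for an unacceptably long time (perhaps several minutes)"; the two should be reconciled so the reader knows whether to expect a stall or a failure.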
Line 21: Line 34:
**Apple** **Apple**
 +  * Apple OS-X 10.0-10.2 - ident server is included in the OS - see below.
  * Apple OS-X 10.3 and higher - http://www.macmax.org/rubrique.php3?id_rubrique=21   * Apple OS-X 10.3 and higher - http://www.macmax.org/rubrique.php3?id_rubrique=21
-===== Installation Instructions =====+===== Workstation Installation Instructions =====
== Windows 9x == == Windows 9x ==
-On Windows 9x machines, simply extract the identd.exe program and set it to run via the Registry Run key or via a network login script. You will need to run it as follows:  +On Windows 9x machines, simply extract the identd.exe program (link provided above) and set it to run via the Registry Run key or via a network login script. You will need to run it as follows:  
-<pre>identd.exe -n -r 0</pre>+<code>identd.exe -n -r 0</code>
    * The -n turns off port-based security which means that it will return an answer no matter where the request is coming from (thus breaking RFC-compliancy, but hey, it works).     * The -n turns off port-based security which means that it will return an answer no matter where the request is coming from (thus breaking RFC-compliancy, but hey, it works).
-    * The -r 0 returns the actul username of the person currently logged into the machine.+    * The -r 0 returns the actual username of the person currently logged into the machine.
== XP/2000/NT == == XP/2000/NT ==
 +**Note:** Make sure that if you have a firewall enabled on your workstations (such as the one included in windows XP SP2) that you allow ident (port 113 - TCP) through the firewall.
 +
On Windows XP/2000/NT just run "identd -install" as an administrator and double-check On Windows XP/2000/NT just run "identd -install" as an administrator and double-check
the Services applet in Control Panel to make sure it loads automatically the Services applet in Control Panel to make sure it loads automatically
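Review bot: the firewall note moved into the XP/2000/NT section ("**Note:** Make sure that if you have a firewall enabled ... allow ident (port 113 - TCP) through the firewall.") drops the consequence the old wording carried, "If you don't DansGuardian will not allow you to browse the web"; suggest keeping that sentence, since it is the symptom an administrator will actually be chasing. The added Apple line "ident server is included in the OS - see below" has no matching OS-X 10.0-10.2 instructions anywhere in the visible hunks; either name the section it points to or confirm it exists on the full page.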
Line 40: Line 56:
Neither of the above will work with multi-user systems like Windows Neither of the above will work with multi-user systems like Windows
Terminal Server, Citrix Metaframe and the like, and might have problems Terminal Server, Citrix Metaframe and the like, and might have problems
-with XP and "fast user switching".+with XP and "fast user switching". Retina Scan Identd is written to support "fast user switching" and from version 0.3.0 supports Windows Vista and XP.
Once installed, the Ident service must be manually started or the client system rebooted. Once installed, the Ident service must be manually started or the client system rebooted.
- 
-**Note:** Make sure that if you have a firewall enabled on your workstations (such as the one included in windows XP SP2) that you allow ident (port 113) through the firewall.  If you don't DansGuardian will not allow you to browse the web). 
== Linux/Unix == == Linux/Unix ==
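Review bot: the added sentence recommending Retina Scan for "fast user switching" should carry the caveat given for the same product in the "Ident Daemons" list above, namely that when run as a service it "shows the username of the user running the service (usually "system")"; a daemon that reports "system" defeats the username-to-group mapping this page is about, so the reader needs that limitation at the point where the product is recommended.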
Line 58: Line 72:
http://www.macmax.org/rubrique.php3?id_rubrique=21 http://www.macmax.org/rubrique.php3?id_rubrique=21
-=== Enabling ident in DansGuardian ===+===== Enabling ident in DansGuardian =====
DansGuardian can then be configured to use Ident authentication in the dansguardian.conf file.  DansGuardian can then be configured to use Ident authentication in the dansguardian.conf file. 
Line 102: Line 116:
===== Links ===== ===== Links =====
  * https://support.smoothwall.net/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=150   * https://support.smoothwall.net/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=150
-