If your network uses a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) authentication server, your LDAP domain users can be authenticated by the Barracuda Web Security Gateway using that LDAP or AD authentication service. The Barracuda Web Security Gateway also lets you look up users by the organizational units you have defined on your LDAP server when you create exceptions to block/accept policy.
Integration with External Systems and Services - Security Considerations
The Barracuda Web Security Gateway integrates with other systems and services in your environment, such as your LDAP, NTLM or Kerberos servers. Barracuda recommends creating separate service accounts for these integration points, rather than using personal accounts, and applying the principle of least privilege. This integration strategy is part of an overall security policy. For more information, see Security for Integrating with Other Systems - Best Practices.
To enable LDAP user authentication, from the USERS/GROUPS > Authentication page, in the LDAP tab, provide information about connecting to the LDAP server, binding to the LDAP server, encryption type and LDAP attributes. Click the Help button on the page for detailed steps.
Advanced LDAP Configuration
These settings should only be configured by advanced users, and are set on the USERS/GROUPS > Configuration page. Contact Barracuda Technical Support with questions.
- LDAP Server Timeout – When an LDAP server is slow in responding to search requests, increase this timeout value. Default is 30 seconds.
- LDAP Full Sync – Specifies how many times per day the Barracuda Web Security Gateway performs a full sync of users and groups against your authentication service. The default setting is Twice. If this setting is Disabled, the Barracuda Web Security Gateway does not sync users and groups against your authentication service.
- Require API Access for User Auth – Setting to Yes means that, when authenticating users with the Barracuda Web Security Gateway's third-party authorization API, the request must come from an IP address within the Allowed API IP/Range and include the API Password, both as defined on the BASIC > Administration page.