pGina is a pluggable, open-source credential provider that enables you to log into Windows using LDAP credentials. This discussion demonstrates how you can install and configure pGina so that you can log into your Windows computer using LogonBox Directory credentials.
If you have not installed LogonBox Directory, now is the time to do so. This discussion assumes you have a server installed, configured, and ready to go with users waiting to log into Windows.
Head over to the pGina website at http://pgina.org/ and download the installer. I am installing the 184.108.40.206 version, which, while marked as unstable, appears to have been in use since 2014. This version also supports TLS for LDAP connections, so we can ensure our communication with the directory remains private.
Run the installer, accepting all the usual prompts such as software license and installation directory. When it asks you to choose components, mark the "Visual C++ redistributable package" option to install it.
Apart from a further prompt to accept the software license for the Visual C++ redistributable package, everything should proceed, and the installation of pGina should complete.
Navigate to the installation directory and start the pGina.Configuration command. It should look something like this.
It's worth checking that the service status is showing as Running.
Before you head off configuring pGina to connect to your directory, there are a few values you will need to jot down. These are:
Directory Hostname
This will be the FQDN of your LogonBox Directory. This hostname must be resolvable from each client you install pGina on. If your users will be accessing the directory via the Internet, then make sure you have firewalled and port-forwarded the directory from your public hostname/IP address.
Directory LDAP DN
The LDAP Distinguished Name (DN) is a uniquely formatted string that identifies an entry in the directory tree. You will need to know the root DN of your server. If you have not changed this, then it will be
Directory LDAP Port
Unless you have changed the default LDAPS interface, the port value will be 636 for the ldaps:// protocol.
In order for pGina to connect to the LogonBox Directory it is recommended that you create a dedicated service account with just the rights needed to search the user directory.
Create a new account in your LogonBox Directory and give it a suitable name; in the configuration that follows I will use serviceAccount as the username.
Go to the User Directory menu and click the Create button at the bottom of the table. Enter the username and provide a description in the Fullname field so you can identify the account later. Set the password in the Password tab.
Save the user and take a note of the password you have set.
Next, go to the Security and Permissions menu in your LogonBox Directory and create a new Role, called Service Account. Add the user you just created to it in the Users field in the Principals tab.
Under the Permissions tab, add the LDAP Read permission and save the Role.
In the plugin selection tab, highlight the LDAP plugin in "Current Plugins" and ensure Authentication and Authorization options are checked (see image).
Now click on Configure.
There are a number of items here to configure. Using the information you have already gathered, complete the following fields.
LDAP Host: <Your LogonBox Directory FQDN>
LDAP Port: 636
Encryption: SSL (ldaps://)
Assuming you did not change the server DN and you created the service account as above then enter the full DN of the service account in the Search DN field.
Search DN: CN=serviceAccount,CN=Users,DC=System,DC=local
Search Password: <The password for your service account>
Whilst this discussion does not concern itself with group membership, you can set the Group DN pattern to CN=%g,DC=Groups,DC=System,DC=local in case we come back to this in a future discussion.
Now change to the Authentication tab; here you just need to provide the User DN Pattern field value. Again, assuming nothing has changed with the root DN, we can use the value CN=%u,CN=Users,DC=System,DC=local
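As an added, offline illustration (not pGina's own code) of how the %u and %g patterns above turn a login name into a DN, plus a small consistency check of the settings from this walkthrough. The host name directory.example.com is a placeholder for your FQDN, and the escaping follows RFC 4514 rather than whatever pGina does internally.

```python
import re

# RFC 4514: these characters must be backslash-escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot alter the structure of the DN."""
    escaped = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if value.startswith(("#", " ")):        # a leading '#' or space needs escaping
        escaped = "\\" + escaped
    if value.endswith(" "):                  # so does a trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped


def expand_dn_pattern(pattern: str, **fields: str) -> str:
    """Substitute %u / %g style placeholders (e.g. u='alice') with escaped values."""
    def replace(match):
        key = match.group(1)
        if key not in fields:
            raise KeyError(f"no value supplied for %{key}")
        return escape_dn_value(fields[key])
    return re.sub(r"%([A-Za-z])", replace, pattern)


# The settings from the walkthrough; the host name is a placeholder for your FQDN.
PGINA_LDAP_SETTINGS = {
    "ldap_host": "directory.example.com",
    "ldap_port": 636,
    "encryption": "SSL (ldaps://)",
    "search_dn": "CN=serviceAccount,CN=Users,DC=System,DC=local",
    "user_dn_pattern": "CN=%u,CN=Users,DC=System,DC=local",
    "group_dn_pattern": "CN=%g,DC=Groups,DC=System,DC=local",
}


def check_settings(settings: dict) -> list:
    """Return the problems found; an empty list means the settings match the walkthrough."""
    problems = []
    if not settings["encryption"].startswith("SSL"):
        problems.append("encryption is not SSL: passwords would cross the network in clear text")
    if settings["ldap_port"] != 636:
        problems.append(f"port {settings['ldap_port']} is not the LDAPS default 636")
    if "%u" not in settings["user_dn_pattern"]:
        problems.append("user DN pattern lacks %u, so every login would map to the same DN")
    return problems


if __name__ == "__main__":
    print(expand_dn_pattern(PGINA_LDAP_SETTINGS["user_dn_pattern"], u="alice"))
    print(check_settings(PGINA_LDAP_SETTINGS) or "settings look consistent")
```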
In the pGina Configuration tool, click the Simulation tab. Enter the name and password of a LogonBox Directory user in the username and password fields. NOTE: This user does not need to have an account on Windows; pGina will create the account when the user first logs in successfully.
Click on the green play icon to simulate the logon.
If you have everything configured correctly, you should see a result similar to the image. Don't worry if the Local Machine state returned false; that just means there is no account for the user on the machine yet. If Authentication, Authorization, and Gateway all succeed for the LDAP plugin, as this image shows, then you are ready to test a real login.
You can now close all the configuration pages, choosing Save if prompted, and log out of Windows. The first thing you will notice is that the logon UI has changed.
Enter the credentials of any of your LogonBox Directory users. If you have followed everything above correctly then they will be logged into Windows and you have your first win using LogonBox Directory!