Solved

Squid on Fedora 10 needs to authenticate using Windows 2003 AD Users

Posted on 2009-07-11
2
910 Views
Last Modified: 2012-05-07
System for Internet = Fedora 10
Proxy Server on Fedora = Squid version 3
Users authentication = Windows 2003 AD

In nutshell, we want a solution to have our Windows 2003 AD users authenticate using their existing user id and password for Internet surfing using Squid Proxy running on Fedora 10.
0
Comment
Question by:rohitccnp
2 Comments
 
LVL 6

Accepted Solution

by:
remeshk earned 500 total points
ID: 24834712
Hi,

Please find the below comments.


Configure squid for LDAP authentication using squid_ldap_auth helper

My last post was about Squid proxy authentication using ncsa_auth helper. This time I will show you how to configure squid for LDAP authentication.

The Lightweight Directory Access Protocol, (LDAP) is a networking protocol for querying and modifying directory services running over TCP/IP.

LDAP server (such as OpenLDAP or others) uses the Lightweight Directory Access Protocol. In order to use Squid LDAP authentication you need to tell which program to use with the auth_param option in squid.conf. You specify the name of the program, plus command line options.

Squid comes with squid_ldap_auth helper. This helper allows Squid to connect to a LDAP directory to validate the user name and password of Basic HTTP authentication. This helper is located at /usr/local/squid/libexec/ or /usr/lib/squid or /usr/lib64/squid/ directory.
Step # 1: Make sure squid can talk to LDAP server

Before configuring makes sure that the squid is working with LDAP auth. Type the following command:
# /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s" ldap.nixcraft.com

Once you hit enter key you need to provide UID and password using following format:
USERID blankspace PASSWORD

If it was able to connect to LDAP server you will see "ok".
Step # 2: Configuration

Open your squid.conf file:
# vi /etc/squid/squid.conf

Next you need to add following code which specifies the base DN under where your users are located and the LDAP server name.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s" -h ldap.nixcraft.com
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
http_access deny all

Save and close the file. Restart Squid to take effect.
# /etc/init.d/squid restart
Zimbra LDAP With Squid

You need to use it as follows
/usr/lib/squid/squid_ldap_auth -v 3 -b dc=zimbra,dc=example,dc=com -f "(&(uid=%s)(objectClass=zimbraAccount))" -h zimbra.example.com
Squid authentication against Microsoft's Active Directory

I have not used group_ldap_auth helper against Microsoft's Active Directory. But someone (user) pointed out the following solution. Add following configuration directive to squid.conf:

ldap_auth_program /usr/lib/squid/group_ldap_auth -b dc=my-domain,dc=de -h \
server.my-domain.de -p 636 -g distinguishedName -d CN=lookup,OU=Services,\
OU=Users,DC=my-domain,DC=de -w lookup -u cn -m member -o group -S -l \
/var/log/squid/ldaplog

acl ldap_backoffice ldap_auth static 'CN=BackOffice,OU=Groups,dc=my-domain,dc=de'
acl ldap_management ldap_auth static 'CN=Management,OU=Groups,dc=my-domain,dc=de'
acl ldap_it-service ldap_auth static 'CN=IT-Service,OU=Groups,dc=my-domain,dc=de'
acl ldap_development ldap_auth static 'CN=DEVELOPMENT,OU=Groups,dc=my-domain,dc=de'

http_access allow ldap_development
http_access allow ldap_backoffice
http_access allow ldap_management
http_access allow ldap_it-service
http_access deny all
0
 
LVL 2

Author Comment

by:rohitccnp
ID: 24847413
Thanks for ur detailed note. Will this work with Windows 2003 AD.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question