Squid on Fedora 10 needs to authenticate using Windows 2003 AD Users

System for Internet = Fedora 10
Proxy Server on Fedora = Squid version 3
Users authentication = Windows 2003 AD

In nutshell, we want a solution to have our Windows 2003 AD users authenticate using their existing user id and password for Internet surfing using Squid Proxy running on Fedora 10.
Who is Participating?
remeshkConnect With a Mentor Commented:

Please find the below comments.

Configure squid for LDAP authentication using squid_ldap_auth helper

My last post was about Squid proxy authentication using ncsa_auth helper. This time I will show you how to configure squid for LDAP authentication.

The Lightweight Directory Access Protocol, (LDAP) is a networking protocol for querying and modifying directory services running over TCP/IP.

LDAP server (such as OpenLDAP or others) uses the Lightweight Directory Access Protocol. In order to use Squid LDAP authentication you need to tell which program to use with the auth_param option in squid.conf. You specify the name of the program, plus command line options.

Squid comes with squid_ldap_auth helper. This helper allows Squid to connect to a LDAP directory to validate the user name and password of Basic HTTP authentication. This helper is located at /usr/local/squid/libexec/ or /usr/lib/squid or /usr/lib64/squid/ directory.
Step # 1: Make sure squid can talk to LDAP server

Before configuring makes sure that the squid is working with LDAP auth. Type the following command:
# /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s" ldap.nixcraft.com

Once you hit enter key you need to provide UID and password using following format:

If it was able to connect to LDAP server you will see "ok".
Step # 2: Configuration

Open your squid.conf file:
# vi /etc/squid/squid.conf

Next you need to add following code which specifies the base DN under where your users are located and the LDAP server name.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s" -h ldap.nixcraft.com
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
http_access deny all

Save and close the file. Restart Squid to take effect.
# /etc/init.d/squid restart
Zimbra LDAP With Squid

You need to use it as follows
/usr/lib/squid/squid_ldap_auth -v 3 -b dc=zimbra,dc=example,dc=com -f "(&(uid=%s)(objectClass=zimbraAccount))" -h zimbra.example.com
Squid authentication against Microsoft's Active Directory

I have not used group_ldap_auth helper against Microsoft's Active Directory. But someone (user) pointed out the following solution. Add following configuration directive to squid.conf:

ldap_auth_program /usr/lib/squid/group_ldap_auth -b dc=my-domain,dc=de -h \
server.my-domain.de -p 636 -g distinguishedName -d CN=lookup,OU=Services,\
OU=Users,DC=my-domain,DC=de -w lookup -u cn -m member -o group -S -l \

acl ldap_backoffice ldap_auth static 'CN=BackOffice,OU=Groups,dc=my-domain,dc=de'
acl ldap_management ldap_auth static 'CN=Management,OU=Groups,dc=my-domain,dc=de'
acl ldap_it-service ldap_auth static 'CN=IT-Service,OU=Groups,dc=my-domain,dc=de'
acl ldap_development ldap_auth static 'CN=DEVELOPMENT,OU=Groups,dc=my-domain,dc=de'

http_access allow ldap_development
http_access allow ldap_backoffice
http_access allow ldap_management
http_access allow ldap_it-service
http_access deny all
rohitccnpAuthor Commented:
Thanks for ur detailed note. Will this work with Windows 2003 AD.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.