Solved

Squid on Fedora 10 needs to authenticate using Windows 2003 AD Users

Posted on 2009-07-11
2
880 Views
Last Modified: 2012-05-07
System for Internet = Fedora 10
Proxy Server on Fedora = Squid version 3
Users authentication = Windows 2003 AD

In nutshell, we want a solution to have our Windows 2003 AD users authenticate using their existing user id and password for Internet surfing using Squid Proxy running on Fedora 10.
0
Comment
Question by:rohitccnp
2 Comments
 
LVL 6

Accepted Solution

by:
remeshk earned 500 total points
ID: 24834712
Hi,

Please find the below comments.


Configure squid for LDAP authentication using squid_ldap_auth helper

My last post was about Squid proxy authentication using ncsa_auth helper. This time I will show you how to configure squid for LDAP authentication.

The Lightweight Directory Access Protocol, (LDAP) is a networking protocol for querying and modifying directory services running over TCP/IP.

LDAP server (such as OpenLDAP or others) uses the Lightweight Directory Access Protocol. In order to use Squid LDAP authentication you need to tell which program to use with the auth_param option in squid.conf. You specify the name of the program, plus command line options.

Squid comes with squid_ldap_auth helper. This helper allows Squid to connect to a LDAP directory to validate the user name and password of Basic HTTP authentication. This helper is located at /usr/local/squid/libexec/ or /usr/lib/squid or /usr/lib64/squid/ directory.
Step # 1: Make sure squid can talk to LDAP server

Before configuring makes sure that the squid is working with LDAP auth. Type the following command:
# /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s" ldap.nixcraft.com

Once you hit enter key you need to provide UID and password using following format:
USERID blankspace PASSWORD

If it was able to connect to LDAP server you will see "ok".
Step # 2: Configuration

Open your squid.conf file:
# vi /etc/squid/squid.conf

Next you need to add following code which specifies the base DN under where your users are located and the LDAP server name.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s" -h ldap.nixcraft.com
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
http_access deny all

Save and close the file. Restart Squid to take effect.
# /etc/init.d/squid restart
Zimbra LDAP With Squid

You need to use it as follows
/usr/lib/squid/squid_ldap_auth -v 3 -b dc=zimbra,dc=example,dc=com -f "(&(uid=%s)(objectClass=zimbraAccount))" -h zimbra.example.com
Squid authentication against Microsoft's Active Directory

I have not used group_ldap_auth helper against Microsoft's Active Directory. But someone (user) pointed out the following solution. Add following configuration directive to squid.conf:

ldap_auth_program /usr/lib/squid/group_ldap_auth -b dc=my-domain,dc=de -h \
server.my-domain.de -p 636 -g distinguishedName -d CN=lookup,OU=Services,\
OU=Users,DC=my-domain,DC=de -w lookup -u cn -m member -o group -S -l \
/var/log/squid/ldaplog

acl ldap_backoffice ldap_auth static 'CN=BackOffice,OU=Groups,dc=my-domain,dc=de'
acl ldap_management ldap_auth static 'CN=Management,OU=Groups,dc=my-domain,dc=de'
acl ldap_it-service ldap_auth static 'CN=IT-Service,OU=Groups,dc=my-domain,dc=de'
acl ldap_development ldap_auth static 'CN=DEVELOPMENT,OU=Groups,dc=my-domain,dc=de'

http_access allow ldap_development
http_access allow ldap_backoffice
http_access allow ldap_management
http_access allow ldap_it-service
http_access deny all
0
 
LVL 2

Author Comment

by:rohitccnp
ID: 24847413
Thanks for ur detailed note. Will this work with Windows 2003 AD.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now