
LDAP authentication for Squid on CentOS 6.0

Hi,

I'm hoping somebody can help me with this.
We currently have a production squid proxy configured on an old Ubuntu server.

I'm replacing this with an up to date squid release on a CentOS 6.0 server.
I've built a minimal CentOS 6.0 and installed squid from source and also successfully migrated our current squid configuration over to this new box.

Now I want to take this a bit further. I want to authenticate users against the squid server so that I can get some user level reports from the squid logs using SARG or an equivalent.

I want this to be seamless for the end user though so I need to authenticate using LDAP against our Active Directory tree. I don't want the user to be given any prompt when they open a browser.

Has anybody done something similar before?
Do I need to configure LDAP access on the CentOS server or can I simply configure squid to query the LDAP tree for the user details?

If anybody can explain the procedure I'd be grateful.

Kind regards,
Rory
Garry Glendown (Consulting and Network/Security Specialist) commented:
Assuming you already have an LDAP/ADS working with user information, all you need to do is add authentication via the "squid_ldap_auth" program, which comes with the squid packages. In the config, add something like this:

auth_param basic program /var/squid/libexec/squid_ldap_auth -R -b "ou=users,dc=mydomain,dc=com" -f "sAMAccountName=%s" -D LDAPLOGINNAME -W /etc/ads.pw -h 192.168.4.21


Define an acl to enforce login:
acl ldapauth proxy_auth REQUIRED


and use it wherever you want login to be required:
http_access allow somedest ldapauth

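To show what the "auth_param basic program" helper above actually does on the wire, here is an added example (not code from the Squid project or from this thread): a minimal Python helper that speaks Squid's basic-auth helper protocol and builds the same "sAMAccountName=%s" filter that the -f option passes to squid_ldap_auth, escaping the username per RFC 4515 before substitution. The in-memory FAKE_DIRECTORY and the rfc1738 decoding of the two fields are assumptions standing in for the real LDAP search and bind.

```python
import sys
from urllib.parse import unquote

FILTER_TEMPLATE = "sAMAccountName=%s"   # the -f value from the auth_param line above

# Constructed stand-in for the directory (sAMAccountName -> password); a real
# helper would LDAP-search with the filter and then bind as the matched DN.
FAKE_DIRECTORY = {"rory": "s3cret", "alice": "pa ss"}


def escape_filter_value(value):
    """Escape RFC 4515 metacharacters so a username cannot rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(username):
    """Substitute %s as squid_ldap_auth -f does and wrap the result in parentheses."""
    return "(" + FILTER_TEMPLATE.replace("%s", escape_filter_value(username)) + ")"


def check_credentials(username, password):
    """Stand-in for the LDAP search-then-bind; empty fields are always rejected."""
    if not username or not password:
        return False
    return FAKE_DIRECTORY.get(username) == password


def handle_request(line):
    """Answer one 'user password' line with OK or ERR. Assumes Squid 3.x,
    which rfc1738-encodes both fields, so %20 inside the password is a space."""
    fields = line.rstrip("\r\n").split(" ", 1)
    if len(fields) != 2:
        return "ERR"
    user, password = (unquote(f) for f in fields)
    return "OK" if check_credentials(user, password) else "ERR"


def main():
    # Squid blocks on each reply from the helper, so flush after every line.
    for line in sys.stdin:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because this is Basic authentication, the credentials travel from browser to proxy only base64-encoded, so the helper sees the cleartext password and anything on that network path can too.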
 
Red-King (Author) commented:
"Assuming you already have an LDAP/ADS working with user information"

Could you clarify what you mean above?
I have an AD domain with quite detailed user information included.
I don't have CentOS authenticating against this at the moment.
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
The squid auth plugin is able to do the LDAP/ADS queries itself without any further changes to the underlying Linux system ... if you can do things like "ldapsearch" against your ADS, the squid auth will work fine ...
 
pritamdutt commented:
Hi,

What you are requesting will work for an NTLM-capable browser such as IE, but will not work for others.
Also, note that you will need to use the ntlm_auth helper to achieve transparent internet access for domain users.

Detailed steps on configuring SQUID with Windows Active Directory authentication, with an example, are provided at the link below.

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory


Hope this helps!

Regards,
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
(sorry, overlooked the "transparent" part - yes, this will only work on IE)
 
Red-King (Author) commented:
Thanks guys, I'm OK with the IE restriction. I have application downloads blocked, with only IE available on the machines, and users don't have admin rights.

So, will the squid_ldap_auth method authenticate transparently through IE, or only the winbind/ntlm_auth method? The squid_ldap_auth method seems much simpler, as I wouldn't need to do the Kerberos configuration.
 
pritamdutt commented:
Another interesting fact I would like to share: Active Directory authentication would not work if SQUID is configured in transparent mode.
Hope this has been taken care of!


Regards,
 
Red-King (Author) commented:
I'm not using any of the httpd_accel options so I understand this is not transparent mode.
I am directing users to the squid proxy using wpad.dat but I didn't think this would be an issue?
 
Red-King (Author) commented:
My squid.conf, excluding the acls, icp_access and http_access:
http_port               3128

access_log              /var/log/squid/access.log
cache_log               /var/log/squid/debug.log

cache_dir               ufs     /usr/local/squid/var/cache      1000    64      256

coredump_dir            /usr/local/squid/var/cache

cache_mgr               support@mydom.com

ftp_user                user@mydom.com

cache_effective_user    squid
cache_effective_group   squid

hierarchy_stoplist cgi-bin ?


hosts_file      /etc/hosts


refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Package(.gz)*)$        0       20%     2880
refresh_pattern .               0       20%     4320

 
pritamdutt commented:
In case you are using wpad.dat, it would work without any problems.

Regards,
 
pritamdutt commented:
I would like to share that though the LDAP_AUTH setup may sound easy, it is SQUID Basic authentication, which in my understanding would prompt the user for a username and password.

Only NTLM Authentication will prevent the username/password from popping up.

Also it is interesting to note that Firefox supports integrated NTLM authentication. Read more here: https://developer.mozilla.org/en/Integrated_Authentication


Hope this helps!

Regards,
 
Red-King (Author) commented:
Thanks for the extra info.

I'm going to try to configure this today and tomorrow before closing this question.
 
Red-King (Author) commented:
Well, I finally got squid authenticating the users. I had a problem with the smb.conf file which took a while to solve when I was finally able to put the time to it.

The "net join ads" command wouldn't work for me. It was repeatedly giving me errors.

I eventually used authconfig to get it working. I built up a command with all the options I wanted and put it into a shell script:

#!/bin/bash

authconfig --enableldap --enableldapauth --ldapserver=mydc.mydomain.local --ldapbasedn=DC=efc,DC=local --enablekrb5 --enablekrb5kdcdns --krb5realm=MYDOMAIN.LOCAL --krb5adminserver=mydc.mydomain.local --enablewinbind --enablewinbindauth --smbsecurity=ads --enablesmbauth --smbworkgroup=MYDOMAIN --smbrealm=MYDOMAIN.LOCAL --smbidmapuid=10000-20000 --smbidmapgid=10000-20000 --enablepreferdns --disablecache --enablelocauthorize --updateall


Once I'd gotten the configuration right and joined to the domain the configuration for squid authentication worked right away.

Thanks for the help.