LDAP authentication for Squid on CentOS 6.0

Hi,

I'm hoping somebody can help me with this.
We currently have a production squid proxy configured on an old Ubuntu server.

I'm replacing this with an up to date squid release on a CentOS 6.0 server.
I've built a minimal CentOS 6.0 and installed squid from source and also successfully migrated our current squid configuration over to this new box.

Now I want to take this a bit further. I want to authenticate users against the squid server so that I can get some user level reports from the squid logs using SARG or an equivalent.

I want this to be seamless for the end user though so I need to authenticate using LDAP against our Active Directory tree. I don't want the user to be given any prompt when they open a browser.

Has anybody done something similar before?
Do I need to configure LDAP access on the CentOS server or can I simply configure squid to query the LDAP tree for the user details?

If anybody can explain the procedure I'd be grateful.

Kind regards,
Rory
SOLUTION
Garry Glendown
ASKER

Assuming you already have an LDAP/ADS working with user information

Could you clarify what you mean above?
I have an AD domain with quite detailed user information included.
I don't have CentOS authenticating against this at the moment.
The squid auth plugin is able to do the LDAP/ADS queries itself without any further changes to the underlying Linux system ... if you can do things like "ldapsearch" against your ADS, the squid auth will work fine ...
ASKER CERTIFIED SOLUTION
(sorry, overlooked the "transparent" part - yes, this will only work on IE)
Thanks guys, I'm ok about the IE restriction. I have application downloads blocked with only IE available on the machines and users don't have admin rights.

So, will the squid_ldap_auth method authenticate transparently through IE or only the winbind/ntlm_auth method? The squid_ldap_auth seems much simpler as I wouldn't need to do the kerberos configuration.
Another interesting fact I would like to share: Active Directory authentication would not work if SQUID is configured in transparent mode.
Hope this has been taken care of!


Regards,
I'm not using any of the httpd_accel options so I understand this is not transparent mode.
I am directing users to the squid proxy using wpad.dat but I didn't think this would be an issue?
My squid.conf, excluding the acls, icp_access and http_access.
http_port               3128

access_log              /var/log/squid/access.log
cache_log               /var/log/squid/debug.log

cache_dir               ufs     /usr/local/squid/var/cache      1000    64      256

coredump_dir            /usr/local/squid/var/cache

cache_mgr               support@mydom.com

ftp_user                user@mydom.com

cache_effective_user    squid
cache_effective_group   squid

hierarchy_stoplist cgi-bin ?


hosts_file      /etc/hosts


refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Package(.gz)*)$        0       20%     2880
refresh_pattern .               0       20%     4320


In case you are using wpad.dat, it would work without any problems.

Regards,
I would like to share that though the LDAP_AUTH setup may sound easy, it is SQUID Basic authentication, which in my understanding would cause the user to be prompted for a username and password.

Only NTLM Authentication will prevent the username/password from popping up.

Also it is interesting to note that Firefox supports Integrated NTLM authentication. Read to learn more: https://developer.mozilla.org/en/Integrated_Authentication


Hope this helps!

Regards,
Thanks for the extra info.

I'm going to try to configure this today and tomorrow before closing this question.
Well, I finally got squid authenticating the users. I had a problem with the smb.conf file which took a while to solve when I was finally able to put the time to it.

The "net join ads" command wouldn't work for me. It was repeatedly giving me errors.

I eventually used authconfig to get it working. I built up a command with all the options I wanted and put it into a shell script.

#!/bin/bash
# Configure LDAP, Kerberos and winbind against AD in one go; --updateall
# writes the resulting nsswitch.conf, PAM, krb5.conf and smb.conf settings.
authconfig --enableldap --enableldapauth \
    --ldapserver=mydc.mydomain.local --ldapbasedn=DC=efc,DC=local \
    --enablekrb5 --enablekrb5kdcdns --krb5realm=MYDOMAIN.LOCAL \
    --krb5adminserver=mydc.mydomain.local \
    --enablewinbind --enablewinbindauth --smbsecurity=ads --enablesmbauth \
    --smbworkgroup=MYDOMAIN --smbrealm=MYDOMAIN.LOCAL \
    --smbidmapuid=10000-20000 --smbidmapgid=10000-20000 \
    --enablepreferdns --disablecache --enablelocauthorize --updateall

Once I'd gotten the configuration right and joined to the domain the configuration for squid authentication worked right away.

Thanks for the help.
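The squid.conf side of the winbind/ntlm_auth setup the asker ended up with, together with the Basic-over-LDAP fallback discussed earlier in the thread, as an added example that is not from any poster here. Helper paths, the bind account DN and the base DN are assumptions for a source build under /usr/local/squid; adjust them to your own domain.

```squid
# Added example (not from this thread): authentication fragment for squid.conf.
# Scheme order matters: the first auth_param scheme listed is the one browsers
# try first, so NTLM goes before Basic to keep the login seamless.

# 1. Integrated (no-prompt) auth via winbindd.  The box must already be joined
#    to the domain ("wbinfo -t" should succeed), and the cache_effective_user
#    needs read access to winbindd's privileged pipe: on CentOS that means
#    "usermod -a -G wbpriv squid".
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# 2. Fallback: Basic auth checked against AD over LDAP.  This WILL prompt in
#    the browser, and the user's password crosses the LAN in cleartext, so keep
#    it behind the NTLM scheme.  Bind with a least-privilege, read-only service
#    account (assumed name below) and keep squid.conf readable only by root
#    and the squid user, since the bind password sits in it.  -R stops the
#    helper chasing AD referrals, which otherwise stall lookups.
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth \
    -R -b "DC=mydomain,DC=local" \
    -D "CN=squid-ro,OU=Service Accounts,DC=mydomain,DC=local" \
    -w "BIND-PASSWORD-PLACEHOLDER" \
    -f "(&(objectClass=user)(sAMAccountName=%s))" \
    -h mydc.mydomain.local
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# 3. Require a login for every request so access.log carries the username
#    that SARG reports on.  Put these lines before the allow rules for your
#    LAN ACLs, otherwise an earlier "allow localnet" skips authentication.
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow authenticated
http_access deny all
```

With "acl authenticated proxy_auth REQUIRED" in place, a client that reaches the proxy without credentials gets a 407, which on a wpad-configured IE or Firefox with integrated auth enabled is answered silently with the logged-on user's NTLM token.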