[How To] Squid and LDAP-authentication from Active Directory

Today many people need to authenticate users to the proxy using accounts created in Active Directory.

To do this, Squid itself must be compiled with support for the LDAP basic-authentication helper and the LDAP group external ACL helper, i.e. with these configure options:

--enable-basic-auth-helpers=LDAP --enable-external-acl-helpers=ldap_group

In this example our Active Directory controller has the IP address 192.168.1.1 and the Active Directory domain is domain.com.

To start, let's create a group named "net" in Active Directory; users added to this group will have access to the internet. Also let's create a user and add it to the group "net".

Example: test_inet with password "123456".

To work with the directory we need a service account that Squid can use to bind to it and look up users.
Example: squidreader with password "pass".

Now check that the directory is reachable using the squidreader account:

ldapsearch -D "squidreader@domain.com" -x -W -b "dc=domain,dc=com" -h 192.168.1.1

This command should return the contents of our Active Directory.
Now let's check that the Squid helper components work. Create a file containing the password of the account we bind with (squidreader).
In this example it will be /usr/local/etc/squid/adpw.txt:

echo pass > /usr/local/etc/squid/adpw.txt

Check the group helper:

/usr/local/libexec/squid/squid_ldap_group -R -b "dc=domain,dc=com" -f "(&(sAMAccountName=%v)(memberOf=cn=%a,dc=domain,dc=com))" -D squidreader@domain.com -W /usr/local/etc/squid/adpw.txt 192.168.1.1

Then type a query line in the format:
username group
In this case:
test_inet net

The answer is either "OK" or "ERR". If everything is working correctly, the answer will be "OK".

Next, check the authentication helper:

/usr/local/libexec/squid/squid_ldap_auth -R -D squidreader@domain.com -W /usr/local/etc/squid/adpw.txt -b "dc=domain,dc=com" -f "sAMAccountName=%s" 192.168.1.1

Then type a query line in the format:

username password

The answers are the same as in the previous case.
Enter "test_inet 123456" and expect the answer "OK".
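The manual helper tests above can be scripted so that they are repeatable after every AD or squid.conf change. The following script is an added example, not code from the original post: the functions pwfile_is_private and helper_reply are my own names, the defaults are the paths, addresses, DNs and test account used in the post, and the test password is read from the environment. helper_reply feeds the helper exactly one query line on stdin, the way Squid does, and reports OK, ERR or TIMEOUT, so a helper that answers nothing (the "just silence" situation in the third comment below) is reported instead of blocking the terminal; the password-file check flags a bind password that other local users could read.

```shell
#!/bin/sh
# Added example (not part of the original post): drive the Squid LDAP helpers the
# way Squid does, i.e. one "user group" / "user password" line on stdin, and
# report OK, ERR or TIMEOUT instead of waiting forever on a silent helper.
# Defaults are the values used in the post; override them via the environment.
SQUID_AUTH=${SQUID_AUTH:-/usr/local/libexec/squid/squid_ldap_auth}
SQUID_GROUP=${SQUID_GROUP:-/usr/local/libexec/squid/squid_ldap_group}
PWFILE=${PWFILE:-/usr/local/etc/squid/adpw.txt}
AD_HOST=${AD_HOST:-192.168.1.1}
BASE_DN=${BASE_DN:-dc=domain,dc=com}
BIND_DN=${BIND_DN:-squidreader@domain.com}
TEST_USER=${TEST_USER:-test_inet}
TEST_GROUP=${TEST_GROUP:-net}
TEST_PASS=${TEST_PASS:-123456}      # test account from the post; constructed value

# The bind password file must not be readable by other users.
# Returns 0 when the "other" permission bits are ---, 1 otherwise.
pwfile_is_private() {
    [ -f "$1" ] || return 1
    other=$(ls -l "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# helper_reply SECONDS "query line" helper [helper args...]
# Feeds the query line to the helper on stdin and prints the first word of its
# reply (OK / ERR), or TIMEOUT if nothing came back within SECONDS.
helper_reply() {
    secs=$1; query=$2; shift 2
    tmp=$(mktemp -t squidchk.XXXXXX) || return 3
    printf '%s\n' "$query" >"$tmp"
    "$@" <"$tmp" >"$tmp.out" 2>/dev/null &
    pid=$!
    # Watchdog: leave a marker and kill the helper if it still runs after $secs.
    ( sleep "$secs"; : >"$tmp.timeout"; kill "$pid" 2>/dev/null ) >/dev/null 2>&1 &
    watchdog=$!
    wait "$pid" 2>/dev/null || true
    kill "$watchdog" 2>/dev/null || true
    wait "$watchdog" 2>/dev/null || true
    word=
    read -r word _ <"$tmp.out" || true
    if [ -e "$tmp.timeout" ]; then word=TIMEOUT; fi
    rm -f "$tmp" "$tmp.out" "$tmp.timeout"
    case "$word" in
        OK)      echo OK;      return 0 ;;
        ERR)     echo ERR;     return 1 ;;
        TIMEOUT) echo TIMEOUT; return 2 ;;
        *)       echo "UNKNOWN:$word"; return 3 ;;
    esac
}

# Live checks against the real helpers, using the same arguments as the post.
main() {
    if pwfile_is_private "$PWFILE"; then
        echo "password file $PWFILE: ok (not readable by others)"
    else
        echo "WARNING: $PWFILE is missing or readable by others; chmod 600 it"
    fi
    echo "group check ($TEST_USER $TEST_GROUP): $(helper_reply 10 "$TEST_USER $TEST_GROUP" \
        "$SQUID_GROUP" -R -b "$BASE_DN" \
        -f "(&(sAMAccountName=%v)(memberOf=cn=%a,$BASE_DN))" \
        -D "$BIND_DN" -W "$PWFILE" "$AD_HOST")"
    echo "auth check ($TEST_USER): $(helper_reply 10 "$TEST_USER $TEST_PASS" \
        "$SQUID_AUTH" -R -D "$BIND_DN" -W "$PWFILE" -b "$BASE_DN" \
        -f "sAMAccountName=%s" "$AD_HOST")"
}

# Run the live checks only when invoked as:  sh check_helpers.sh run
if [ "${1:-}" = run ]; then main; fi
```

Note that "ERR" from the group helper also appears when the bind with squidreader fails, so the ldapsearch step above remains the first thing to repeat when a check unexpectedly fails.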

Configuring Squid

Authenticator:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -D squidreader@domain.com -W /usr/local/etc/squid/adpw.txt -b "dc=domain,dc=com" -f "sAMAccountName=%s" 192.168.1.1

External group:

external_acl_type ldap_users %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=domain,dc=com" -f "(&(sAMAccountName=%v)(memberOf=cn=%a,dc=domain,dc=com))" -D squidreader@domain.com -W /usr/local/etc/squid/adpw.txt 192.168.1.1

The %LOGIN parameter passes the authenticated login name to the external helper, so the user must authenticate before group membership can be tested. The filter compares that login name with sAMAccountName, the attribute the user authenticated with, i.e. the same filter as in the manual group check above.

Description of the ACL:

acl ad_net external ldap_users net

And finally, grant internet access to members of the group:

http_access allow ad_net
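Putting the directives together: the script below is an added example, not the post's own configuration. render_squid_conf emits the two helper lines from the post for a given AD host, base DN, bind account and password file, together with the standard realm, helper-count and result-caching directives and an explicit closing "http_access deny all". http_access_decision models Squid's documented http_access evaluation (top-down, the first line whose ACLs all match wins, a leading "!" negates, and when no line matches the result is the opposite of the last line's action), so the rule order can be checked offline before the configuration is loaded. Both function names are my own; the ACL names passed to http_access_decision are constructed input.

```shell
#!/bin/sh
# Added example (not from the original post): render the squid.conf fragment and
# check the http_access rule order the way Squid evaluates it.

# render_squid_conf AD_HOST BASE_DN BIND_DN PWFILE
# Prints the post's configuration plus standard realm, helper and caching settings.
render_squid_conf() {
    ad_host=$1; base_dn=$2; bind_dn=$3; pwfile=$4
    cat <<EOF
# Basic authentication against Active Directory (login name = sAMAccountName)
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -D $bind_dn -W $pwfile -b "$base_dn" -f "sAMAccountName=%s" $ad_host
auth_param basic children 5
auth_param basic realm Proxy (Active Directory account)
auth_param basic credentialsttl 5 minutes

# Group lookup; ttl/negative_ttl cache answers so the helper is not asked on every request
external_acl_type ldap_users ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "$base_dn" -f "(&(sAMAccountName=%v)(memberOf=cn=%a,$base_dn))" -D $bind_dn -W $pwfile $ad_host

acl ad_net external ldap_users net
# %LOGIN makes Squid challenge for credentials before ad_net is evaluated.
http_access allow ad_net
# Everything else is refused (the "all" ACL is built in from Squid 3.2 on;
# older releases need "acl all src all").
http_access deny all
EOF
}

# http_access_decision "acl1 acl2 ..."   (rules are read from stdin)
# $1 names the ACLs that match the request; "all" always matches.
# Prints allow or deny following Squid's first-match semantics.
http_access_decision() {
    matched=" $1 "
    last=""
    while read -r kw action acls; do
        [ "$kw" = http_access ] || continue
        last=$action
        hit=1
        for a in $acls; do
            name=${a#!}
            case "$matched" in
                *" $name "*) m=1 ;;
                *)           m=0 ;;
            esac
            if [ "$name" = all ]; then m=1; fi
            if [ "$a" != "$name" ]; then m=$((1 - m)); fi   # leading ! negates
            if [ "$m" != 1 ]; then hit=0; break; fi
        done
        if [ "$hit" = 1 ]; then echo "$action"; return 0; fi
    done
    # No line matched: Squid uses the opposite of the last line's action,
    # and denies when there are no http_access lines at all.
    case "$last" in
        allow) echo deny ;;
        deny)  echo allow ;;
        *)     echo deny ;;
    esac
}

# Example run: render the post's configuration and evaluate two requests.
if [ "${1:-}" = show ]; then
    conf=$(render_squid_conf 192.168.1.1 dc=domain,dc=com squidreader@domain.com /usr/local/etc/squid/adpw.txt)
    printf '%s\n' "$conf"
    echo "member of net      -> $(printf '%s\n' "$conf" | http_access_decision 'ad_net')"
    echo "authenticated, not -> $(printf '%s\n' "$conf" | http_access_decision '')"
fi
```

The evaluator is only a model of the documented rule semantics, not Squid's code; it is useful for catching an "allow" line placed after "deny all", which Squid would never reach.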

3 Responses to "[How To] Squid and LDAP-authentication from Active Directory"

  1. Naishal Shah says:

    Thanks a lot. This worked great for me.

  2. Sandeep Chowdhury says:

    Tried with AD 2008 and failed, any help?

  3. Ade says:

    Hi, I'm using Debian 6.0.6; when I run the below command:
    /usr/lib/squid3/squid_ldap_group -R -K -b "dc=mayapadahospital,dc=net" -D squid@mayapadahospital.net -w "squidpass" -f "(&(sAMAccountName=%v)(memberof=cn=%a,dc=mayapadahospital,dc=net))" -h 10.2.1.29

    I get no result, neither ERR nor OK, just silence. Can anyone help me?
