[How To] Squid and LDAP-authentication from Active Directory

[How To] Squid and LDAP-authentication from Active Directory

Posted by on Jan 17, 2012 in Manuals, HOWTOs, Security | 2 comments


Today many people need to authenticate users to the proxy using accounts created in Active Directory.

Apply here payday loans

For doing this task squid itself must be compiled with support for basic authentication and external groups in LDAP Keys.

--enable-basic-auth-helpers=LDAP --enable-external-acl-helpers=ldap_group

In this example our Active Directory have 192.168.1.1 IP address and our domain in Active Directory is domain.com.

To start let’s create a group named “net” in Active Directory, users added in this group will have access to the internet. Also let’s create any user and add to group “net”

Example: test_inet with password “123456

To work with the directory, we need a user to read out the passwords.
Example: squidreader with password “pass“.

Now check the availability of the catalog with squidreader user

ldapsearch -D "squidreader@domain.com" -x -W -b "dc=domain,dc=com" -h 192.168.1.1

As a result of this command we will get the content of our Active Directory.
Now let’s check the work of the work components squid. Create a file with a password of the account, which we read (squidreader).
Example it will be /usr/local/etc/squid/adpw.txt

echo pass > /usr/local/etc/squid/adpw.txt

Checking the group:

/usr/local/libexec/squid/squid_ldap_group -R -b "dc=domain,dc=com" -f "(&(sAMAccountName=%v)(memberOf=cn=%a,dc=domain,dc=com))" -D squidreader@domain.com -W /usr/local/etc/squid/adpw.txt 192.168.1.1

As a query enter a string in the format:
username group
In this case:
test_inet net

The answer is either “OK” or “ERR”. If we have everything working correctly, the answer would be “OK”.

Next check the authentication:

/usr/local/libexec/squid/squid_ldap_auth -R -D squidreader@domain.com -W /usr/local/etc/squid/adpw.txt -b "dc=domain,dc=com" -f "sAMAccountName=%s" 192.168.1.1

As a query enter a string in the format:

username password

The answers are the same as in past cases.
Enter the test_inet 123456” and waiting for an answer “OK”.

Configuring the squid

Authenticator:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -D squidreader@domain.com -W /usr/local/etc/squid/adpw.txt -b "dc=domain,dc=com" -f "sAMAccountName=%s" 192.168.1.1

External group:

external_acl_type ldap_users %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=domain,dc=com" -f "(&(cn=%v)(memberOf=cn=%a,dc=domain,dc=com ))" -D squidreader@domain.com -W /usr/local/etc/squid/adpw.txt 192.168.1.1

The parameter %LOGIN is describeing the outer group, before testing for entry into this group, the user must be authenticated.

Description of the ACL:

acl ad_net external ldap_users net

Well, and finally giving access to the internet:

http_access allow ad_net

[Related posts]

[Manual] Creating Transparent Proxy With squid and IPTables
For creating transparent proxy we need edit squid.conf and add iptables rules. Edit /etc/squid.conf file with your favorite editor, example vi vi /etc/squid.conf Add or...
Internet gateway on FreeBSD
Building a gateway to the global network on FreeBSD – this is one of the most frequent cases using this system. The main pluses of...
File Server With Samba and FTP in FreeBSD
This manual describes how to create file server, where users from can access their files with samba client and FTP server, (from windows too). In...
Apache Authentication
Creating Password Create htpasswd file for current (pwd) path htpasswd -mc .htpasswd yourusername Insert new password Create .htaccess file for current path touch .htaccess mcedit...

2 Responsesto “[How To] Squid and LDAP-authentication from Active Directory”

  1. Naishal Shah says:
    October 12, 2012 at 12:58 pm

    Thanks a lot. This worked great for me.

    Reply
  2. Sandeep Chowdhury says:
    April 6, 2013 at 3:36 pm

    Tried with AD 2008 and failed any help ?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>