[How To] Squid and LDAP-authentication from Active Directory

| January 17, 2012 | How To | 4 Comments

Today many people need to authenticate users to the proxy using accounts created in Active Directory.

For doing this task squid itself must be compiled with support for basic authentication and external groups in LDAP Keys.

--enable-basic-auth-helpers=LDAP --enable-external-acl-helpers=ldap_group

In this example our Active Directory have 192.168.1.1 IP address and our domain in Active Directory is domain.com.

To start let’s create a group named “net” in Active Directory, users added in this group will have access to the internet. Also let’s create any user and add to group “net”

Example: test_inet with password “123456

To work with the directory, we need a user to read out the passwords.
Example: squidreader with password “pass“.

Now check the availability of the catalog with squidreader user

ldapsearch -D "[email protected]" -x -W -b "dc=domain,dc=com" -h 192.168.1.1

As a result of this command we will get the content of our Active Directory.
Now let’s check the work of the work components squid. Create a file with a password of the account, which we read (squidreader).
Example it will be /usr/local/etc/squid/adpw.txt

echo pass > /usr/local/etc/squid/adpw.txt

Checking the group:

/usr/local/libexec/squid/squid_ldap_group -R -b "dc=domain,dc=com" -f "(&(sAMAccountName=%v)(memberOf=cn=%a,dc=domain,dc=com))" -D [email protected] -W /usr/local/etc/squid/adpw.txt 192.168.1.1

As a query enter a string in the format:
username group
In this case:
test_inet net

The answer is either “OK” or “ERR”. If we have everything working correctly, the answer would be “OK”.

Next check the authentication:

/usr/local/libexec/squid/squid_ldap_auth -R -D [email protected] -W /usr/local/etc/squid/adpw.txt -b "dc=domain,dc=com" -f "sAMAccountName=%s" 192.168.1.1

As a query enter a string in the format:

username password

The answers are the same as in past cases.
Enter the test_inet 123456” and waiting for an answer “OK”.

Configuring the squid

Authenticator:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -D [email protected] -W /usr/local/etc/squid/adpw.txt -b "dc=domain,dc=com" -f "sAMAccountName=%s" 192.168.1.1

External group:

external_acl_type ldap_users %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=domain,dc=com" -f "(&(cn=%v)(memberOf=cn=%a,dc=domain,dc=com ))" -D [email protected] -W /usr/local/etc/squid/adpw.txt 192.168.1.1

The parameter %LOGIN is describeing the outer group, before testing for entry into this group, the user must be authenticated.

Description of the ACL:

acl ad_net external ldap_users net

Well, and finally giving access to the internet:

http_access allow ad_net
Tags:, , ,

Related Posts

About The Author

lc-root

4 Comments
  1. Naishal Shah Reply

    Thanks a lot. This worked great for me.

  2. Sandeep Chowdhury Reply

    Tried with AD 2008 and failed any help ?

  3. Ade Reply

    Hi i’m using Debian 6.0.6, when i run the below command:
    /usr/lib/squid3/squid_ldap_group -R -K -b “dc=mayapadahospital,dc=net” -D [email protected] -w “squidpass” -f “(&(sAMAccountName=%v)(memberof=cn=%a,dc=mayapadahospital,dc=net))” -h 10.2.1.29

    no results ERR or OK, just silence, any help me?

  4. hackensolo Reply

    Hi,
    great post !!
    Question: where do you find the %v and %a ? when you checking group ?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.