[How To] Squid and LDAP-authentication from Active Directory
Today many people need to authenticate proxy users against accounts created in Active Directory.
For this task Squid itself must be compiled with support for basic authentication and for external ACL group lookups in LDAP:
--enable-basic-auth-helpers=LDAP --enable-external-acl-helpers=ldap_group
In this example our Active Directory server has the IP address 192.168.1.1 and the AD domain is domain.com.
To start, create a group named "net" in Active Directory; users added to this group will have access to the internet. Also create a user and add it to the "net" group.
Example: test_inet with password "123456"
To work with the directory, we also need a user account that can read the directory.
Example: squidreader with password "pass".
Now check that the directory is reachable as the squidreader user:
ldapsearch -D "[email protected]" -x -W -b "dc=domain,dc=com" -h 192.168.1.1
As a result of this command we get the contents of our Active Directory.
Now let's check that the Squid helpers themselves work. Create a file containing the password of the account we read the directory with (squidreader).
In this example it will be /usr/local/etc/squid/adpw.txt
echo pass > /usr/local/etc/squid/adpw.txt
Checking the group:
/usr/local/libexec/squid/squid_ldap_group -R -b "dc=domain,dc=com" -f "(&(sAMAccountName=%v)(memberOf=cn=%a,dc=domain,dc=com))" -D [email protected] -W /usr/local/etc/squid/adpw.txt 192.168.1.1
The helper waits for input on stdin. As a query, enter a line in the format:
username group
In this case:
test_inet net
The answer is either "OK" or "ERR". If everything is working correctly, the answer will be "OK".
Next, check the authentication:
/usr/local/libexec/squid/squid_ldap_auth -R -D [email protected] -W /usr/local/etc/squid/adpw.txt -b "dc=domain,dc=com" -f "sAMAccountName=%s" 192.168.1.1
As a query, enter a line in the format:
username password
The answers are the same as in the previous case.
Enter "test_inet 123456" and wait for the answer "OK".
Configuring Squid
Authenticator:
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -D [email protected] -W /usr/local/etc/squid/adpw.txt -b "dc=domain,dc=com" -f "sAMAccountName=%s" 192.168.1.1
External group:
external_acl_type ldap_users %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b "dc=domain,dc=com" -f "(&(sAMAccountName=%v)(memberOf=cn=%a,dc=domain,dc=com))" -D [email protected] -W /usr/local/etc/squid/adpw.txt 192.168.1.1
The %LOGIN parameter passes the authenticated user name to the external ACL helper, so before membership in this group can be tested the user must already be authenticated.
Description of the ACL:
acl ad_net external ldap_users net
And finally, grant access to the internet:
http_access allow ad_net
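To make the helper exchange above concrete, here is an added example (not code from the original post or from Squid) that models what squid_ldap_group does with each "username group" line: it fills %v and %a into the page's -f filter, with RFC 4515 escaping of the values, and answers OK or ERR. The AD lookup is replaced by a constructed in-memory directory so it runs offline.

```python
#!/usr/bin/env python3
"""Model of Squid's external ACL group-check protocol as used on this page.

Squid writes one request per line to the helper's stdin ("<%LOGIN> <acl argument>",
here "username group") and expects "OK" or "ERR" per line on stdout. The real
squid_ldap_group substitutes %v (user) and %a (group) into the -f filter and
searches AD; here the search runs against a constructed in-memory directory.
"""
import sys

# Filter template exactly as used on the page.
FILTER_TEMPLATE = "(&(sAMAccountName=%v)(memberOf=cn=%a,dc=domain,dc=com))"

# Constructed stand-in for the AD directory: sAMAccountName -> memberOf DNs.
DIRECTORY = {
    "test_inet": ["cn=net,dc=domain,dc=com"],
    "guest": ["cn=users,dc=domain,dc=com"],
}


def ldap_escape(value: str) -> str:
    """Escape filter metacharacters (RFC 4515) so a value cannot alter the query."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(user: str, group: str) -> str:
    """Substitute %v (user) and %a (group) into the template, escaping both."""
    return FILTER_TEMPLATE.replace("%v", ldap_escape(user)).replace("%a", ldap_escape(group))


def check_membership(user: str, group: str) -> bool:
    """Evaluate the filter's meaning against the constructed directory.

    DN comparison is case-insensitive, as it is in AD.
    """
    wanted = ("cn=%s,dc=domain,dc=com" % group).lower()
    return any(dn.lower() == wanted for dn in DIRECTORY.get(user, []))


def handle_request(line: str) -> str:
    """One helper round: 'username group' in, 'OK' or 'ERR' out."""
    parts = line.strip().split()
    if len(parts) != 2:
        return "ERR"
    user, group = parts
    return "OK" if check_membership(user, group) else "ERR"


if __name__ == "__main__":
    for request in sys.stdin:  # same stdin/stdout loop the real helper uses
        print(handle_request(request), flush=True)
```

Note that the -W file used by the real helpers holds the bind account's password in clear text, so it should be readable only by the user Squid runs as.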
Thanks a lot. This worked great for me.
Tried with AD 2008 and failed, any help?
Hi, I'm using Debian 6.0.6; when I run the below command:
/usr/lib/squid3/squid_ldap_group -R -K -b "dc=mayapadahospital,dc=net" -D [email protected] -w "squidpass" -f "(&(sAMAccountName=%v)(memberof=cn=%a,dc=mayapadahospital,dc=net))" -h 10.2.1.29
no results, ERR or OK, just silence. Can anyone help me?
Hi,
Great post!!
Question: where do you find the %v and %a when you check the group?