Re: squid authentication / skolelinux ldap docs
Gavin McCullagh wrote:
> Hi,
> I'm not sure if others are already doing this but I need to set up squid to
> only allow authenticated users. I haven't come across a document detailing
> this for Skolelinux so I will write it when I'm done. I am at a slight
> disadvantage in that I'm planning it without a Skolelinux server nearby to
> check things on.
> As far as I can see, this really has to be done on a machine to which
> ordinary users don't have logins. We currently use a combined main and
> thin client server and for squid to work on it that machine must have
> web/ftp access. However, if it has that access, people logged in can just
> use the access directly without the proxy. So I have a separate machine
> set up but I'd like squid to use tjener for passwords. In particular, I'd
> like to authenticate users as members of groups (eg Teachers).
No - you can use iptables to check which user is accessing the web - but you
need a newer iptables than the one in woody. I have used the one from
backports.org with success. I have been able to set it up so that only squid is
allowed to access the web, and everyone else has to go through squid.
> Depending on what I consult, the answer varies a little but I think I'll be
> able to pull the bits I need together:
> - Debian doc /usr/share/doc/squid/README.auth_module.ldap_auth.gz
> - Squid WIKI <http://workaround.org/squid/wiki/LdapAuthentication>
> - LDAP tutorial <http://quark.humbug.org.au/publications/ldap/ldap_tut.html>
> Can someone point me to a doc detailing the Skolelinux LDAP naming/layout?
> I'm not too experienced with LDAP and need to construct the correct
> searchbase. I also can't see the Skolelinux LDAP config files right now so
> it's hard to tell. My guess is that I need something like this:
> authenticate_program /usr/lib/squid/squid_ldap_auth -b ou=Teachers,dc=tjener,dc=intern tjener.intern
Unless you have changed your ldap db, you only have
ou=People,dc=skole,dc=skolelinux,dc=no
But I think you also have a group
cn=teachers,ou=Group,dc=skole,dc=skolelinux,dc=no
> and
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> What is the correct dc, etc?
See above
ldapsearch -LLL -h ldap -x -b ou=group,dc=skole,dc=skolelinux,dc=no \
"cn=admins" memberUid
gives me a list of admins
--
Finn-Arne Johansen, faj@bzz.no
http://bzz,no
tlf: 37254514 / 92640070
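An added provisioning sketch (example code written for this page, not code from the thread, from Skolelinux or from the squid project) that puts the two answers above into working form: a squid.conf fragment that authenticates users against ou=People,dc=skole,dc=skolelinux,dc=no and then admits only members of a posixGroup such as cn=teachers,ou=Group,dc=skole,dc=skolelinux,dc=no (checked with the same memberUid attribute the ldapsearch in the reply uses), and the iptables rules from the first answer so that only squid's own uid may reach the web directly. It assumes squid 2.5's auth_param syntax rather than the older authenticate_program directive, the helper paths /usr/lib/squid/squid_ldap_auth and /usr/lib/squid/squid_ldap_group, an LDAP server reachable as "ldap", Debian's squid user "proxy" and an outside interface eth0; none of these are confirmed by the thread. IPTABLES defaults to echo so the rules are printed for review; set IPTABLES=/sbin/iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: squid LDAP authentication
# restricted to one group, plus an egress policy so only squid reaches the web.
# Assumptions (not stated in the thread): squid 2.5 helpers under
# /usr/lib/squid/, LDAP server answers as "ldap", Debian's squid runs as user
# "proxy", the outside interface is eth0.

set -eu

LDAP_HOST="${LDAP_HOST:-ldap}"
BASE_DN="${BASE_DN:-dc=skole,dc=skolelinux,dc=no}"
WEB_GROUP="${WEB_GROUP:-teachers}"   # cn=teachers,ou=Group,$BASE_DN

# Write the squid.conf fragment to the file named in $1. Users are verified by
# binding as uid=<name>,ou=People,... (no anonymous read of userPassword
# needed); group membership is checked by squid_ldap_group with the posixGroup
# filter (&(cn=%g)(memberUid=%u)), the same attribute the ldapsearch above
# lists for cn=admins. %s, %g, %u and %LOGIN are squid tokens, left literal.
squid_ldap_auth_conf() {
    cat > "$1" <<EOF
# --- authentication: bind as uid=%s,ou=People,$BASE_DN ---
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "ou=People,$BASE_DN" -u uid -h $LDAP_HOST
auth_param basic children 5
auth_param basic realm Skolelinux proxy
auth_param basic credentialsttl 2 hours

# --- group lookup: %LOGIN is the authenticated user (becomes %u), the word
#     after "external ldap_group" in the acl below becomes %g ---
external_acl_type ldap_group ttl=300 children=3 %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=Group,$BASE_DN" -s sub -f "(&(cn=%g)(memberUid=%u))" -h $LDAP_HOST

acl authenticated proxy_auth REQUIRED
acl webusers external ldap_group $WEB_GROUP

# Unauthenticated requests get the 407 challenge; authenticated users outside
# the group get 403. Keep these above any broader http_access allow lines.
http_access deny !authenticated
http_access allow webusers
http_access deny all
EOF
}

# Emit (or, with IPTABLES=/sbin/iptables, apply) rules so that only processes
# running as squid's uid may open outbound web/ftp connections; every other
# local user has to go through the proxy. Relies on the "owner" match, which
# is why a newer iptables than woody's is mentioned in the reply.
only_squid_reaches_web() {
    ipt="${IPTABLES:-echo}"
    iface="${OUT_IFACE:-eth0}"
    ports="80,443,21"
    "$ipt" -A OUTPUT -o "$iface" -p tcp -m multiport --dports "$ports" -m owner --uid-owner proxy -j ACCEPT
    "$ipt" -A OUTPUT -o "$iface" -p tcp -m multiport --dports "$ports" -j REJECT --reject-with tcp-reset
}
```

Before enabling the fragment, check the group filter by hand with the ldapsearch from the reply, substituting a real uid for %u and the group name for %g; if that returns the group entry, squid_ldap_group will admit that user, and if it returns nothing the user is correctly refused.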