
Re: squid authentication / skolelinux ldap docs



Gavin McCullagh wrote:
> Hi,
>
> I'm not sure if others are already doing this but I need to set up squid to
> only allow authenticated users.  I haven't come across a document detailing
> this for Skolelinux so I will write it when I'm done.  I am at a slight
> disadvantage in that I'm planning it without a Skolelinux server nearby to
> check things on.
>
> As far as I can see, this really has to be done on a machine to which
> ordinary users don't have logins.  We currently use a combined main and
> thin client server and for squid to work on it that machine must have
> web/ftp access.  However, if it has that access, people logged in can just
> use the access directly without the proxy.  So I have a separate machine
> set up but I'd like squid to use tjener for passwords.  In particular, I'd
> like to authenticate users as members of groups (eg Teachers).

No - you can use iptables to check for users accessing the web - but you need a newer iptables than the one in woody. I have used the one from backports.org with success. I have been able to set it up so that only squid is allowed to access the web, and everyone else has to go through squid.

> Depending on what I consult, the answer varies a little but I think I'll be
> able to pull the bits I need together:
>
>  - Debian doc /usr/share/doc/squid/README.auth_module.ldap_auth.gz
>  - Squid WIKI <http://workaround.org/squid/wiki/LdapAuthentication>
>  - LDAP tutorial <http://quark.humbug.org.au/publications/ldap/ldap_tut.html>
>
> Can someone point me to a doc detailing the Skolelinux LDAP naming/layout?
> I'm not too experienced with LDAP and need to construct the correct
> searchbase.  I also can't see the Skolelinux LDAP config files right now so
> it's hard to tell.  My guess is that I need something like this:
>
> authenticate_program /usr/lib/squid/squid_ldap_auth -b ou=Teachers,dc=tjener,dc=intern tjener.intern

Unless you have changed your ldap db, you only have
 ou=People,dc=skole,dc=skolelinux,dc=no

But I think you also have a group
 cn=teachers,ou=Group,dc=skole,dc=skolelinux,dc=no

> and
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> What is the correct dc, etc?

See above

ldapsearch -LLL -h ldap -x -b ou=group,dc=skole,dc=skolelinux,dc=no \
           "cn=admins" memberUid

gives me a list of admins

--
Finn-Arne Johansen, faj@bzz.no
http://bzz.no
tlf: 37254514 / 92640070
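The ldapsearch above returns the group's memberUid values as LDIF, and a group-restricted proxy policy ultimately comes down to "is this uid listed under cn=teachers?". The following is an added example, not code from the thread or from Skolelinux: it parses such LDIF output (including folded lines and base64 `::` values, which real directories do emit for non-ASCII names) and answers that membership question. The base DN and the host name `ldap` are taken from the mail; SAMPLE_LDIF is constructed, and `query_group()` is only a wrapper around the same ldapsearch command for use against a live server.

```python
"""Group membership check against Skolelinux-style LDAP groups.

Added example, not part of the original thread.  The directory layout
(groups under ou=Group,dc=skole,dc=skolelinux,dc=no, members listed in
memberUid) and the ldapsearch invocation mirror what the mail quotes.
"""
import base64
import subprocess

BASE_DN = "ou=Group,dc=skole,dc=skolelinux,dc=no"
LDAP_HOST = "ldap"  # host name used in the thread; assumed to resolve on the LAN

# Constructed sample of what `ldapsearch -LLL -h ldap -x -b <BASE_DN>
# "cn=teachers" memberUid` could return.  It deliberately contains an LDIF
# folded line (continuation starts with a space) and a base64 value ("::").
SAMPLE_LDIF = """\
dn: cn=teachers,ou=Group,dc=skole,dc=skolelinux,dc=no
memberUid: alice
memberUid: bob
memberUid: averylonguser
 name
memberUid:: w6VzYQ==

"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries (dict: attribute -> [values]).

    Handles line folding and base64-encoded values; comments are skipped.
    """
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]  # unfold continuation line
        else:
            logical_lines.append(raw)

    entries, current = [], {}
    for line in logical_lines:
        if not line.strip():  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def group_members(ldif_text, group):
    """Return the set of memberUid values for the entry whose DN is cn=<group>,..."""
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        if dn.lower().startswith("cn=%s," % group.lower()):
            return set(entry.get("memberUid", []))
    return set()


def is_member(uid, group, ldif_text):
    """True if uid is listed in the group's memberUid attribute."""
    return uid in group_members(ldif_text, group)


def query_group(group, host=LDAP_HOST, base=BASE_DN):
    """Run the ldapsearch from the thread (anonymous bind, -x) and return raw LDIF."""
    cmd = ["ldapsearch", "-LLL", "-h", host, "-x", "-b", base,
           "cn=%s" % group, "memberUid"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for uid in ("bob", "åsa", "mallory"):
        print(uid, "teacher" if is_member(uid, "teachers", SAMPLE_LDIF) else "not a teacher")
```

Two things to check before relying on this: the membership test is only an authorization step and has to sit behind the `proxy_auth REQUIRED` acl, since memberUid is a plain uid string and proves nothing about who sent the request; and the anonymous bind (`-x` without credentials) only works if the directory allows anonymous reads of ou=Group, which also means every host on the LAN can enumerate group membership. On newer OpenLDAP clients `-h host` is deprecated in favour of `-H ldap://host`.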


