
ldap && squid authentication



Hi,

just thought I'd post this to save anyone else the pain.

After much fighting with the wonderfully non-verbose squid ldap_auth
program I have managed to get Squid to authenticate users against the
Skolelinux LDAP database.

My purpose in this is that we will run squid on the gateway machine in
order to control web access[1].  We will then close net access and point
all browsers at http://10.0.2.1:3128 and those who are registered in the
teachers group will get full web access via their usual skolelinux
password.

I will try and write this up in more detail shortly, possibly with webmin
oriented instructions but for now what's needed is to make the following
changes to /etc/squid/squid.conf.  Some context is given so you can see
where to place the new lines.

=======================
#  TAG: auth_param 
auth_param basic program /usr/lib/squid/ldap_auth -Z -D cn=teachers -b ou=People,dc=skole,dc=skolelinux,dc=no  ldap
auth_param basic realm Squid proxy-caching web server
auth_param basic children 30
auth_param basic credentialsttl 2 hours
=======================

=======================
#  TAG: external_acl_type
acl SquidLdapUsers proxy_auth REQUIRED
=======================

=======================
acl SquidLdapUsers proxy_auth REQUIRED
acl CONNECT method CONNECT

#  TAG: http_access
=======================

=======================
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#http_access allow schoolnet
#http_access allow ltspnet
http_access allow SquidLdapUsers
=======================

The painful bit which took me a while to figure out was the "-Z" in the
ldap_auth line.  This tells ldap_auth to TLS encrypt the LDAP
connection.  If you don't do this you just get ERR or no response from
ldap_auth, which is tremendously helpful.

The above of course is for squid on tjener to contact ldap on tjener.  The
"ldap" on the program line could be changed to say 10.0.2.2 or tjener.intern
for the firewall to see it.  I'm not an expert on this type of encryption,
but I presume it is secure enough for this use?

Thanks to Finn-Arne for his help with this (two months ago!).  I understand
someone is working on this for general use in Skolelinux?

Gavin

[1] usual justification applies. I don't really like controlling internet
    access but I'd rather give it in a controlled way than not at all which
    is the alternative.
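An added example, not part of Gavin's post: a small Python checker for the squid.conf wiring the post describes (the "-Z" on the ldap_auth line, an acl of type proxy_auth, and an http_access allow rule that uses it before any unauthenticated allow). The config text below is constructed from the lines in the post; the function names are my own.

```python
import shlex

# Constructed squid.conf fragment, mirroring the active lines quoted in the post.
SQUID_CONF = """\
#  TAG: auth_param
auth_param basic program /usr/lib/squid/ldap_auth -Z -D cn=teachers -b ou=People,dc=skole,dc=skolelinux,dc=no  ldap
auth_param basic realm Squid proxy-caching web server
auth_param basic children 30
auth_param basic credentialsttl 2 hours
acl SquidLdapUsers proxy_auth REQUIRED
acl CONNECT method CONNECT
#http_access allow schoolnet
http_access allow SquidLdapUsers
"""


def parse_squid_conf(text):
    """Return the active (non-comment, non-empty) directives as token lists."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            directives.append(shlex.split(line))
    return directives


def check_ldap_auth(text):
    """Return a list of findings; an empty list means the LDAP auth wiring looks sound."""
    findings = []
    directives = parse_squid_conf(text)
    programs = [d for d in directives if d[:3] == ["auth_param", "basic", "program"]]
    if not programs:
        return ["no 'auth_param basic program' line: Squid has no helper to validate passwords"]
    helper_args = programs[0][3:]
    # -Z is the flag the post found essential: it makes ldap_auth TLS-encrypt the LDAP connection.
    if "-Z" not in helper_args:
        findings.append("ldap_auth called without -Z: the LDAP bind (and the user's password) is not TLS encrypted")
    auth_acls = {d[1] for d in directives if d[0] == "acl" and len(d) > 2 and d[2] == "proxy_auth"}
    if not auth_acls:
        findings.append("no acl of type proxy_auth, so the helper is never consulted")
    allows = [d for d in directives if d[:2] == ["http_access", "allow"]]
    for rule in allows:
        if set(rule[2:]) & auth_acls:
            break  # first allow that requires authentication; earlier ones were unauthenticated
        findings.append(f"'{' '.join(rule)}' grants access before any authenticated rule")
    else:
        if auth_acls:
            findings.append("no http_access allow rule uses the proxy_auth acl")
    return findings


if __name__ == "__main__":
    print(check_ldap_auth(SQUID_CONF) or "squid.conf LDAP auth wiring looks sound")
```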