Re: ldap && squid authentication

To: debian-edu@lists.debian.org
Cc: admin-discuss@skolelinux.org
Subject: Re: ldap && squid authentication
From: Gavin McCullagh <lists_gmc@fiachra.ucd.ie>
Date: Wed, 16 Mar 2005 18:36:02 +0000
Message-id: <[🔎] 20050316183602.GL4531@fiachra.ucd.ie>
Mail-followup-to: debian-edu@lists.debian.org, admin-discuss@skolelinux.org
Reply-to: debian-edu@lists.debian.org
In-reply-to: <[🔎] 20050314233807.GA20774@fiachra.ucd.ie>
References: <[🔎] 20050314233807.GA20774@fiachra.ucd.ie>

Hi,

On Mon, 14 Mar 2005, Gavin McCullagh wrote:

> just thought I'd post this to save anyone else the pain.
> 
> After much fighting with the wonderfully non-verbose squid ldap_auth
> program I have managed to get Squid to authenticate users against the
> Skolelinux LDAP database.

Okay, this time I think I do have this working.  And there was me thinking
it was painful last time.  Still, I have learnt much about LDAP and squid
along the way.  I must admit that squid acls still confuse me a little so
if someone sees something wrong please feel free to correct it.

In /etc/squid/squid.conf:

1. Set up general authentication of users via ldap_auth.

======================
#  TAG: auth_param
auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
auth_param basic children 30
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1 hours
======================

2. Now that you can authenticate the users, tell it how to check that
   authenticated users are in a chosen group using squid_ldap_group.

======================
#  TAG: external_acl_type
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -ZZ -b "ou=Group,dc=skole,dc=skolelinux,dc=no" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap
======================

3. Create an acl (access control list) requiring first authentication and
   then the group check.  The word "teachers" corresponds to a unix group
   and several can be placed here.

======================
#  TAG: acl
acl password proxy_auth REQUIRED
acl password_group external ldap_group teachers
======================

4. Allow that acl users http access and remove the allow to schoolnet and
   ltspnet

======================
#  TAG: http_access
#http_access allow schoolnet
#http_access allow ltspnet
http_access allow password_group
======================

5. Restart squid.

A good way to debug this process is to run the two external tools on the
command line and make sure they work.  You run the command and type in
parameters on the next line.  If it replies OK you're good, if you get ERR
or nothing at all things are not working. eg

gavinm@tjener > /usr/lib/squid/ldap_auth -ZZ -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
gavinm <mypassword>
OK

gavinm@tjener > /usr/lib/squid/squid_ldap_group -ZZ -b "ou=Group,dc=skole,dc=skolelinux,dc=no" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap
gavinm teachers
OK

Hope this helps someone,
Gavin

Reply to:

References:
- ldap && squid authentication
  - From: Gavin McCullagh <lists_gmc@fiachra.ucd.ie>

Prev by Date: Re: problem with creating a machine account (sarge)
Next by Date: Re: problem with creating a machine account (sarge)
Previous by thread: Re: ldap && squid authentication
Next by thread: unsuscribe
Index(es):
- Date
- Thread