[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ldap && squid authentication


On Mon, 14 Mar 2005, Gavin McCullagh wrote:

> just thought I'd post this to save anyone else the pain.
> After much fighting with the wonderfully non-verbose squid ldap_auth
> program I have managed to get Squid to authenticate users against the
> Skolelinux LDAP database.

Okay, this time I think I do have this working.  And there was me thinking
it was painful last time.  Still, I have learnt much about LDAP and squid
along the way.  I must admit that squid acls still confuse me a little so
if someone sees something wrong please feel free to correct it.

In /etc/squid/squid.conf:

1. Set up general authentication of users via ldap_auth.

#  TAG: auth_param
auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
auth_param basic children 30
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1 hours

2. Now that you can authenticate the users, tell it how to check that
   authenticated users are in a chosen group using squid_ldap_group.

#  TAG: external_acl_type
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -ZZ -b "ou=Group,dc=skole,dc=skolelinux,dc=no" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap

3. Create an acl (access control list) requiring first authentication and
   then the group check.  The word "teachers" corresponds to a unix group
   and several can be placed here.

#  TAG: acl
acl password proxy_auth REQUIRED
acl password_group external ldap_group teachers

4. Allow that acl users http access and remove the allow to schoolnet and

#  TAG: http_access
#http_access allow schoolnet
#http_access allow ltspnet
http_access allow password_group

5. Restart squid.

A good way to debug this process is to run the two external tools on the
command line and make sure they work.  You run the command and type in
parameters on the next line.  If it replies OK you're good, if you get ERR
or nothing at all things are not working. eg

gavinm@tjener > /usr/lib/squid/ldap_auth -ZZ -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
gavinm <mypassword>

gavinm@tjener > /usr/lib/squid/squid_ldap_group -ZZ -b "ou=Group,dc=skole,dc=skolelinux,dc=no" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap
gavinm teachers

Hope this helps someone,

Reply to: