Re: [squid-users] squid-auth-ldap

From: Fernando Maior <fernando@dont-contact.us>
Date: Mon, 22 Sep 2003 11:10:07 -0400

Hi Christian,

Using OpenLDAP to authenticate and/or authorize access
for users to web resources using Squid is easy but should
be done the right way. First of all, there are many ways
the project/design for that can be done.

1. You want just to authenticate the users against LDAP and
   let them surf the web if authenticated.

   You must tell squid:
   -how to connect and get info from LDAP
   -that the users are required to authenticate themselves
   -that, if authenticated, the user is allowed access
    to the Net.

2. You want the users authenticated against LDAP and
   control the access via LDAP groups of users.

   You must tell squid:
   -how to connect and get info from LDAP
   -that the users are required to authenticate themselves
   -that, after authentication, squid should do another
    lookup into LDAP and see if the user is a member of
    a group that is authorized to access the web.
   -that the user, ok for authentication and for
    authorization, is allowed access to the Web.

These, I believe, are the most common approaches. They
can help you understand the mechanics below surface and
guide you to try your own config.

#-------------------------------------------
## STEP 1: How to connect and get info from LDAP

These things must be in that order to function correctly.
An example of the directives could be:

auth_param basic program /usr/lib/squid/squid_ldap_auth -h 192.168.1.1 -b "ou=Users,o=DASA" -f "(&(objectClass=Person)(uid=%s))"
auth_param basic children 30
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Search the squid.conf default file for a better understanding
of the meaning of each line, and the parameters. The first
line has a filter, and it is yours to find the right
one. You go on perfecting the filter, using ldapsearch, until
the response is good enough for you. It should be good to
put the lines for auth_param just below the commented lines
about auth_param in the squid.conf file.

In the example above, your user object must be created in
the LDAP container called "ou=Users,o=DASA" and must have
a property type objectClass with value "Person". I mean,
you must understand LDAP in order to use this kind of
authentication/authorization, so go after it and read, and
try what you can in order to understand and get hold of
LDAP basics.

#-------------------------------------------
## STEP 2: The users are required to authenticate

acl USERS proxy_auth REQUIRED

You may put the line above just before the line
"acl CONNECT method CONNECT" in the squid.conf file.

#-------------------------------------------
## STEP 3: Is the user a member of the group that is authorized to access the web?

This step should only be good if you want to control
access using LDAP groups. Otherwise, skip it.

external_acl_type WEBALLOWED concurrency=15 %LOGIN /usr/lib/squid/squid_ldap_group -h 192.168.1.1 -b ou=Groups,o=DASA -f (&(cn=WebAllowed)(memberUid=%u))

(all above in the same line)

Also, you must create the "WebAllowed" group (or any
other name you see fit) in LDAP, below the container
"ou=Groups,o=DASA".

I would like to advise you to put that line just below
the last commented line about external_acl TAG.

#-------------------------------------------
## STEP 4: Allow users to get to the Web

Then we come to the last thing: tell squid that the users
who are authenticated are also authorized to access
the web. Use the line below if you want simple
authentication:

http_access allow USERS

And use the line below if you want to authorize
based on LDAP groups:

http_access allow USERS WEBALLOWED

As you can see, I used the acl name and the
external_acl name defined in the steps above.

I believe the best place to put the line above is
just below the line:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#-------------------------------------------
Look, these are just some lines that I am issuing
trying to help you get a better understanding of
the squid ldap authentication scheme. Those lines
are almost the same I used myself in my Company
squid configuration files, except for the IP address and
some particularities in the LDAP filter.

Nonetheless, test every little step (as I did) and
I believe you will become more and more confident
about squid until you seem confident enough to
try for production.

Good luck, also!

Bye,
Fernando Maciel Souto Maior
fernando@araujo.com.br
http://www.araujo.com.br
+55+31 3270-5886

DISCLAIMER---------------------------------------
This message may contain confidential and/or privileged information.
If you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose or take any action based
on any information herein. If you have received this message in
error, please advise the sender immediately by replying to this
e-mail and delete this message. Thank you for your cooperation.
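As an added illustration, not part of Fernando's message or of the Squid helpers themselves, the following Python simulates the two lookups the configuration above asks Squid to perform: the squid_ldap_auth search with %s substituted under ou=Users,o=DASA, and the squid_ldap_group search with %u substituted under ou=Groups,o=DASA, and then combines them the way "http_access allow USERS" and "http_access allow USERS WEBALLOWED" do. It assumes a small constructed in-memory directory and a password compare instead of the real helper's LDAP bind; the escaping of the substituted username follows RFC 4515, which the real helper also applies.

```python
import re

# Constructed in-memory directory mirroring the containers in the post
# (assumption: two Person entries and one group; not real data).
DIRECTORY = {
    "uid=alice,ou=Users,o=DASA": {"objectClass": {"Person"}, "uid": {"alice"}, "userPassword": {"s3cret"}},
    "uid=bob,ou=Users,o=DASA": {"objectClass": {"Person"}, "uid": {"bob"}, "userPassword": {"hunter2"}},
    "cn=WebAllowed,ou=Groups,o=DASA": {"cn": {"WebAllowed"}, "memberUid": {"alice"}},
}

# The bases and filters exactly as configured in STEP 1 and STEP 3 of the post.
AUTH_BASE, AUTH_FILTER = "ou=Users,o=DASA", "(&(objectClass=Person)(uid=%s))"
GROUP_BASE, GROUP_FILTER = "ou=Groups,o=DASA", "(&(cn=WebAllowed)(memberUid=%u))"

def search(base, filt):
    """Evaluate a filter of the form (&(attr=value)...) against entries under base."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", filt)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base)
            and all(value in attrs.get(attr, set()) for attr, value in terms)]

def escape(value):
    """RFC 4515 escaping of the user-supplied value before it is placed in the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def ldap_auth(username, password):
    """squid_ldap_auth: one 'user password' line in, 'OK' or 'ERR' out (password compare stands in for the bind)."""
    matches = search(AUTH_BASE, AUTH_FILTER.replace("%s", escape(username)))
    if len(matches) == 1 and password in DIRECTORY[matches[0]].get("userPassword", set()):
        return "OK"
    return "ERR"

def ldap_group(channel, username):
    """squid_ldap_group with concurrency=N: 'channel user' in, 'channel OK|ERR' out."""
    found = search(GROUP_BASE, GROUP_FILTER.replace("%u", escape(username)))
    return "%d %s" % (channel, "OK" if found else "ERR")

def http_access(username, password, require_group):
    """Decision for 'http_access allow USERS' (require_group=False) or 'http_access allow USERS WEBALLOWED'."""
    if ldap_auth(username, password) != "OK":
        return "deny"  # proxy_auth REQUIRED not satisfied: Squid would re-challenge with 407
    if require_group and not ldap_group(0, username).endswith(" OK"):
        return "deny"  # authenticated, but not in cn=WebAllowed
    return "allow"

if __name__ == "__main__":
    for user, pw, grp in [("alice", "s3cret", True), ("bob", "hunter2", True), ("bob", "hunter2", False)]:
        print(user, "groups" if grp else "auth-only", "->", http_access(user, pw, grp))
```

Note that the escape step is what keeps a username such as "*)(uid=alice" from rewriting the filter; the search then simply finds no entry and the helper answers ERR.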

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
Received on Mon Sep 22 2003 - 09:12:30 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:20:00 MST