Re: [squid-users] User identification and LDAP check for statistics purposes

From: Tim Neto <tneto@dont-contact.us>
Date: Wed, 22 Dec 2004 09:16:01 -0500

Hello Maxime,

The external LDAP helper "squid_ldap_group" only does a group check.
You need to also use the external authentication helper "squid_ldap_auth".

Try something like:
  
------------------------------------------------------------------------------------------------
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldapserver -p port# -P -b "ou=****,dc=******" -f "uid=%s"

auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minute

# %IDENT hands the ident username to the helper as its first field;
# the group it is checked against comes from the "acl ... external" line below
external_acl_type ldap_group %IDENT /usr/lib/squid/squid_ldap_group -b "ou=****,dc=******" -f "uid=%v" -h ldapserver

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0

# acl users ident my_users
acl my_users external ldap_group my_users

http_access allow all my_users
http_access deny all

http_reply_access allow all my_users
http_reply_access deny all

icp_access allow all my_users
icp_access deny all

coredump_dir /var/spool/squid
  
------------------------------------------------------------------------------------------------

Note: the "acl" definitions are logical "or", and the "http_access",
"http_reply_access", and "icp_access" definitions are logical "and".
Also, you never properly referenced the external LDAP group check.

Hope this helps. Please reply to the Squid mailing list, so others
may help or improve on my replies. This way all can learn and benefit.

Thanks.

Tim

-----------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer, Komatsu Canada Limited
1725B Sismet Road, Mississauga, Canada L4W 1P9
Ph#: 905-625-6292 x265
Fax: 905-625-6348
E-Mail: tneto@komatsu.ca
-----------------------------------------------------------
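A stand-in for the group helper, added here as an example (it is not Tim's config and not a Squid-project helper): it speaks the same stdin/stdout protocol as squid_ldap_group, one "<user> <group>" request per line answered with OK or ERR, against a constructed membership table, so the %IDENT-to-helper wiring can be checked in a lab before Squid is pointed at the real directory. The user names and groups are made up.

```shell
#!/bin/sh
# Stand-in for /usr/lib/squid/squid_ldap_group, for checking the
# external_acl_type wiring offline. Squid writes one request per line:
#   <user> <group>
# where <user> is the %IDENT value (Squid passes "-" when ident gave
# nothing) and <group> is the argument from the
#   acl my_users external ldap_group my_users
# line. The helper answers OK or ERR, one line per request.

# Constructed membership table (user:group), standing in for LDAP.
MEMBERS="alice:my_users
bob:my_users
carol:other_group"

# check_group USER GROUP -> prints OK if USER is in GROUP, else ERR.
# -F -x: literal, whole-line match; -e: the pattern may start with "-".
check_group() {
    user=$1
    group=$2
    if printf '%s\n' "$MEMBERS" | grep -qxF -e "$user:$group"; then
        echo OK
    else
        echo ERR
    fi
}

# Main loop in the shape Squid drives: read requests until stdin closes.
helper_loop() {
    while read -r user group; do
        check_group "$user" "$group"
    done
}
```

Feed it the lines Squid would send, e.g. `printf 'alice my_users\n' | sh helper.sh`, and compare with what the real helper returns for the same input.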

Maxime Chambreuil wrote:

> Hi squid-users,
>
> I want to setup a proxy server for statistics purposes. So all the
> browsers on the network will be configured to reach the internet
> through Squid.
>
> I want statistics per user, so I am getting the login with identd
> installed on each computer on the network. The security issue about ident
> is not my problem here.
>
> Then I want to check that the username returned by ident is present in
> the LDAP authentication server and allow/deny the internet access
> depending on the users privileges.
>
> After reading the mailing-list and FAQ, I came up with the idea that
> it was possible and with the following configuration:
>
> hierarchy_stoplist cgi-bin ?
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> external_acl_type my_users %IDENT /usr/lib/squid/squid_ldap_group -b "ou=****,dc=******" -f "uid=%v" -h ldapserver
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
>
> acl users ident my_users
>
> http_access allow users
> http_access deny all
>
> http_reply_access allow users
> http_reply_access deny all
>
>
> icp_access allow users
> icp_access deny all
>
> coredump_dir /var/spool/squid
>
> Unfortunately this is not working: it doesn't matter if the user is
> in LDAP or not, I was always refused...
>
> I tried to use squid_ldap_group on the command line. It's working if I
> give the username and password, so I wonder how I can get an "OK" just
> if the user is present.
>
> Any help or ideas would be greatly appreciated.
>
> Thanks
Received on Wed Dec 22 2004 - 07:15:59 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:02 MST