[squid-users] Re: Configuring Squid LDAP Authentication

From: berry guru <berryguru_at_gmail.com>
Date: Wed, 11 Jan 2012 15:27:56 -0800

I came across this configuration online, but it still doesn't work. I
really thought I would have had it on this one, but still no go.

acl lan src 192.168.1.0/25
acl Intranet dstdomain intranet.int
acl lan-intranet dst 192.168.2.2
http_access allow lan
http_access allow Intranet
http_access allow lan-intranet

On Wed, Jan 11, 2012 at 11:37 AM, berry guru <berryguru_at_gmail.com> wrote:
> I wanted to test something, but not quite sure how to do it.  I want
> to see if my Intranet users can authenticate when they go to
> 'companyname-intranet' and are prompted for a login.  When I enable
> the proxy I'm unable to login to the Intranet, but when I disable the
> proxy I can login.  So I'm thinking it's an issue with Squid and I need
> to add something to Squid to allow authentication.  Am I incorrect in
> this assessment?  If so, how do I go about allowing access to that
> site.  Do I do this via an ACL?
>
> On Wed, Jan 11, 2012 at 10:30 AM, berry guru <berryguru_at_gmail.com> wrote:
>> I used the following tutorial online to configure Squid to
>> authenticate with AD, but I still can't get this working.  As most
>> have seen, I also used a tutorial written by one of our mailing list
>> members and that didn't work.  Are others having this much trouble
>> getting Squid to authenticate with their Active Directory server?  So
>> frustrating!
>>
>> Configuring Squid LDAP Authentication
>>
>> The first step is to configure Squid to authenticate
>> usernames/passwords with the Active Directory. You will need to open
>> your Squid configuration file (squid.conf) and make the following
>> changes:
>>
>> Find the auth param section of the config file (TAG: auth_param), and
>> change the auth param basic program line to look like this. (Indented
>> text indicates one line)
>>
>>    auth_param basic program /usr/lib/squid/ldap_auth -R
>>        -b "dc=vm-domain,dc=papercut,dc=com"
>>        -D "cn=Administrator,cn=Users,dc=your,dc=domain,dc=com"
>>        -w "password" -f sAMAccountName=%s -h 192.168.1.75
>>    auth_param basic children 5
>>    auth_param basic realm Your Organisation Name
>>    auth_param basic credentialsttl 5 minutes
>>
>> These settings tell Squid to authenticate names/passwords in the Active Directory.
>>
>>    The -b option indicates the LDAP base distinguished name of your
>> domain. E.g. your.domain.com would be dc=your,dc=domain,dc=com
>>    The -D option indicates the user that is used to perform the LDAP
>> query (e.g. an Administrator). This example uses the built-in
>> Administrator user, however you can use another user of your choice.
>>    The -w option is the password for the user specified in the -D
>> option. For better security you can store the password in a file and
>> use the -W /path/to/password_file syntax instead.
>>    -h is used to indicate the LDAP server to connect to. E.g. your
>> domain controller.
>>    -R is needed to make Squid authenticate against Windows AD.
>>    The -f option is the LDAP query used to look up the user. In the
>> above example, sAMAccountName=%s, will match if the user's Windows
>> logon name matches the username entered when prompted by Squid. You
>> can search any value in the LDAP filter query. You may need to use an
>> LDAP search query tool to help get the syntax correct for the -f
>> search filter.
>>    The %s is replaced with what the user enters as their username.
>>
>> Remember to restart Squid to make these changes come into effect.
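Before blaming the ACLs, the helper can be driven by hand with the same one-line protocol Squid uses: Squid writes "username password" (rfc1738/URL-encoded fields) to the helper's stdin and reads back one "OK" or "ERR [message]" line per request. The POSIX sh script below is an added example, not part of this thread or of the quoted tutorial; the DN and host values are the tutorial's placeholders, and the jdoe/Secret1 credential plus the mock fallback (used when ldap_auth is not installed) are constructed so the script runs anywhere.

```shell
#!/bin/sh
# Drive a Squid basic-auth helper outside Squid to confirm AD binds work.
# Placeholders taken from the quoted tutorial; adjust to your domain.
LDAP_AUTH="${LDAP_AUTH:-/usr/lib/squid/ldap_auth}"
BASE_DN="dc=your,dc=domain,dc=com"
BIND_DN="cn=Administrator,cn=Users,dc=your,dc=domain,dc=com"
PASS_FILE="/etc/squid/ldap_pass"          # -W: bind password kept out of squid.conf
LDAP_HOST="192.168.1.75"

# rfc1738-encode one field the way Squid does before handing it to the helper
# (only '%' and space are handled here, enough for the usual cases).
encode() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g'
}

# Stand-in helper (constructed) used when the real binary is not present:
# speaks the same protocol and accepts exactly one made-up credential.
mock_helper() {
    while read -r user pass; do
        if [ "$user" = "jdoe" ] && [ "$pass" = "Secret1" ]; then
            echo "OK"
        else
            echo "ERR invalid credentials"
        fi
    done
}

# Run the real helper with the tutorial's options, or the mock if absent.
run_helper() {
    if [ -x "$LDAP_AUTH" ]; then
        "$LDAP_AUTH" -R -b "$BASE_DN" -D "$BIND_DN" -W "$PASS_FILE" \
            -f "sAMAccountName=%s" -h "$LDAP_HOST"
    else
        mock_helper
    fi
}

# check_creds USER PASSWORD: prints the verdict; returns 0 on OK, 1 on ERR.
check_creds() {
    reply=$(printf '%s %s\n' "$(encode "$1")" "$(encode "$2")" | run_helper)
    case "$reply" in
        OK*) printf 'OK  %s\n' "$1"; return 0 ;;
        *)   printf 'ERR %s:%s\n' "$1" "${reply#ERR}"; return 1 ;;
    esac
}

if [ "$#" -eq 2 ]; then
    check_creds "$1" "$2"
fi
```

Run it as `sh check_helper.sh jdoe 'the password'`; an ERR here means the bind or filter is wrong and no http_access rule will fix it.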
Received on Wed Jan 11 2012 - 23:28:02 MST