Tuesday 1 February 2011

Configuring squid proxy for ldap authentication

This article is intended for someone with prior knowledge of how squid proxy server works. It seeks to summarise and simplify the process of configuring squid to authenticate against an ldap directory and possibly setup access controls to web resources against ldap groups.

Note that you probably need kernel-devel openldap-devel packages on your system.

Make sure that your squid is compiled with ldap support. If not already so, you can reconfigure your squid by re-running './configure' as follows:

]# ./configure --sysconfdir=/etc/squid --bindir=/usr/sbin --includedir=/usr/include --localstatedir=/var --with-logdir=/var/log/squid --datadir=/usr/share --libexecdir=/usr/lib/squid --enable-basic-auth-helpers="LDAP MSNT NCSA" --enable-external-acl-helpers="ip_user ldap_group unix_group wbinfo_group"

Then in your squid.conf you should configure authentication by modifying the auth paragraph/directives

auth_param basic program /usr/lib/squid/squid_ldap_auth -b "ou=yourou,o=yourorg" -f "uid=%s" -h your_ldap_server.domain.com
auth_param basic children 10
auth_param basic realm "Domain.Org Proxy-Cache"
auth_param basic credentialsttl 5 minutes

To be able to filter users with ldap groups, you need to configure external acl like:

external_acl_type ldap_groups %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=your_ou,o=your_org" -f "(&(cn=%g)(memberUid=%u))" -h your_ldap_server.domain.com

On the acls, you specify the handle for your auth

acl ldap_authenticated proxy_auth REQUIRED
acl allowed_groups external ldap_groups mygroup
acl subnet1 src

Then finally on the http_access section:

http_access allow subnet1 ldap_authenticated allowed_groups

Here, you should remember that squid access rules are read sequencially top-down and when a match is found, processing stops. so the order of your access/deny directives matter very much.
The above statement matches all users in subnet1 who are successfully authenticated and belong to ldap group 'mygroup'

Test your setup to see if auth is working ok, On the command prompt run:
/usr/lib/squid/squid_ldap_auth -b "ou=yourou,o=yourorg" -f "uid=%s" -h your_ldap_server.domain.com

and supply a username 'space' password
If it returns 'OK' then your auth is setup ok. Make sure there is only a single space between username and password

As a bonus: you may consider immunising your squid conf
]# chattr +i /etc/squid/squid.conf

This has been tested against Centos 5.3 squid-3.0.STABLE12 installed from source.