Note that you will probably need the kernel-devel and openldap-devel packages on your system.
Make sure your Squid is compiled with LDAP support. If it is not, reconfigure it by re-running './configure' as follows:
]# ./configure --sysconfdir=/etc/squid --bindir=/usr/sbin --includedir=/usr/include --localstatedir=/var --with-logdir=/var/log/squid --datadir=/usr/share --libexecdir=/usr/lib/squid --enable-basic-auth-helpers="LDAP MSNT NCSA" --enable-external-acl-helpers="ip_user ldap_group unix_group wbinfo_group"
Then, in your squid.conf, configure authentication by editing the auth_param directives:
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "ou=yourou,o=yourorg" -f "uid=%s" -h your_ldap_server.domain.com
auth_param basic children 10
auth_param basic realm "Domain.Org Proxy-Cache"
auth_param basic credentialsttl 5 minutes
To filter users by LDAP group, you also need an external ACL type, for example:
external_acl_type ldap_groups %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=your_ou,o=your_org" -f "(&(cn=%g)(memberUid=%u))" -h your_ldap_server.domain.com
In the acl section, define handles for the authentication check and the group lookup:
acl ldap_authenticated proxy_auth REQUIRED
acl allowed_groups external ldap_groups mygroup
acl subnet1 src 10.0.0.0/255.255.0.0
Then, finally, in the http_access section:
http_access allow subnet1 ldap_authenticated allowed_groups
Here you should remember that Squid reads http_access rules sequentially, top-down, and stops at the first line that matches, so the order of your allow/deny lines matters very much. All ACLs on one line must match for that line to apply, and if no line matches at all Squid applies the opposite of the last line's action, so end the list with an explicit "http_access deny all".
The line above matches requests from subnet1 whose user has authenticated successfully and belongs to the LDAP group 'mygroup'.
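As an added illustration (this is example code written for this page, not part of Squid or of the original post), the following toy model evaluates a list of http_access lines the way the paragraph above describes: top-down, first match wins, all ACLs on a line ANDed, and the opposite of the last line's action when nothing matches. The ACL names mirror the squid.conf fragment above; the group membership table and the sample requests are constructed for the example, and the external lookup is a dictionary standing in for the ldap_groups helper.

```python
"""Toy model of Squid http_access evaluation (illustrative, not Squid code)."""
import ipaddress

# ACL definitions mirroring the acl lines in the post.
ACLS = {
    "subnet1": ("src", "10.0.0.0/255.255.0.0"),
    "ldap_authenticated": ("proxy_auth", "REQUIRED"),
    "allowed_groups": ("external", "mygroup"),  # via external_acl_type ldap_groups
    "all": ("src", "0.0.0.0/0"),
}

# Constructed stand-in for what the ldap_groups helper would answer.
GROUP_MEMBERS = {"mygroup": {"alice", "bob"}}


def acl_matches(name, request):
    """Does ACL `name` match `request` ({'src': ip, 'user': name-or-None})?"""
    kind, arg = ACLS[name]
    if kind == "src":
        # ip_network accepts the netmask form 10.0.0.0/255.255.0.0 used in squid.conf
        return ipaddress.ip_address(request["src"]) in ipaddress.ip_network(arg, strict=False)
    if kind == "proxy_auth":
        return request.get("user") is not None  # the auth helper answered OK
    if kind == "external":
        return request.get("user") in GROUP_MEMBERS.get(arg, set())
    raise ValueError(f"unknown acl type {kind}")


def http_access(rules, request):
    """Return 'allow' or 'deny' for `request`.

    `rules` is a list of (action, [acl terms]) in file order.  Every term on a
    line must match (a leading '!' negates a term); the first matching line
    wins; if no line matches, the result is the opposite of the last line's
    action, which is Squid's documented default."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), request) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The rule set from the post, terminated with an explicit deny.
GOOD = [
    ("allow", ["subnet1", "ldap_authenticated", "allowed_groups"]),
    ("deny", ["all"]),
]

# Same lines with a bare "allow subnet1" slipped in first: it matches before the
# authenticated line is ever consulted, so the whole subnet bypasses auth.
LOOSE = [
    ("allow", ["subnet1"]),
    ("allow", ["subnet1", "ldap_authenticated", "allowed_groups"]),
    ("deny", ["all"]),
]

if __name__ == "__main__":
    # Constructed sample requests.
    for req in ({"src": "10.0.5.7", "user": "alice"},   # in subnet, in group
                {"src": "10.0.5.7", "user": "carol"},   # in subnet, not in group
                {"src": "10.0.5.7", "user": None},      # in subnet, no credentials
                {"src": "192.168.1.1", "user": "alice"}):  # outside subnet
        print(req, "GOOD:", http_access(GOOD, req), "LOOSE:", http_access(LOOSE, req))
```

Real Squid adds one twist the toy leaves out: when a proxy_auth ACL is the last term on a line that fails to match, Squid sends a 407 challenge instead of silently moving on, which is why the REQUIRED ACL is usually placed last on the line, as in the post.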
Test your setup to see whether authentication works. At the command prompt run:
/usr/lib/squid/squid_ldap_auth -b "ou=yourou,o=yourorg" -f "uid=%s" -h your_ldap_server.domain.com
and type a username, a single space, and the password, followed by Enter.
If the helper prints 'OK', your authentication is set up correctly; 'ERR' means the lookup or bind failed. Make sure there is only a single space between username and password, because the helper treats everything after the first space as the password.
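The same check, scripted, as an added example that is not from the original post: the function below drives any Squid basic-auth helper over its stdin/stdout protocol (one "username password" line in, "OK" or "ERR" out) and returns the verdict. The real helper to pass is /usr/lib/squid/squid_ldap_auth with the -b, -f and -h options from the post; to make the script runnable offline, a constructed stub helper that accepts exactly one credential pair and splits on the first space, like the real helper, stands in for it.

```python
"""Drive a Squid basic-auth helper and return its verdict (example code)."""
import os
import subprocess
import tempfile
import textwrap

# Constructed stub helper.  It takes the text up to the first space as the user
# and everything after it as the password, so a double space yields ERR, the
# same failure mode the post warns about.
STUB_HELPER = textwrap.dedent('''\
    #!/bin/sh
    while IFS= read -r line; do
        user=${line%% *}
        pass=${line#* }
        if [ "$user" = "alice" ] && [ "$pass" = "s3cret" ]; then
            echo OK
        else
            echo ERR
        fi
    done
''')


def write_stub_helper():
    """Write the stub to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "w") as fh:
        fh.write(STUB_HELPER)
    return path


def check_helper(helper_cmd, username, password):
    """Send one 'username password' line (single space, newline-terminated,
    the format Squid uses for basic helpers) and return the first word of the
    reply, 'OK' or 'ERR'.  `helper_cmd` is an argv list."""
    line = f"{username} {password}\n"
    proc = subprocess.run(helper_cmd, input=line, capture_output=True,
                          text=True, timeout=10, check=False)
    reply = proc.stdout.strip().split(maxsplit=1)
    return reply[0] if reply else "ERR"


if __name__ == "__main__":
    # Against the real helper you would use something like (values from the post):
    # check_helper(["/usr/lib/squid/squid_ldap_auth", "-b", "ou=yourou,o=yourorg",
    #               "-f", "uid=%s", "-h", "your_ldap_server.domain.com"], user, pw)
    stub = write_stub_helper()
    try:
        print(check_helper(["/bin/sh", stub], "alice", "s3cret"))   # OK
        print(check_helper(["/bin/sh", stub], "alice", "wrong"))    # ERR
    finally:
        os.unlink(stub)
```

When testing the real helper by hand, note that squid_ldap_auth URL-decodes both fields after splitting, so a password that itself contains a space has to be typed with %20 in its place.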
As a bonus, you may consider making your squid.conf immutable so it cannot be changed or deleted by accident. Bear in mind that this only guards against mistakes: root can clear the flag again with 'chattr -i', and you will have to do so yourself before editing the file.
]# chattr +i /etc/squid/squid.conf
This has been tested against Centos 5.3 squid-3.0.STABLE12 installed from source.
Thanks for the blog, this solved my problem.