Re: [squid-users] Ldap Auth Suggestions

From: Fernando Maior <[email protected]>
Date: 14 May 2003 12:36:19 -0300

>From my experience.

1. First of all, install Squid 2.5.
2. For authentication, you should use
   squid_ldap_auth, as told by other
   people in this list.
3. Next, you want to verify if the user
   that is authenticated by squid_ldap_auth
   is authorised to retrieve the home page.
   For that you should use squid_ldap_group.
4. Read the man pages for squid_ldap_auth and
   squid_ldap_group.

After all, lets see an example:

1) Configuring OpenLDAP.
You should go to /etc/openldap and edit both
slapd.conf and ldap.conf; I am using OpenLDAP
version 2.1.16, from Conectiva Linux 9, and I
have all my users under ou=Users,o=Company;
all my groups are under ou=Groups,o=Company.

------ slapd.conf -------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
schemacheck on
 
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
 
TLSCertificateFile /etc/openldap/ssl/dummy.crt
TLSCertificateKeyFile /etc/openldap/ssl/dummy.key
 
allow bind_v2
database bdb
suffix "o=Company"
rootdn "cn=admin,o=Company"
rootpw {MD5}asdjfadjasja==
directory /var/lib/openldap-data

index cn,sn,uid,rid pres,eq
index objectClass,uidNumber,gidNumber,memberUid eq
index mail,mailAlternateAddress eq
lastmod on
                                                                           access to *
  by dn="cn=admin,o=Company" write
  by dn="cn=root,ou=Users,o=Company" write
  by self write
  by * read

------ ldap.conf ------
sizelimit 1000
timelimit 15
deref never
 
host localhost
base o=Company
 
nss_base_passwd o=Company?sub
nss_base_shadow o=Company?sub
nss_base_group ou=Groups,o=Company?one

ssl no
pam_password md5

------- end ---------

Please, refer to LDAP docs about the use of
ldap.conf and slapd.conf; look at openldap.org
for that. Also, it is a very good idea to remove
/etc/ldap.conf and create a hard link to
/etc/openldap/ldap.conf, like this:

# rm -f /etc/ldap.conf
# ln /etc/openldap/ldap.conf /etc/ldap.conf

So, for now, our LDAP database is configured.
Start the server and fill the database with
data.

Next, lets configure squid for authentication
agains LDAP. Edit /etc/squid/squid.conf and
search for "auth_param". I am using (the first
and second lines are actually the same line
but my mail client insists in wrapping them:):

auth_param basic program /usr/lib/squid/squid_ldap_auth
-u cn -b ou=Users,o=Company -f (uid=%s) -h localhost
auth_param basic children 5
auth_param basic realm Proxy HTTP Company
auth_param basic credentialsttl 10 minutes

And some lines later:

acl LAN src 192.168.1.0/24
acl Autorized proxy_auth REQUIRED
http_access allow Autorized

Save and start squid. From now on, squid will
ask for you user/password and authenticates it
against LDAP.

Now for squid_ldap_group, I have not the
experience, so refer to Nordstrom and Flavio
Pescuma, they are the ones.

-- 
Bye,
Fernando Maciel Souto Maior
fernando@araujo.com.br
http://www.araujo.com.br
+55+31 3270-5886
Received on Wed May 14 2003 - 09:40:06 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:16:40 MST