Sunday, April 28, 2013

how to squid with ldap auth users and groups

How to Set Up a Proxy Server With LDAP Auth

Follow this post to install Samba with LDAP support. I assume you have already configured an LDAP server that authenticates intranet users, with IP 192.168.1.12, and that your proxy server's IP is 192.168.202.17. The proxy server should have direct internet connectivity, either through a DSL or other modem or through the firewall.


Log in to your Linux server and follow the step-by-step guide.

[root@proxy ~]# ping www.google.com   <-- check that the internet connection works
64 bytes from maa03s04-in-f18.1e100.net (74.125.236.50): icmp_seq=1 ttl=57 time=37.8 ms
[root@proxy ~]# yum install squid nss_ldap -y
[root@proxy ~]# cat /etc/squid/squid.conf > /etc/squid/squid.conf.bkp
[root@proxy ~]# vi /etc/squid/squid.conf   (edit the following lines)
#auth_param basic program /usr/lib/squid/ncsa_auth /usr/local/squid/etc/passwd <-- comment out this line (line No.274 in the default squid.conf)>
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=server,dc=com" -f "uid=%s" -h 192.168.202.10 -d -v 3  <-- this enables LDAP auth; -v 3 selects LDAP protocol version 3 and -d turns on debug output, which you can drop once the setup works>

##external_acl_type used for group authentication from ldap
external_acl_type ldapgroups %LOGIN /usr/lib/squid/squid_ldap_group -b "dc=yourdomain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h ldapserver
acl ldapgroup external ldapgroups squid <-- add this line after line 572; it checks membership of the LDAP group "squid">
###deny all other user not in squid group####
http_access deny !ldapgroup

acl ldapauth proxy_auth REQUIRED
http_access allow  ldapauth

To make sure your Squid server can talk to the LDAP server, run the following commands. Each helper reads one line from standard input (username and password, or username and group name) and answers OK or ERR.
The output should look like this; if not, something went wrong.
[root@proxy ~]# /usr/lib/squid/squid_ldap_auth -b "dc=server,dc=com" -f "uid=%s" -h 192.168.202.10 -d -v 3  
username password

user filter 'uid=username', searchbase 'dc=yourdomain,dc=com'
attempting to authenticate user 'uid=username,ou=users,dc=yourdomain,dc=com'
OK

[root@proxy ~]# /usr/lib/squid/squid_ldap_group -b "dc=yourdomain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.202.10
username group
OK
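To see exactly what the group helper does with the -f template, here is an added Python model (not part of the original post or of Squid itself) that fills in %u/%g and evaluates the filter against a constructed directory modelled on the LDIF a commenter posted below. It shows why the debugging form `(&(cn=%g))` answers OK for any user whatsoever: it drops the membership test, so it is only a diagnostic and must not stay in squid.conf.

```python
import re

# Constructed sample directory (modelled on the LDIF posted in the comments):
# the staff group carries a memberUid attribute, the HRD group does not.
SAMPLE_LDIF = """\
dn: cn=staff,ou=groups,dc=ubuntu,dc=id
objectClass: posixGroup
cn: staff
gidNumber: 500
memberUid: rjaidi

dn: cn=HRD,ou=groups,dc=ubuntu,dc=id
objectClass: posixGroup
cn: HRD
gidNumber: 501
"""

# The two -f templates from the post: the real membership check, and the
# debugging variant from the comments that only tests that the group exists.
MEMBER_FILTER = "(&(cn=%g)(memberUid=%u))"
NAME_ONLY_FILTER = "(&(cn=%g))"


def parse_ldif(text):
    """Parse minimal LDIF (attr: value lines, blank line between entries)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def substitute(template, user, group):
    """Fill %u and %g, escaping LDAP filter metacharacters (RFC 4515) first."""
    def esc(s):
        return re.sub(r"[\\*()\0]", lambda m: "\\%02x" % ord(m.group()), s)
    return template.replace("%u", esc(user)).replace("%g", esc(group))


def matches(entry, flt):
    """Evaluate an AND of equality assertions, e.g. (&(cn=HRD)(memberUid=bob))."""
    m = re.fullmatch(r"\(&((?:\([^()]+\))+)\)", flt)
    if not m:
        raise ValueError("only (&(attr=value)...) filters are modelled: " + flt)
    return all(value in entry.get(attr.lower(), [])
               for attr, value in re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1)))


def group_helper(entries, template, user, group):
    """Mimic squid_ldap_group: OK when the filled-in filter matches any entry, else ERR."""
    return "OK" if any(matches(e, substitute(template, user, group)) for e in entries) else "ERR"
```

Running `group_helper(parse_ldif(SAMPLE_LDIF), MEMBER_FILTER, "rfirdaus", "HRD")` reproduces the ERR the commenters hit until memberUid was added to the group, while the name-only filter returns OK for that same user and for any name you invent.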

43 comments:

  1. Hey, thanks for your information,
    but I want to ask a few things, because I'm still stuck on group testing:
    when I try "/usr/lib/squid/squid_ldap_group -b "dc=yourdomain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h myServer" it still says "ERR".
    How do I fix it? And what is the meaning of %u or %g? Where can I find out about it??
    Thanks in advance..

    1. Sorry for the late reply. Can you send me the error details?

    2. Hey, I get the same problem as Anonymous; I'm still stuck on group testing.
      When I try "/usr/lib/squid/squid_ldap_group -b "dc=yourdomain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h myServer" it still says "ERR".
      Here is my LDAP structure:
      dn: cn=ramdan firdaus,cn=HRD,ou=groups,dc=ubuntu,dc=id
      cn: ramdan firdaus
      givenName: ramdan
      gidNumber: 501
      homeDirectory: /home/users/rfirdaus
      sn: firdaus
      objectClass: inetOrgPerson
      objectClass: posixAccount
      objectClass: top
      uidNumber: 1000
      uid: rfirdaus

      Thanks in advance

    3. Try this and post the output:

      /usr/lib/squid/squid_ldap_group -b "dc=yourdomain,dc=com" -f "(&(cn=%g))" -h myServer

    5. Thanks for the reply. That works and the result is "OK". But now can I make an access policy for every group in my LDAP? If yes, how do I do that?
      Thanks in advance

    6. Yes, just add this line to your squid.conf file:

      /usr/lib/squid/squid_ldap_group -b "dc=yourdomain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.202.10

      Note: the "memberUid" index should be defined in your LDAP, or whatever name represents your group.

    7. Yes, the authentication works correctly. But I have a scenario where I allow some groups to access the internet and deny any others; for example, I have 2 groups: staff and HRD. I want to allow staff to access the internet and deny HRD access to the internet. How does the ACL do that?

  2. Read the post; I mentioned this in my post.
    You have to add this line into squid.conf:

    ###deny all other user not in squid group####
    http_access deny !ldapgroup

    1. Yes, I have followed all the steps in your post, but when I try to enter the username and password in the browser the authentication always fails.
      Here is my squid.conf file:

      auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=id" -f "uid=%s" -h 192.168.42.221

      external_acl_type ldapgroups %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221

      acl ldapgroup external ldapgroups HRD

      acl ldapauth proxy_auth REQUIRED

      ....

      http_access deny !ldapgroup
      http_access allow ldapauth

      I don't know what is wrong with my configuration. Thanks.

    2. Send me your squid config file.

    3. auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=id" -f "uid=%s" -h 192.168.42.221

      external_acl_type ldapgroups %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221

      acl ldapgroup external ldapgroups HRD

      acl ldapauth proxy_auth REQUIRED

      acl manager proto cache_object
      acl localhost src 127.0.0.1/32 ::1
      acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

      acl localnet src 192.168.1.0/24

      acl SSL_ports port 443
      acl Safe_ports port 80 # http
      acl Safe_ports port 21 # ftp
      acl Safe_ports port 443 # https
      acl Safe_ports port 70 # gopher
      acl Safe_ports port 210 # wais
      acl Safe_ports port 1025-65535 # unregistered ports
      acl Safe_ports port 280 # http-mgmt
      acl Safe_ports port 488 # gss-http
      acl Safe_ports port 591 # filemaker
      acl Safe_ports port 777 # multiling http
      acl CONNECT method CONNECT

      http_access allow manager localhost
      http_access deny manager
      http_access deny !Safe_ports
      http_access deny CONNECT !SSL_ports

      http_access deny !ldapgroup
      http_access allow ldapauth

      http_access allow localhost
      http_access allow localnet
      http_access deny all

      http_port 3128

      coredump_dir /var/spool/squid3
      refresh_pattern ^ftp: 1440 20% 10080
      refresh_pattern ^gopher: 1440 0% 1440
      refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
      refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
      refresh_pattern . 0 20% 4320

    6. /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
      username groupname <-- here enter the user id and group name of a user who is in the HRD or staff group>

    7. As per your config file only HRD is allowed to access the internet. Just remove HRD and add staff to allow the staff group to access the internet; the others will be denied automatically by "http_access deny all".

    8. Thanks for your reply. Yes, I have run this command: /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
      and entered the user id and group name of a user who is in the HRD or staff group, but the result is always "ERR".

    9. As said before,
      /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g))" -h 192.168.42.221
      results in OK.
      Then can you confirm that the HRD and staff groups are both defined in LDAP, and that both have the memberUid index?

    10. Yes, I have run this command:
      /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g))" -h 192.168.42.221
      and entered the username and group name, and the result is OK. So which line in my squid.conf file is wrong? Or could you give me a good squid config to do what I mean?
      Thanks in advance

    11. This is my complete LDAP structure:
      # ubuntu.id
      dn: dc=ubuntu,dc=id
      objectClass: top
      objectClass: dcObject
      objectClass: organization
      o: Ubuntu Indonesia
      dc: ubuntu

      # admin, ubuntu.id
      dn: cn=admin,dc=ubuntu,dc=id
      objectClass: simpleSecurityObject
      objectClass: organizationalRole
      cn: admin
      description: LDAP administrator

      # groups, ubuntu.id
      dn: ou=groups,dc=ubuntu,dc=id
      objectClass: organizationalUnit
      objectClass: top
      ou: groups

      # staff, groups, ubuntu.id
      dn: cn=staff,ou=groups,dc=ubuntu,dc=id
      gidNumber: 500
      objectClass: posixGroup
      objectClass: top
      cn: staff

      # HRD, groups, ubuntu.id
      dn: cn=HRD,ou=groups,dc=ubuntu,dc=id
      gidNumber: 501
      cn: HRD
      objectClass: posixGroup
      objectClass: top

      # ramdan firdaus, HRD, groups, ubuntu.id
      dn: cn=ramdan firdaus,cn=HRD,ou=groups,dc=ubuntu,dc=id
      cn: ramdan firdaus
      givenName: ramdan
      gidNumber: 501
      homeDirectory: /home/users/rfirdaus
      sn: firdaus
      objectClass: inetOrgPerson
      objectClass: posixAccount
      objectClass: top
      uidNumber: 1000
      uid: rfirdaus

      # rafdi jaidi, staff, groups, ubuntu.id
      dn: cn=rafdi jaidi,cn=staff,ou=groups,dc=ubuntu,dc=id
      cn: rafdi jaidi
      givenName: rafdi
      gidNumber: 500
      homeDirectory: /home/users/rjaidi
      sn: jaidi
      objectClass: inetOrgPerson
      objectClass: posixAccount
      objectClass: top
      uidNumber: 1001
      uid: rjaidi

    14. This is my current squid.conf file:

      auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=id" -f "uid=%s" -h 192.168.42.221

      external_acl_type ldapgroups %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221

      acl ldapgroup external ldapgroups staff

      acl ldapauth proxy_auth REQUIRED

      acl manager proto cache_object
      acl localhost src 127.0.0.1/32 ::1
      acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

      acl localnet src 192.168.1.0/24

      acl SSL_ports port 443
      acl Safe_ports port 80 # http
      acl Safe_ports port 21 # ftp
      acl Safe_ports port 443 # https
      acl Safe_ports port 70 # gopher
      acl Safe_ports port 210 # wais
      acl Safe_ports port 1025-65535 # unregistered ports
      acl Safe_ports port 280 # http-mgmt
      acl Safe_ports port 488 # gss-http
      acl Safe_ports port 591 # filemaker
      acl Safe_ports port 777 # multiling http
      acl CONNECT method CONNECT

      http_access allow manager localhost
      http_access deny manager
      http_access deny !Safe_ports
      http_access deny CONNECT !SSL_ports

      http_access deny !ldapgroup
      http_access allow ldapauth

      http_access allow localhost
      http_access allow localnet
      http_access deny all

      http_port 3128

      coredump_dir /var/spool/squid3
      refresh_pattern ^ftp: 1440 20% 10080
      refresh_pattern ^gopher: 1440 0% 1440
      refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
      refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
      refresh_pattern . 0 20% 4320

      What must I add, remove or change in this squid config?

    15. You have to edit this line and add -d -v 3 to the config line:

      auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=server,dc=com" -f "uid=%s" -h 192.168.202.10 -d -v 3

      As I asked, memberUid is in your command line, but I don't know whether memberUid is defined in your LDAP.

      When you run this command:
      /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g))" -h 192.168.42.221
      it prints OK.

      But when you run this command:
      /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
      it prints ERR.

      You have to add the memberUid index to your group staff and add some users to memberUid.

    16. You have to replace "memberUid" with the name of the attribute in which you are adding users to the staff group.

      You can find the attribute in the group entry (staff).

      As per your squid file only staff is allowed to access the internet; no need to add any ACL for HRD.

    17. These details are not required for LDAP; just print here the details of

      cn=staff,ou=groups,dc=server,dc=com <-- here you may find the attribute for users that will be used in place of memberUid>

    18. I have added the memberUid index to group staff and added some users to memberUid.
      And now when I run this command:
      /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
      the result is OK.

      But I don't understand what you mean by -> you have to replace "memberUid" with the name of the attribute in which you are adding users to the staff group.

    19. This is my current squid.conf file:

      auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=id" -f "uid=%s" -h 192.168.42.221 -d -v 3

      external_acl_type ldapgroups %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221

      acl ldapgroup external ldapgroups staff

      acl ldapauth proxy_auth REQUIRED

      acl manager proto cache_object
      acl localhost src 127.0.0.1/32 ::1
      acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

      acl localnet src 192.168.1.0/24

      acl SSL_ports port 443
      acl Safe_ports port 80 # http
      acl Safe_ports port 21 # ftp
      acl Safe_ports port 443 # https
      acl Safe_ports port 70 # gopher
      acl Safe_ports port 210 # wais
      acl Safe_ports port 1025-65535 # unregistered ports
      acl Safe_ports port 280 # http-mgmt
      acl Safe_ports port 488 # gss-http
      acl Safe_ports port 591 # filemaker
      acl Safe_ports port 777 # multiling http
      acl CONNECT method CONNECT

      http_access allow manager localhost
      http_access deny manager
      http_access deny !Safe_ports
      http_access deny CONNECT !SSL_ports

      http_access deny !ldapgroup
      http_access allow ldapauth

      http_access allow localhost
      http_access allow localnet
      http_access deny all

      http_port 3128

      coredump_dir /var/spool/squid3
      refresh_pattern ^ftp: 1440 20% 10080
      refresh_pattern ^gopher: 1440 0% 1440
      refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
      refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
      refresh_pattern . 0 20% 4320


      The authentication still fails.

    20. Ohh, finally it works. Thanks very much for always responding to my comments. The main problem was that I had not added the "memberUid" attribute to my LDAP group.

  3. Hey Vikash, currently my squid configuration is allowing internet access for users in the staff group and denying internet access for users in other groups.
    But can I give an internet access policy to every user in the groups? For example:
    1. A user in the staff group can access http://www.w3.org/ while a user in HRD is denied access to http://www.w3.org/
    2. Users in both the staff group and the HRD group are allowed to access the internet.

    Thanks in advance

    1. Yes, you have to add every user to the group that is allowed to access the internet; in your case you have to add every user to the staff group.

    2. No, I mean users in both the staff group and the HRD group can access the internet, but every group has its own policy. For example:
      a user in the staff group can access http://www.w3.org/ while a user in HRD is denied access to http://www.w3.org/

      How does the ACL do that? Thanks for your reply.

    3. Hey Vikash, I'm sorry, any idea please to solve my problem?

    4. Try to add the HRD group just after the staff group in the squid config file,
      i.e.: acl ldapgroup external ldapgroups staff HRD

    5. Thanks for the reply. Yes, I have added the HRD group after the staff group in the squid config file; below is my current squid config file:

      auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=id" -f "uid=%s" -h 192.168.42.221 -d -v 3

      external_acl_type ldapgroups %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221

      acl ldapgroup external ldapgroups staff HRD

      acl ldapauth proxy_auth REQUIRED

      acl manager proto cache_object
      acl localhost src 127.0.0.1/32 ::1
      acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

      acl localnet src 192.168.42.0/24

      acl SSL_ports port 443
      acl Safe_ports port 80 # http
      acl Safe_ports port 21 # ftp
      acl Safe_ports port 443 # https
      acl Safe_ports port 70 # gopher
      acl Safe_ports port 210 # wais
      acl Safe_ports port 1025-65535 # unregistered ports
      acl Safe_ports port 280 # http-mgmt
      acl Safe_ports port 488 # gss-http
      acl Safe_ports port 591 # filemaker
      acl Safe_ports port 777 # multiling http
      acl CONNECT method CONNECT


      http_access allow manager localhost
      http_access deny manager
      http_access deny !Safe_ports
      http_access deny CONNECT !SSL_ports


      http_access deny !ldapgroup
      http_access allow ldapauth

      http_access allow localhost
      http_access allow localnet
      http_access deny all

      http_port 3128

      coredump_dir /var/spool/squid3
      refresh_pattern ^ftp: 1440 20% 10080
      refresh_pattern ^gopher: 1440 0% 1440
      refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
      refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
      refresh_pattern . 0 20% 4320

      So how does the ACL give the policy to every group (staff and HRD)?
      i.e.: a user in the staff group can access http://www.w3.org/ while a user in HRD is denied access to http://www.w3.org

    6. I'm sorry, any idea please to solve my problem?

    7. I got LDAP group authentication working.

      Now I want to know how I can give permission for a specific site to a user who is not in ldapgroups
      and then deny all users who are not in ldapgroups.

  4. I have installed a Zimbra LDAP server and squid on the same server with IP address 10.1.1.145 and I am unable to connect to the Zimbra LDAP.

    I have posted the error message.

    [root@zimbra squid]# hostname
    zimbra.com
    [root@zimbra squid]# /usr/lib64/squid/squid_ldap_auth -v 3 -b "dc=zimbra,dc=com" -f "(&(uid=%s)(objectClass=zimbraAccount))" -h 10.1.1.145 -d
    anand anand@123
    user filter '(&(uid=anand)(objectClass=zimbraAccount))', searchbase 'dc=zimbra,dc=com'
    Ldap search returned nothing
    ERR Success

    I want my squid to communicate with the Zimbra LDAP server.

  5. Hi...
    I have OpenDJ as my LDAP server and am trying to authenticate users based on groups from it.
    Here is my squid.conf:

    external_acl_type ldapgroup %LOGIN /usr/lib64/squid/squid_ldap_group -d -R -v 3 -b "dc=example,dc=in" -B "ou=rusers,dc=example,dc=in" -D "cn=manager" -W /root/dspasswd.txt --c 500 -f "(&(uid=%u)(ismemberOf=cn=%g,cn=access,dc=example,dc=in))" -h 10.10.2.25

    I'm able to execute this command successfully:
    # /usr/lib64/squid/squid_ldap_group -d -R -v 3 -b "dc=example,dc=in" -B "ou=rusers,dc=example,dc=in" -D "cn=manager" -W /root/dspasswd.txt --c 500 -f "(&(uid=%u)(ismemberOf=cn=%g,cn=access,dc=example,dc=in))" -h 10.10.2.25
    Testuser1 squid
    OK

    But it is not working in squid.
    The Squid authentication prompt pops up and the logs show TCP_DENIED.

    Kindly help!!!

    1. Okay, I solved it...
      I just used ipv4 before %LOGIN because squid was trying to bind using IPv6. Here is the cache log saying this:

      commBind: Cannot bind socket FD 25 to [::1]: (99) Cannot assign requested address
