How to Set Up a Squid Proxy Server With LDAP Auth
Follow this post to install Squid with LDAP authentication. I assume you already have an LDAP server that authenticates users on the intranet (192.168.1.12 in this write-up; the example commands below use 192.168.202.10, so substitute your own address throughout) and that your proxy server's IP is 192.168.202.17. The proxy server needs a direct internet connection, either through DSL or another modem or through the firewall.
Log in to your Linux server and follow the step-by-step guide.
[root@proxy ~]# ping www.google.com <-- check that the proxy itself can reach the internet>
64 bytes from maa03s04-in-f18.1e100.net (74.125.236.50): icmp_seq=1 ttl=57 time=37.8 ms
[root@proxy ~]# yum install squid nss_ldap -y <-- the squid package ships the squid_ldap_auth and squid_ldap_group helpers; nss_ldap is only needed if the proxy host itself should resolve LDAP users through NSS>
[root@proxy ~]# cp -p /etc/squid/squid.conf /etc/squid/squid.conf.bkp <-- keep a backup of the stock config>
[root@proxy ~]# vi /etc/squid/squid.conf (edit the following lines; replace dc=yourdomain,dc=com and 192.168.202.10 with your own base DN and LDAP server address)
#auth_param basic program /usr/lib/squid/ncsa_auth /usr/local/squid/etc/passwd <-- comment out this line (line 274 in the stock squid.conf)>
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=yourdomain,dc=com" -f "uid=%s" -h 192.168.202.10 -d -v 3 <-- LDAP authentication: %s is replaced by the login name, -v 3 selects LDAP protocol version 3, and -d writes debug output to cache.log, so drop it once the setup works>
## external_acl_type: group lookup in LDAP for the authenticated user (%LOGIN)
external_acl_type ldapgroups %LOGIN /usr/lib/squid/squid_ldap_group -b "dc=yourdomain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.202.10 <-- %u is replaced by the login name and %g by each group name listed on the acl line, so the group entry must carry the user's login in its memberUid attribute; add -Z to both helpers if the LDAP server supports StartTLS, otherwise passwords travel in the clear between proxy and directory>
acl ldapgroup external ldapgroups squid <-- add this line after line 572; "squid" is the LDAP group whose members may use the proxy>
### deny every user who is not in the squid group ###
http_access deny !ldapgroup
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
Keep these two http_access lines above "http_access allow localnet" and "http_access deny all": Squid evaluates http_access rules in order, and the group check can only run once the browser has authenticated, so unauthenticated requests are challenged for credentials and non-members are denied before any allow rule is reached. Basic authentication only base64-encodes the password between browser and proxy, so do not expose port 3128 beyond the intranet.
To make sure your Squid server can talk to the LDAP server, run the helpers by hand. Each one reads a single request per line on stdin and answers OK or ERR: type a username and password (for squid_ldap_auth) or a username and group name (for squid_ldap_group) separated by a space, then press Enter. The output should look like this; if it does not, something went wrong. ERR from squid_ldap_group while squid_ldap_auth answers OK usually means the group entry has no memberUid value equal to the login name.
[root@proxy ~]# /usr/lib/squid/squid_ldap_auth -b "dc=yourdomain,dc=com" -f "uid=%s" -h 192.168.202.10 -d -v 3
username password
user filter 'uid=username', searchbase 'dc=yourdomain,dc=com'
attempting to authenticate user 'uid=username,ou=users,dc=yourdomain,dc=com'
OK
[root@proxy ~]# /usr/lib/squid/squid_ldap_group -b "dc=yourdomain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.202.10
username group
OK
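The helper exchange above, as an added example that is not part of the original post or of Squid's own code: a Python model of what squid_ldap_auth and squid_ldap_group do with the -f template and with each request line. The in-memory directory, the users alice and bob with their passwords, and the groups squid and HRD are constructed sample data, and the filter matcher covers only the equality, wildcard, & and | forms needed here (a real helper binds to the LDAP server instead). It takes the same "username password" and "username group" lines the real helpers read; injection_contrast shows why a helper must escape the login before substituting it into the filter (the stock Squid helpers escape it themselves), and the loosened "(&(cn=%g))" filter from the discussion below answers OK for a user who is not in the group at all.

```python
"""Model of the stdin/stdout protocol behind squid_ldap_auth and squid_ldap_group.

Added example (not the post's or Squid's code): reproduces, against a constructed
in-memory directory, the substitution the helpers do for -f "uid=%s" and
-f "(&(cn=%g)(memberUid=%u))" and the one-line-in / OK-or-ERR-out exchange.
"""
import re
from urllib.parse import unquote

# Constructed sample directory (DN -> attributes), laid out like the post:
# users under ou=users, posixGroup entries under ou=groups with memberUid.
DIRECTORY = {
    "uid=alice,ou=users,dc=yourdomain,dc=com": {"uid": ["alice"], "userPassword": ["alice-secret"]},
    "uid=bob,ou=users,dc=yourdomain,dc=com": {"uid": ["bob"], "userPassword": ["bob-secret"]},
    "cn=squid,ou=groups,dc=yourdomain,dc=com": {"cn": ["squid"], "memberUid": ["alice"]},
    "cn=HRD,ou=groups,dc=yourdomain,dc=com": {"cn": ["HRD"], "memberUid": ["bob"]},
}
BASE = "dc=yourdomain,dc=com"

def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a filter. Without it a
    login of '*' or 'x)(uid=*' rewrites the filter instead of being matched."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def expand_filter(template, user="", group=""):
    """Expand %s/%u/%v (login name) and %g (group name from the acl line)
    in a single pass, escaping each substituted value."""
    subs = {"s": user, "u": user, "v": user, "g": group}
    return re.sub(r"%([suvg])", lambda m: ldap_escape(subs[m.group(1)]), template)

def _parse(filt, pos=0):
    """Parse (attr=value), (&...) and (|...); returns (node, next_pos)."""
    if filt[pos] != "(":
        raise ValueError("filter must start with '('")
    if filt[pos + 1] in "&|":
        op, pos, kids = filt[pos + 1], pos + 2, []
        while filt[pos] != ")":
            kid, pos = _parse(filt, pos)
            kids.append(kid)
        return (op, kids), pos + 1
    end = filt.index(")", pos)
    attr, _, value = filt[pos + 1:end].partition("=")
    return ("=", attr, value), end + 1

def _value_regex(value):
    """Filter value -> regex: a bare '*' is a wildcard, '\\XX' is a literal byte."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(".*" if value[i] == "*" else re.escape(value[i]))
            i += 1
    return "".join(parts)

def _match(node, attrs):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_match(kid, attrs) for kid in node[1])
    _, attr, value = node
    regex = _value_regex(value)
    return any(re.fullmatch(regex, v) for v in attrs.get(attr, []))

def search(base, filt):
    """Subtree search: DNs under base whose attributes satisfy the filter."""
    if not filt.startswith("("):      # squid_ldap_auth accepts a bare uid=%s
        filt = "(" + filt + ")"
    node, _ = _parse(filt)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and _match(node, attrs)]

def basic_auth_helper(line, template="uid=%s"):
    """One squid_ldap_auth request: Squid sends 'user password' (both
    URL-encoded); exactly one matching entry whose password verifies -> OK."""
    fields = line.rstrip("\n").split(" ", 1)
    if len(fields) != 2:
        return "ERR"
    user, password = (unquote(f) for f in fields)
    hits = search(BASE, expand_filter(template, user=user))
    if len(hits) != 1:                # unknown user, or an ambiguous filter -> ERR
        return "ERR"
    # The real helper binds as hits[0] with the password; here we just compare.
    return "OK" if password in DIRECTORY[hits[0]].get("userPassword", []) else "ERR"

def group_helper(line, template="(&(cn=%g)(memberUid=%u))"):
    """One squid_ldap_group request: 'user group [group ...]' where the group
    names come from the acl line; OK if the user is in any of them."""
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"
    user, groups = fields[0], fields[1:]
    return "OK" if any(search(BASE, expand_filter(template, user=user, group=g))
                       for g in groups) else "ERR"

def injection_contrast(user="*", group="squid"):
    # Same non-member login through a naive substitution and through expand_filter:
    # returns (unescaped result, escaped result).
    template = "(&(cn=%g)(memberUid=%u))"
    raw = template.replace("%g", group).replace("%u", user)
    return (bool(search(BASE, raw)), bool(search(BASE, expand_filter(template, user=user, group=group))))
```

The test you run by hand against the real helpers is the same exchange: if squid_ldap_group answers ERR while squid_ldap_auth answers OK, the search that group_helper models found no group entry whose memberUid holds that login.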
hey, thanks for your information,
but I want to ask a few things, because I'm still stuck on group testing:
when I try "/usr/lib/squid/squid_ldap_group -b "dc=yourdomain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h myServer" it still returns "ERR".
How do I fix it? And what is the meaning of %u or %g, where can I find information about it?
thanks in advance..
Sorry for the late reply. Can you send me the error details?
hey, I get the same problem as Anonymous, I'm still stuck on group testing.
when I try "/usr/lib/squid/squid_ldap_group -b "dc=yourdomain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h myServer" it still returns "ERR".
here is my LDAP structure:
dn: cn=ramdan firdaus,cn=HRD,ou=groups,dc=ubuntu,dc=id
cn: ramdan firdaus
givenName: ramdan
gidNumber: 501
homeDirectory: /home/users/rfirdaus
sn: firdaus
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: rfirdaus
thanks in advance
try this and post the output:
/usr/lib/squid/squid_ldap_group -b "dc=yourdomain,dc=com" -f "(&(cn=%g))" -h myServer
thanks for the reply. That works and the result is "OK". But now can I make an access policy for every group in my LDAP? If yes, how do I do that?
thanks in advance
yes, just add this line to your squid.conf file:
/usr/lib/squid/squid_ldap_group -b "dc=yourdomain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.202.10
Note: the "memberUid" attribute should be defined in your LDAP, or whatever attribute name represents your group membership.
yes, the authentication works correctly. But I have a scenario to allow some groups to access the internet and deny all others; for example I have 2 groups, staff and HRD, and I want to allow staff to access the internet and deny HRD access to the internet. How does the ACL do that?
Read the post, I mentioned this in my post.
You have to add these lines to squid.conf:
###deny all other users not in squid group####
http_access deny !ldapgroup
yes, I have followed all the steps in your post, but when I try to enter the username and password in the browser the authentication always fails.
here is my squid.conf file:
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=id" -f "uid=%s" -h 192.168.42.221
external_acl_type ldapgroups %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
acl ldapgroup external ldapgroups HRD
acl ldapauth proxy_auth REQUIRED
....
http_access deny !ldapgroup
http_access allow ldapauth
I don't know what is wrong with my configuration. thanks
send me your squid config file
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=id" -f "uid=%s" -h 192.168.42.221
external_acl_type ldapgroups %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
acl ldapgroup external ldapgroups HRD
acl ldapauth proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !ldapgroup
http_access allow ldapauth
http_access allow localhost
http_access allow localnet
http_access deny all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
/usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
username groupname <- here enter the user id and group name of a user who is in the HRD or staff group.>
as per your config file only HRD is allowed to access the internet; just remove HRD and add staff to allow the staff group to access the internet, others will be denied automatically by "http_access deny all".
thanks for your reply. yes, I have run this command: /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
and entered the user id and group name of a user who is in the HRD or staff group, but the result is always "ERR"
as said before,
/usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g))" -h 192.168.42.221
results in OK.
Then can you confirm that the HRD and staff groups are both defined in LDAP, and that both have the memberUid attribute?
yes, I have run this command:
/usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g))" -h 192.168.42.221
and entered the username and group name, and the result is OK. So which line in my squid.conf file is wrong? Or could you give me a good squid config to do what I mean?
thanks in advance
this is my complete LDAP structure:
# ubuntu.id
dn: dc=ubuntu,dc=id
objectClass: top
objectClass: dcObject
objectClass: organization
o: Ubuntu Indonesia
dc: ubuntu
# admin, ubuntu.id
dn: cn=admin,dc=ubuntu,dc=id
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# groups, ubuntu.id
dn: ou=groups,dc=ubuntu,dc=id
objectClass: organizationalUnit
objectClass: top
ou: groups
# staff, groups, ubuntu.id
dn: cn=staff,ou=groups,dc=ubuntu,dc=id
gidNumber: 500
objectClass: posixGroup
objectClass: top
cn: staff
# HRD, groups, ubuntu.id
dn: cn=HRD,ou=groups,dc=ubuntu,dc=id
gidNumber: 501
cn: HRD
objectClass: posixGroup
objectClass: top
# ramdan firdaus, HRD, groups, ubuntu.id
dn: cn=ramdan firdaus,cn=HRD,ou=groups,dc=ubuntu,dc=id
cn: ramdan firdaus
givenName: ramdan
gidNumber: 501
homeDirectory: /home/users/rfirdaus
sn: firdaus
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: rfirdaus
# rafdi jaidi, staff, groups, ubuntu.id
dn: cn=rafdi jaidi,cn=staff,ou=groups,dc=ubuntu,dc=id
cn: rafdi jaidi
givenName: rafdi
gidNumber: 500
homeDirectory: /home/users/rjaidi
sn: jaidi
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1001
uid: rjaidi
this is my current squid.conf file:
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=id" -f "uid=%s" -h 192.168.42.221
external_acl_type ldapgroups %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
acl ldapgroup external ldapgroups staff
acl ldapauth proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !ldapgroup
http_access allow ldapauth
http_access allow localhost
http_access allow localnet
http_access deny all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
what must I add, remove or change in this squid config?
you have to edit this line and add -d -v 3 to the config line:
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=server,dc=com" -f "uid=%s" -h 192.168.202.10 -d -v 3
As I asked, memberUid is in your command line but I don't know whether memberUid is defined in your LDAP.
when you run this command:
/usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g))" -h 192.168.42.221
it prints OK.
But when you run this command:
/usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
it prints ERR.
You have to add the memberUid attribute to your group staff and add some users to memberUid.
You have to replace "memberUid" with the name of the attribute in which you are adding users to the staff group.
That attribute you can find in the group entry (staff).
as per your squid file only staff is allowed to access the internet, no need to add any acl for HRD.
These LDAP details are not required, just print here the details of
cn=staff,ou=groups,dc=server,dc=com <-- here you may find the attribute for users that will be used in place of memberUid>
I have added the memberUid attribute to group staff and added some users to memberUid.
and now when I run this command:
/usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
the result is OK
but I don't understand what you mean by -> you have to replace "memberUid" with the name of the attribute in which you are adding users to the staff group.
this is my current squid.conf file:
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=id" -f "uid=%s" -h 192.168.42.221 -d -v 3
external_acl_type ldapgroups %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
acl ldapgroup external ldapgroups staff
acl ldapauth proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !ldapgroup
http_access allow ldapauth
http_access allow localhost
http_access allow localnet
http_access deny all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
the authentication still fails.
oh, finally it works, thanks very much for always responding to my comments. The main problem was that I had not added the "memberUid" attribute to my LDAP group.
hey vikash, currently my squid configuration is allowing internet access for users in the staff group and denying internet access for users in other groups.
but can I give an internet access policy to every user in the groups? for example:
1. users in the staff group can access http://www.w3.org/ while users in HRD are denied access to http://www.w3.org/
2. both users in the staff group and users in the HRD group are allowed to access the internet.
thanks in advance
yes, you have to add every user to the group that is allowed to access the internet; in your case you have to add every user to the staff group.
no, I mean both users in the staff group and users in the HRD group can access the internet, but every group has its own policy. for example:
users in the staff group can access http://www.w3.org/ while users in HRD are denied access to http://www.w3.org/
how does the acl do that? thanks for your reply
hey vikash, I'm sorry, any idea please to solve my problem?
try to add the HRD group just after the staff group in the squid config file
i.e.: acl ldapgroup external ldapgroups staff HRD
thanks for the reply. yes, I have added the HRD group after the staff group in the squid config file, below is my current squid config file:
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=id" -f "uid=%s" -h 192.168.42.221 -d -v 3
external_acl_type ldapgroups %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=ubuntu,dc=id" -f "(&(cn=%g)(memberUid=%u))" -h 192.168.42.221
acl ldapgroup external ldapgroups staff HRD
acl ldapauth proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.42.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !ldapgroup
http_access allow ldapauth
http_access allow localhost
http_access allow localnet
http_access deny all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
so how does the acl give a policy to every group (staff and HRD)?
i.e.: users in the staff group can access http://www.w3.org/ while users in HRD are denied access to http://www.w3.org
I'm sorry, any idea please to solve my problem
I got LDAP group authentication to succeed.
Now I want to know how I can give permission for a specific site to a user who is not in ldapgroups
and then deny all users who are not in ldapgroups.
I have installed the Zimbra LDAP server and squid on the same server with IP address 10.1.1.145 and I am unable to connect to the Zimbra LDAP.
I am posting the error message.
[root@zimbra squid]# hostname
zimbra.com
[root@zimbra squid]# /usr/lib64/squid/squid_ldap_auth -v 3 -b "dc=zimbra,dc=com" -f "(&(uid=%s)(objectClass=zimbraAccount))" -h 10.1.1.145 -d
anand anand@123
user filter '(&(uid=anand)(objectClass=zimbraAccount))', searchbase 'dc=zimbra,dc=com'
Ldap search returned nothing
ERR Success
I want my squid to communicate with the Zimbra LDAP server.
Hi...
I have OpenDJ as my LDAP server and am trying to authenticate users based on groups from it.
Here is my squid.conf
external_acl_type ldapgroup %LOGIN /usr/lib64/squid/squid_ldap_group -d -R -v 3 -b "dc=example,dc=in" -B "ou=rusers,dc=example,dc=in" -D "cn=manager" -W /root/dspasswd.txt --c 500 -f "(&(uid=%u)(ismemberOf=cn=%g,cn=access,dc=example,dc=in))" -h 10.10.2.25
I'm successfully able to execute command
# /usr/lib64/squid/squid_ldap_group -d -R -v 3 -b "dc=example,dc=in" -B "ou=rusers,dc=example,dc=in" -D "cn=manager" -W /root/dspasswd.txt --c 500 -f "(&(uid=%u)(ismemberOf=cn=%g,cn=access,dc=example,dc=in))" -h 10.10.2.25
Testuser1 squid
OK
But it is not working in squid.
The Squid authentication prompt pops up and the logs show TCP_DENIED.
Kindly help!!!
okay, I solved it...
Just used ipv4 before %LOGIN because squid was trying to bind using IPv6. Here is the cache log saying this:
commBind: Cannot bind socket FD 25 to [::1]: (99) Cannot assign requested address
CentOS 7 not working