OpenBSD+Squid+Dansguardian+ldap+Active Directory

This setup was tested with OpenBSD 5.1, squid-2.7-ldap, dansguardian-2.10.1.1 and Windows 2008 Server.

I will show how to authenticate Squid proxy users against Active Directory using squid_ldap_auth and squid_ldap_group.

The basic configuration is:

In squid.conf, put:

auth_param basic program /usr/local/libexec/squid_ldap_auth -v 3 -R -b dc=yourdomain,dc=com -D cn="Squid Authenticator",ou=IT,ou="Users and Groups",dc=yourdomain,dc=com -W /etc/squid/passfile -f sAMAccountName=%s 10.20.30.1

external_acl_type proxygroup %LOGIN /usr/local/libexec/squid_ldap_group -v 3 -R -b dc=yourdomain,dc=com -D cn="Squid Authenticator",ou=IT,ou="Users and Groups",dc=yourdomain,dc=com -W /etc/squid/passfile -f (&(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,ou=Groups,ou=Organization,ou="Users and Groups",dc=yourdomain,dc=com)) 10.20.30.1

acl ad_auth proxy_auth REQUIRED
acl netaccess external proxygroup url_regex "/etc/squid/group"

…..

http_access deny !ad_auth
http_access allow netaccess

Quick explanation:

cn="Squid Authenticator" = Display Name of the user account in Active Directory that Squid binds with

ou=..., ou=... = the OUs that make up the full path of that account, up to the top of the domain

/etc/squid/passfile = contains the password of the Squid Authenticator account (keep it readable only by the squid user)

10.20.30.1 = IP address of the Active Directory domain controller

url_regex "/etc/squid/group" = if the group name contains spaces, for example "Internet Access", put the name into a file called group; if it does not, use:

acl netaccess external proxygroup InternetAccess
where InternetAccess is the name of the group

squid_ldap_group = used to check that the authenticated user belongs to the specific group

dansguardian.conf

Uncomment:

authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'

Tips: Test the LDAP authenticators with the -d parameter, it is useful for debugging, and test them from the command line directly.
For squid_ldap_auth, the input syntax is: username password
For squid_ldap_group, the input syntax is: username group
To test a group with spaces from the shell, use: Internet%20Access
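
The helpers read their input fields URL-encoded (which is why the shell test uses Internet%20Access) and substitute them into the -f filter templates above. The following is an added Python illustration, not part of this post and not the Squid helpers' own code: it decodes the fields, escapes them per RFC 4515 before substitution, and shows the filters the two templates from the squid.conf lines produce. The function names and the sample usernames are my own.

```python
import re
import urllib.parse

# RFC 4515 escaping for a value placed inside an LDAP search filter.
# Illustration only: the real squid_ldap_auth/squid_ldap_group helpers do
# their own escaping internally; this shows why that step matters.
_LDAP_ESCAPES = {
    '\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00',
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return ''.join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def decode_helper_field(field: str) -> str:
    """Squid passes helper input fields URL-encoded, e.g. 'Internet%20Access'."""
    return urllib.parse.unquote(field)


def _substitute(template: str, mapping: dict) -> str:
    """Replace %s/%v/%a in one pass so substituted text is never re-expanded."""
    return re.sub(r'%[sva]', lambda m: mapping.get(m.group(0), m.group(0)), template)


def auth_filter(template: str, username: str) -> str:
    """Filter built from the -f template of squid_ldap_auth (%s = username)."""
    return _substitute(template, {'%s': ldap_filter_escape(decode_helper_field(username))})


def group_filter(template: str, username: str, group: str) -> str:
    """Filter built from the -f template of squid_ldap_group (%v = user, %a = group)."""
    return _substitute(template, {
        '%v': ldap_filter_escape(decode_helper_field(username)),
        '%a': ldap_filter_escape(decode_helper_field(group)),
    })


# Templates copied from the squid.conf lines in this post (example domain).
AUTH_TEMPLATE = 'sAMAccountName=%s'
GROUP_TEMPLATE = ('(&(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,ou=Groups,'
                  'ou=Organization,ou="Users and Groups",dc=yourdomain,dc=com))')

if __name__ == '__main__':
    print(auth_filter(AUTH_TEMPLATE, 'jdoe'))                     # constructed user
    print(group_filter(GROUP_TEMPLATE, 'jdoe', 'Internet%20Access'))  # %20 -> space
    print(auth_filter(AUTH_TEMPLATE, 'jdoe)(objectClass=*'))      # metachars escaped
```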

That is it.
