This setup was tested with OpenBSD 5.1, squid-2.7-ldap, dansguardian-2.10.1.1 and Windows 2008 Server
I will show how to authenticate Squid Proxy in Active Directory using squid_ldap_auth and squid_ldap_group.
The basic for this is:
At squid.conf put
auth_param basic program /usr/local/libexec/squid_ldap_auth -v 3 -R -b dc=yourdomain,dc=com -D cn=”Squid Authenticator”,ou=IT,ou=”Users and Groups”,dc=yourdomain,dc=com -W /etc/squid/passfile -f sAMAccountName=%s 10.20.30.1
external_acl_type proxygroup %LOGIN /usr/local/libexec/squid_ldap_group -v 3 -R -b dc=yourdomain,dc=com -D cn=”Squid Authenticator”,ou=IT,ou=”Users and Groups”,dc=yourdomain,dc=com -W /etc/squid/passfile -f (&(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,ou=Groups,ou=Organization,ou=”Users and Groups”,dc=yourdomain,dc=com)) 10.20.30.1
acl ad_auth proxy_auth REQUIRED
acl netaccess external proxygroup url_regex “/etc/squid/group”
…..
http_access deny !ad_auth
http_access allow netaccess
Quick explanation:
cn=”Squid Authenticator” = Display Name of User account in Active Directory
ou=…., ou… = recursive search to top of domain
/etc/squid/passfile = Contains password of Squid Authenticator account
10.20.30.1 = Ip address of Active Directory
url_regex “/etc/squid/group” = If the group contain spaces, example: Internet Access, put into file called group, if not use:
acl netaccess external proxygroup InternetAccess
where InternetAccess is name of the groupsquid_ldap_group = was used to autheticate users that belong of specific group
dansguardian.conf
Uncomment:
authplugin = ‘/etc/dansguardian/authplugins/proxy-basic.conf’
Tips: Test ldap authenticators with -d param, it is usefull to debug, and test from command line directly.
To squid_ldap_auth, the sintax is: username password
To squid_ldap_group, the sintax is: username group
To Test group with spaces from shell, use: Internet%20Access
That is