Re: [squid-users] how to authenticate with Active Directory?


If you want to use 'Basic' Auth whereby when a user requests access to the internet they are asked for their active directory username and password, you need to define a few things.


First the source of the authentication, in this case the LDAP service from your active directory server.
Something like this:


auth_param basic program /usr/lib/squid/ldap_auth -b <BaseDN of where active directory is> -f (cn=%s) -H ldap://active_directory_hostname

Next is a new type of ACL (access control list) called 'external', which makes squid consult another source to find out whether some object is allowed or not. Something like this:

external_acl_type internetusersgroup %LOGIN /usr/lib/squid/squid_ldap_group -b <BaseDN where active directory is> -f (&(cn=%u)(memberOf=%g)) -H ldap://active_directory_host -S

Then you need to define an ordinary ACL that calls the proxy authentication request - so the user sees the username/password dialog:

acl authenticated_user proxy_auth REQUIRED

Finally an ACL that says ask the external ACL type you defined if the user is in the group:

acl internetusers external internetusersgroup cn=internetusers,<BaseDN of active directory as above>

Then you can say

http_access allow internetusers authenticated_user

So if the user enters their credentials AND is in the active directory group you defined, then they will be allowed access.

Obviously you will need more settings such as further http_access rules for your site and there are several timeout settings associated with this setup.

The various components are reasonably well documented. Most of the answers are there.

cheers

r.

AybOwan!

This is my first question for the list.

I want to deploy a proxy server for my company to manage
authentication for internet users. Our main network is running on a
Windows 2000 server domain. I created a group in Active Directory
called "internetusers". I need to enable all "internetusers" group
members to browse the internet. How can I do this by deploying a squid-cache
proxy server?

Linux Distro:- Mandrake 10.2 official
Windows version:- Windows 2000 server
Have 1 ADSL router + 2 NICs.

Can you please guide me to succeed with my project?

--
Linux everywhere
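
The directives in the reply above form a chain (auth_param, external_acl_type, the proxy_auth and external ACLs, then http_access) that only works if each name is spelled the same at every step. A small cross-reference checker for that chain, as an added example that is not part of the original messages or of Squid; `lint_squid_auth` is a hypothetical helper, the `dc=example,dc=test` base DN and `dc1.example.test` host are constructed placeholders, and treating `all` as a predefined ACL is an assumption.

```python
BUILTIN_ACLS = {"all"}  # assumption: 'all' is predefined (Squid 3.x and later)

# Constructed sample: the reply's directives with placeholder DN and host.
SAMPLE = """\
auth_param basic program /usr/lib/squid/ldap_auth -b dc=example,dc=test -f (cn=%s) -H ldap://dc1.example.test
external_acl_type internetusersgroup %LOGIN /usr/lib/squid/squid_ldap_group -b dc=example,dc=test -f (&(cn=%u)(memberOf=%g)) -H ldap://dc1.example.test -S
acl authenticated_user proxy_auth REQUIRED
acl internetusers external internetusersgroup cn=internetusers,dc=example,dc=test
http_access allow internetusers authenticated_user
http_access deny all
"""

def lint_squid_auth(conf):
    """Return a list of problems in the authentication chain of a squid.conf text."""
    auth_schemes, ext_types, acls, rules = set(), set(), {}, []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if tok[0] == "auth_param" and tok[2:3] == ["program"]:
            auth_schemes.add(tok[1])            # e.g. "basic"
        elif tok[0] == "external_acl_type" and len(tok) > 1:
            ext_types.add(tok[1])               # helper name used by 'acl ... external'
        elif tok[0] == "acl" and len(tok) > 2:
            acls.setdefault(tok[1], (lineno, tok[2], tok[3:]))
        elif tok[0] == "http_access":
            rules.append((lineno, tok[2:]))     # ACL names after allow/deny
    problems = []
    for name, (lineno, kind, args) in acls.items():
        if kind == "proxy_auth" and not auth_schemes:
            problems.append(f"line {lineno}: acl {name} needs an 'auth_param <scheme> program' line")
        if kind == "external" and (not args or args[0] not in ext_types):
            helper = args[0] if args else "<missing>"
            problems.append(f"line {lineno}: acl {name} uses undefined external_acl_type {helper}")
    for lineno, names in rules:
        for ref in names:
            acl_name = ref.lstrip("!")          # '!name' negates an ACL
            if acl_name not in acls and acl_name not in BUILTIN_ACLS:
                problems.append(f"line {lineno}: http_access references undefined acl {acl_name}")
    return problems

if __name__ == "__main__":
    for problem in lint_squid_auth(SAMPLE) or ["no problems found"]:
        print(problem)
```

This only cross-references names; `squid -k parse` is still the check to run against the real configuration file.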


