squid_ldap_auth

Hi.

I'm trying to replace the 'ntlm_auth' helper with the '--require-membership-of=' key, due to the growing complexity of squid ACLs when using different authentication schemes simultaneously. I'm authenticating Active Directory users in the AD domain, plus I use the AD to grant access based on the user's membership in the 'Internet Users' group. This is achieved by using the key described above and 'acl myADusers proxy_auth REQUIRED'. However, I have a small number of local unix users too, who are able to authenticate themselves through PAM, and some of them need to be allowed to use my proxy, but most of them don't. So, in this scheme I should add AD users to the proper group to grant them access to the proxy, and some of the local unix users with valid passwords to the blocking ACL to deny them access.

I have read about squid_ldap_group and decided to use it, because it restores the config management scheme to its base. I successfully created and set up all the needed ACLs, removed the blocking ACLs and started using squid_ldap_group.

However, I've encountered some regrettable weaknesses in it.

1) The best benefit of using 'ntlm_auth' and '--require-membership-of=[bla-bla]' was the immediate effect on the user. Immediately after adding the user to the 'Internet Users' group he was able to start using the proxy. In the case of 'squid_ldap_group' changes are visible immediately too, but only when using the helper from a shell. When using it with the proxy, squid needs to be '-k reconfigure'd after each LDAP group modification. Can this behavior be avoided? Is this a squid limitation or some error in my configuration?

2) RFC 2254 defines the escaping of characters. It doesn't say that spaces need to be escaped, but, since squid_ldap_group accepts neither quotes nor double quotes, I tried to use RFC 2254 escaping when using squid_ldap_group from the shell. It doesn't work, because squid replaces '\20' with '\5c20' (for some reason). However, the RFC 2254 escaping works when used from the 'ldapsearch' tool. So at the moment I'm limited to using AD names without spaces in them. (And the question is, of course: will this be fixed or maybe extended?)

I'm using FreeBSD 6.2, squid 2.6.9 from the FreeBSD ports collection and openldap-client-2.3.27.

My squid configuration related to the topic follows:

/usr/local/etc/squid/squid.conf:
===Cut===
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

auth_param basic program /usr/local/libexec/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid[Kamtelecom]
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type ldap_group %LOGIN /usr/local/libexec/squid/squid_ldap_group -d \
 -b cn=Users,dc=domain,dc=local \
 -f "(&(cn=%g)(member=%u)(objectClass=group))" \
 -F "sAMAccountname=%s" \
 -D cn=squid,cn=Users,dc=domain,dc=local \
 -W /usr/local/etc/squid/ad.passwd -h 192.168.3.6 -v 3 -p 389

acl ad-internet-users   external        ldap_group      InternetUsers
http_access allow ad-internet-users
===Cut===
/etc/pam.d/squid:
===Cut===
#
# Squid pam auth by drook, 21/02/2006 11:30
#

auth            sufficient      pam_unix.so                     no_warn
auth sufficient /usr/local/lib/pam_winbind.so try_first_pass

auth            required        pam_deny.so                     no_warn
===Cut===

Thanks anyway. Eugene.
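Added example (not the poster's code and not Squid's own): an RFC 2254 filter-value escaper run against the filter template from the squid.conf above, showing that spaces need no escaping, that a group name pre-escaped as Internet\20Users comes out as Internet\5c20Users once it is escaped a second time, and that the escaping keeps '(', ')' and '*' in a group name from changing the filter's structure. It assumes the helper escapes %g and %u the same way before substituting them; TEMPLATE is copied from the post and the names are constructed.

```python
import re

# Assertion-value characters that RFC 2254 (section 4) requires to be escaped
# as a backslash followed by two hex digits. Space is deliberately absent.
_SPECIAL = {'*': r'\2a', '(': r'\28', ')': r'\29', '\\': r'\5c', '\x00': r'\00'}

# Filter template copied from the squid.conf in the post above.
TEMPLATE = "(&(cn=%g)(member=%u)(objectClass=group))"

# Matches an RFC 2254 escape sequence such as \20 or \5c.
_ESCAPE_SEQ = re.compile(r'\\[0-9A-Fa-f]{2}')


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe use inside an LDAP search filter."""
    return ''.join(_SPECIAL.get(ch, ch) for ch in value)


def already_escaped(value: str) -> bool:
    """True if the value already carries \\XX sequences: escaping it again
    double-escapes it, because the backslash itself becomes \\5c."""
    return _ESCAPE_SEQ.search(value) is not None


def build_filter(template: str, group: str, user: str) -> str:
    """Expand %g and %u in the template, escaping both values first so that
    characters in a group or user name cannot alter the filter's structure.
    Assumption: this mirrors what the helper does; it is not Squid's code."""
    return (template
            .replace('%g', escape_filter_value(group))
            .replace('%u', escape_filter_value(user)))


if __name__ == '__main__':
    # Constructed sample names, not taken from any real directory.
    for group in ("Internet Users", "Internet\\20Users", "Sales (EMEA)*"):
        if already_escaped(group):
            print(f"{group!r} is already escaped; escaping again double-escapes it")
        print(build_filter(TEMPLATE, group, "jdoe"))
```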
