Kevin Kimani wrote:
Hi guys, I am having a system running squid that authenticates users from the Active Directory. Squid is version 2.6 STABLE6 running in CentOS 5.1. It authenticates users according to the various groups that have been defined in the Active Directory. If I run squid directly, it authenticates users according to their groups, but in the case of implementing Dansguardian, which is to act as a guard, then the authentication of groups fails miserably. But if I just authenticate everyone from the AD, it works well, only that it doesn't log the usernames but the IP addresses of the users.

#MY CHANGES-------------------------------------------------------------------
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
##END HERE--------------------------------------------------------------------

external_acl_type wbinfo_group_helper %LOGIN /usr/lib/squid/wbinfo_group.pl

##MY CHANGES-----------------------
acl my_network src 10.1.0.0/20
acl ntlm_users proxy_auth REQUIRED
acl usergroup1 external wbinfo_group_helper internetusers
acl group1 external wbinfo_group_helper directorsinternet seniormanagers itinternet auditandsystem
acl group2 external wbinfo_group_helper hrinternet financeinternet citinternet guardinginternet securitysystems salesandmarketing transportinternet
acl user1_ports port 21 25 80 110 443 10000
acl user2_ports port 21 25 80 110 443
acl user3 port 80 443
Squid's http_access rules work on a first-match basis, so...
http_access allow usergroup1
"usergroup1" can surf to anywhere on any port with no restrictions at all.
http_access allow my_network
Now anyone with a source address in 10.1.0.0/20 can do the same. Luckily, since all traffic is coming from Dans Guardian on localhost, this will never match.
http_access allow localhost
http_access allow ntlm_users
#http_access deny manager
http_access allow group1 user1_ports
http_access allow group2 user2_ports
# And finally deny all other access to this proxy
http_access allow SSL_ports
Sweet! Open proxy (for traffic destined for port 443 at least).
http_access deny !Safe_ports
http_access deny all
I'd strongly recommend reviewing the FAQ section on ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
##--------------------------------- for Dansguardian
filterip = 10.1.0.81
# the port that DansGuardian listens to.
filterport = 8080
# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 10.1.0.81
# the port DansGuardian connects to proxy on
proxyport = 3128

# Auth plugins
# These replace the usernameidmethod* options in previous versions. They
# handle the extraction of client usernames from various sources, such as
# Proxy-Authorisation headers and ident servers, enabling requests to be
# handled according to the settings of the user's filter group.
# Multiple plugins can be specified, and will be queried in order until one
# of them either finds a username or throws an error. For example, if Squid
# is configured with both NTLM and Basic auth enabled, and both the 'proxy-basic'
# and 'proxy-ntlm' auth plugins are enabled here, then clients which do not support
# NTLM can fall back to Basic without sacrificing access rights.
#
# If you do not use multiple filter groups, you need not specify this option.
#
#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-basic.conf'
#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-digest.conf'
authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-ntlm.conf'
#authplugin = '/usr/local/etc/dansguardian/authplugins/ident.conf'
#authplugin = '/usr/local/etc/dansguardian/authplugins/ip.conf'

These are my ACLs. They work in my small testing environment, but when I try to implement them in the client's environment, they just refuse to work. Could someone please help.
I'd suggest (once you have your Squid ACLs working for a stand-alone Squid install), implementing DG as a parent proxy to Squid. Then again, I'm not familiar with DG, and have no idea of its capabilities with regards to authentication.
Chris
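The first-match evaluation Chris walks through above can be checked mechanically. The script below is an added example, not code from the thread or from the Squid or DansGuardian projects: it models the posted acl definitions together with the stock squid.conf.default definitions of `all`, `localhost`, `SSL_ports` and `Safe_ports`, evaluates an `http_access` list in Squid's first-match order, and reports which line decided each request. Credentials and AD group membership are supplied directly on the request instead of being looked up through ntlm_auth and wbinfo_group.pl, and the `TIGHTENED` list is this example's own assumed reordering (deny unsafe ports first, force authentication, then the group/port allows, then `deny all`), not something the thread proposes. The sample requests and the user name `jdoe` are constructed.

```python
"""Toy first-match evaluator for Squid http_access lists (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    src: str                      # client address as Squid sees it
    port: int                     # destination port of the request
    user: Optional[str] = None    # authenticated user; None = no credentials sent
    groups: FrozenSet[str] = frozenset()  # AD groups wbinfo_group.pl would confirm


# acl name -> (type, values).  Names/values follow the posted squid.conf;
# all/localhost/SSL_ports/Safe_ports are the squid.conf.default definitions.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "my_network": ("src", ["10.1.0.0/20"]),
    "ntlm_users": ("proxy_auth", ["REQUIRED"]),
    "usergroup1": ("external", ["internetusers"]),
    "group1": ("external", ["directorsinternet", "seniormanagers",
                            "itinternet", "auditandsystem"]),
    "group2": ("external", ["hrinternet", "financeinternet", "citinternet",
                            "guardinginternet", "securitysystems",
                            "salesandmarketing", "transportinternet"]),
    "user1_ports": ("port", [21, 25, 80, 110, 443, 10000]),
    "user2_ports": ("port", [21, 25, 80, 110, 443]),
    "SSL_ports": ("port", [443]),
    "Safe_ports": ("port", [80, 21, 443, 70, 210, 280, 488, 591, 777]
                   + list(range(1025, 65536))),
}


def acl_matches(name: str, req: Request) -> bool:
    """One acl matches if ANY of its values matches (Squid ORs within an acl)."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        addr = ipaddress.ip_address(req.src)
        hit = any(addr in ipaddress.ip_network(v) for v in values)
    elif kind == "port":
        hit = req.port in values
    elif kind == "proxy_auth":
        # Real Squid sends a 407 challenge here; the toy treats "no
        # credentials" simply as "does not match".
        hit = req.user is not None
    elif kind == "external":
        # Real Squid would run wbinfo_group.pl with %LOGIN (needs a login).
        hit = req.user is not None and bool(req.groups.intersection(values))
    else:
        raise ValueError(kind)
    return hit != negate


def decide(rules: List[str], req: Request) -> Tuple[str, Optional[int]]:
    """Return (verdict, 1-based index of the http_access line that matched).

    All acls on a line must match (AND); the first line whose acls all match
    decides.  If nothing matches, Squid applies the opposite of the last
    rule's action, which the fall-through reproduces.
    """
    for i, line in enumerate(rules, start=1):
        action, *acl_names = line.split()
        if all(acl_matches(n, req) for n in acl_names):
            return action, i
    last_action = rules[-1].split()[0]
    return ("deny" if last_action == "allow" else "allow"), None


# The http_access list as posted (the commented-out 'deny manager' omitted).
POSTED = [
    "allow usergroup1",
    "allow my_network",
    "allow localhost",
    "allow ntlm_users",
    "allow group1 user1_ports",
    "allow group2 user2_ports",
    "allow SSL_ports",
    "deny !Safe_ports",
    "deny all",
]

# Assumed tightened ordering (this example's suggestion, not from the thread).
# 'allow localhost'/'allow my_network' are dropped: with DansGuardian in front,
# every request reaches Squid from localhost and would be allowed before the
# group checks are consulted.
TIGHTENED = [
    "deny !Safe_ports",
    "deny !ntlm_users",
    "allow usergroup1",
    "allow group1 user1_ports",
    "allow group2 user2_ports",
    "deny all",
]

# Constructed sample requests, all arriving from DansGuardian on 127.0.0.1.
ANON_443 = Request(src="127.0.0.1", port=443)
HR_80 = Request(src="127.0.0.1", port=80, user="jdoe", groups=frozenset({"hrinternet"}))
HR_10000 = Request(src="127.0.0.1", port=10000, user="jdoe", groups=frozenset({"hrinternet"}))

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("tightened", TIGHTENED)):
        for req in (ANON_443, HR_80, HR_10000):
            verdict, idx = decide(rules, req)
            print(f"{label:9} user={req.user!s:5} port={req.port:<5} -> {verdict} (line {idx})")
```

Run as-is, the posted list lets every request from 127.0.0.1 through on line 3 (`allow localhost`), credentials or not, so the group and port acls further down never get a say; that is why usernames never reach access.log once DansGuardian sits in front. With the tightened ordering the unauthenticated request is stopped by `deny !ntlm_users` (where real Squid would challenge for credentials), the HR user on port 80 is allowed by the `group2 user2_ports` line, and the HR user on port 10000 falls through to `deny all`.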