- 07-20-2011 #1Just Joined!
- Join Date
- Jul 2009
- Posts
- 26
Squid integration with windows AD not with ldap/openldap!!!!
Hi All,
I have configured SQUID-3.1.8-1 on CentOS 5.3. It is working fine now on blocking http & https traffic.
Now I would like to integrate the squid to windows AD.
Any help regarding this will be appreciated.
Regards
Kalyan Kumar P
- 07-21-2011 #2Just Joined!
- Join Date
- Sep 2008
- Posts
- 20
Hi Kalyan,
If you mean that you'd like to integrate squid3 as user authentication, I already have my structure working in such a way.
I use a configuration like the following (I only pasted a part of squid conf ...).
Of course this is a sample; you have to change "dc=www,dc=example,dc=com" to the baseDN of your AD, "PasswordOfManager" to the password of your rootdn, and the query string (-f "(&(objectClass=person)(sAMAccountName=%s)(memberOf=cn=G-proxyusers,ou=Groups,dc=www,dc=example,dc=com))") so as to match your needs and AD schema configuration, and so on.
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=www,dc=example,dc=com" -s sub -D "CN=Manager,OU=service accounts,ou=users,dc=www,dc=example,dc=com" -w PasswordOfManager -f "(&(objectClass=person)(sAMAccountName=%s)(memberOf=cn=G-proxyusers,ou=Groups,dc=www,dc=example,dc=com))" -u sAMAccountName -P -v 3 -h myAD.ip.address
auth_param basic children 10
auth_param basic realm Authentication Required
auth_param basic credentialsttl 2 hours
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
......
....
acl CONNECT method CONNECT
acl authenticatedusers proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow authenticatedusers
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
.....
The most important rows that activate this feature are the ones marked in bold.
You may feel free to change other parameters as you want (e.g. number of children, time to live, etc.)
Hope this helps
Gab
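Added example, not part of the post above and not squid_ldap_auth's own code: a Python sketch of what a Squid basic-auth helper does with the -f filter from the post, from the "username password" request line to the OK/ERR reply. The function names, the user "alice", her password and the in-memory directory are constructed assumptions.

```python
from urllib.parse import unquote

# Filter template from the post; %s is replaced by the login name.
FILTER = ("(&(objectClass=person)(sAMAccountName=%s)"
          "(memberOf=cn=G-proxyusers,ou=Groups,dc=www,dc=example,dc=com))")

def escape_filter_value(value):
    """Escape characters that are special in an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(username):
    return FILTER.replace("%s", escape_filter_value(username))

def parse_request(line):
    """Squid sends 'username password' per line, each field URL-encoded."""
    parts = line.rstrip("\r\n").split(" ", 1)
    return (unquote(parts[0]), unquote(parts[1])) if len(parts) == 2 else None

def handle(line, search_and_bind):
    """Return the reply Squid expects from a basic-auth helper: OK or ERR."""
    creds = parse_request(line)
    if creds is None or not creds[0] or not creds[1]:
        # Empty password: a simple bind would be an unauthenticated bind
        # (RFC 4513) that a server may accept, so refuse it up front.
        return "ERR"
    return "OK" if search_and_bind(build_filter(creds[0]), creds[1]) else "ERR"

# Constructed stand-in for the directory (assumption: user "alice" is the
# only member of G-proxyusers); a real helper would search, then bind.
DIRECTORY = {build_filter("alice"): "S3cret!"}

def fake_search_and_bind(ldap_filter, password):
    return DIRECTORY.get(ldap_filter) == password

if __name__ == "__main__":
    for line in ["alice S3cret%21", "alice ", "al* S3cret%21", "alice"]:
        print(repr(line), "->", handle(line, fake_search_and_bind))
```

A wildcard typed as a login name is escaped to \2a, so it is searched for literally and cannot match a different account.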
- 07-22-2011 #3Just Joined!
- Join Date
- Jul 2009
- Posts
- 26
Hi Gabolander,
Thanks for the reply. Well it seems that you have integrated to LDAP right?
- 07-22-2011 #4Just Joined!
- Join Date
- Sep 2008
- Posts
- 20
Sure, but Active Directory actually IS an LDAP v3, indeed. So, when I do an authentication to an A.D., it is similar to doing an authentication to an authentication server based on LDAP. Only attributes and schema differ, but the query is pretty similar and the auth method is the same.
In other cases, where authentication acts as SSO also for other apps in the same user session, even the Kerberos5 authentication must be activated, but in squid only this simple authentication method is needed.
Best,
Gabo
- 07-22-2011 #5Just Joined!
- Join Date
- Jul 2009
- Posts
- 26
The thing is...
We have a WINDOWS 2008 AD on X machine, and
Squid proxy server is on Y machine. I am trying to integrate these two. We don't have any LDAP server.
So can you suggest how to proceed on this?
Regards
Kalyan Kumar Pasupuleti
RHCE, LDAP, SELinux Certified.
- 07-22-2011 #6Just Joined!
- Join Date
- Sep 2008
- Posts
- 20
The question is: by "integration", do you mean that users that use the proxy of Y machine have to be authenticated by AD (Y machine)?
If so, the answer is in my first post of this thread. You only have to change addresses and distinguished name to match your X machine binding.
Regards,
G.


