- 08-13-2004 #1
- Just Joined!
- Join Date: Aug 2004
- Posts: 1
Squid PAM authentication and LDAP
Greetings Folks,
This is my first post in this forum. I was not at all a linux guy but due to some circumstances at work (sys admin being not available), I am faced with a problem that requires me to seek expert help.
We have a dedicated squid proxy server running on SuSE Linux 8.0. Now according to my limited knowledge this machine is completely different from the file server (running SuSE as well) we have. Therefore, the network users (those having accounts to logon to the network) are different than those who have accounts to access the internet through proxy. Basically, any user who has been added to the squid database is allowed to access the internet.
The problem I am faced with is that we are going to replace the Squid box with a hardware based proxy/cache engine solution which doesn't have any built-in authentication mechanism. While in place this new box will have to pass the authentication requests to some kind of an existing authentication server. Now with my extremely limited knowledge I was able to find that the squid is configured to use PAM authentication mechanism. While on the other hand, the new box supports RADIUS, TACACS+, LDAP, and NTLM. In an effort to dig deeper into this I found out that RADIUS and TACACS+ would require a completely different setup with some new hardware while NTLM is a non-linux solution. LDAP is the only choice I am left with that seems to be the feasible solution (due to limited time and resources) by making some changes to the existing squid proxy SuSE box (and disabling the squid proxy services on the existing box after the installation of new proxy device, making the existing box to serve as the authentication server).
After reading about LDAP, it came to my knowledge that it is a directory server technology that allows the username and passwords to be stored on a centralized location. AND that it uses PAM for user authentication. Now that's what confuses me. LDAP also uses PAM and running Squid is also using PAM. With default SuSE installation on the existing proxy server, I don't think there is LDAP installed and configured to use PAM to authenticate internet users. I do know that, whenever a new user required access to the internet, she was added to the squid's user database and not to any LDAP database.
Can anyone of you fine folks here help me verify whether there is any LDAP service running on the existing proxy server? And IF LDAP is NOT installed then what would be the best way to achieve the solution to this problem? How can I install LDAP on the existing proxy server and make the existing squid user database integrate with it? The LDAP parameters required by the new proxy device are cn=, dc=, ou=, and Search group. What would be the best possible way to make the existing proxy box serve as the authentication server (and not proxy) with LDAP, for the new proxy device?
Any help in this regard is highly appreciated.
Thank you for your cooperation.
Kind Regards,
-redmat
- 08-17-2006 #2
- Just Joined!
- Join Date: Aug 2006
- Location: Near London, Ontario Canada
- Posts: 2
> We have a dedicated squid proxy server running on SuSE Linux 8.0. Now according to my limited knowledge this machine is completely different from the file server (running SuSE as well) we have. Therefore, the network users (those having accounts to logon to the network) are different than those who have accounts to access the internet through proxy. Basically, any user who has been added to the squid database is allowed to access the internet. The problem I am faced with is that we are going to replace the Squid box with a hardware based proxy/cache engine solution which doesn't have any built-in authentication mechanism. While in place this new box will have to pass the authentication requests to some kind of an existing authentication server. Now with my extremely limited knowledge I was able to find that the squid is configured to use PAM authentication mechanism.
> While on the other hand, the new box supports RADIUS, TACACS+, LDAP, and NTLM. In an effort to dig deeper into this I found out that RADIUS and TACACS+ would require a completely different setup with some new hardware while NTLM is a non-linux solution. LDAP is the only choice I am left with that seems to be the feasible solution (due to limited time and resources) by making some changes to the existing squid proxy SuSE box (and disabling the squid proxy services on the existing box after the installation of new proxy device, making the existing box to serve as the authentication server).

In Linux, PAM (Pluggable Authentication Module) is an extensible generic authentication system designed to be flexible enough to allow any software (written for the purpose) to authenticate to an arbitrary database. The software doesn't need to know anything about the authentication mechanism; PAM handles everything.

> After reading about LDAP, it came to my knowledge that it is a directory server technology that allows the username and passwords to be stored on a centralized location. AND that it uses PAM for user authentication.
> Now that's what confuses me. LDAP also uses PAM and running Squid is also using PAM. With default SuSE installation on the existing proxy server, I don't think there is LDAP installed and configured to use PAM to authenticate internet users. I do know that, whenever a new user required access to the internet, she was added to the squid's user database and not to any LDAP database.

LDAP doesn't use PAM. That doesn't make any sense. PAM can be configured to use an LDAP database for authentication (LDAP, by the way, is the same protocol used by Microsoft's 'Active Directory' and Novell's 'eDirectory' (formerly NDS)).

> Can anyone of you fine folks here help me verify whether there is any LDAP service running on the existing proxy server? And IF LDAP is NOT installed then what would be the best way to achieve the solution to this problem? How can I install LDAP on the existing proxy server and make the existing squid user database integrate with it? The LDAP parameters required by the new proxy device are cn=, dc=, ou=, and Search group. What would be the best possible way to make the existing proxy box serve as the authentication server (and not proxy) with LDAP, for the new proxy device?

It is very unlikely that LDAP is installed. It would only be installed and configured if it was being used and it probably wouldn't be on the proxy server. LDAP is meant to be a central database and would be for the whole organization if it were being used. To be sure, try 'ps ax|grep slapd' at the command line. 'slapd' is the OpenLDAP server. Where are the accounts used for the file server stored? Are you just running Linux or are there Windows servers too?
Mark Coolen
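The 'ps ax|grep slapd' check above can be taken a step further: the same box can be asked whether anything listens on the LDAP port, which helper squid.conf hands basic authentication to, and which PAM modules that helper's service stack uses, since that stack is what decides whether Squid's users live in /etc/passwd or in a directory. The script below is an added example written for this thread, not code from either poster; it assumes a Squid 2.5-era `auth_param basic program` line, the `pam_auth` helper's default PAM service name `squid`, and SuSE-style paths, and its sample inputs are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): answer "where does this Squid box
# authenticate?" by checking for slapd, for a listener on the LDAP port,
# for the helper named in squid.conf and for the PAM stack that helper uses.
# Each check reads stdin, so it works on live output or on constructed samples.

# Is the OpenLDAP server in 'ps ax' output? ([s] keeps grep from matching itself)
slapd_in_ps() {
  grep -q '[s]lapd'
}

# Is anything listening on TCP 389 in 'netstat -ltn' output?
ldap_port_listening() {
  grep -q ':389[[:space:]]'
}

# Which helper does squid.conf hand basic auth to?
# Squid 2.5 syntax: auth_param basic program /path/to/helper [args]
squid_auth_helper() {
  awk '$1 == "auth_param" && $2 == "basic" && $3 == "program" { print $4; exit }'
}

# Modules on the "auth" stack of a PAM service file, in stack order, deduplicated.
# The pam_auth helper authenticates against the PAM service named "squid", so
# /etc/pam.d/squid decides whether users come from /etc/passwd (pam_unix) or
# from a directory (pam_ldap). Assumes the simple one-word control field.
pam_auth_modules() {
  awk '$1 == "auth" && !seen[$3]++ { printf "%s%s", sep, $3; sep = " " } END { print "" }'
}

# Live report. Paths assume a SuSE-style layout; adjust squid.conf if needed.
report() {
  if ps ax | slapd_in_ps; then echo "slapd: running"; else echo "slapd: not found"; fi
  if netstat -ltn 2>/dev/null | ldap_port_listening; then
    echo "port 389: listening"
  else
    echo "port 389: nothing listening"
  fi
  conf=/etc/squid/squid.conf
  [ -r "$conf" ] && echo "squid auth helper: $(squid_auth_helper < "$conf")"
  [ -r /etc/pam.d/squid ] && echo "squid PAM auth stack: $(pam_auth_modules < /etc/pam.d/squid)"
  return 0
}

# Run the live report with: sh check_squid_auth.sh --run
case "${1:-}" in --run) report ;; esac
```

If the report shows no slapd, nothing on 389 and a `pam_unix.so`-only stack, the Squid users are plain local accounts on that box, which is the situation the reply above expects.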