Getting squid proxy to authenticate with AD or LDAP

Tags: proxy, raspbian, squid

So, I've been running a project lately, which is to set up a Squid proxy on Raspbian (on a Raspberry Pi, via Webmin). This project is divided into two parts:

  • The first, which I have already completed, is to configure a Squid that works transparently for the user.

  • The second one (which is the one that is driving me crazy and is totally independent from the first part) consists of configuring a proxy which authenticates against an active directory (either LDAP or AD; obviously the process will be somewhat different, but at least if I can do it with one of them, I will be able to do the other), so that, preferably **, when a user tries to access the internet, a screen pops up asking for the username and password, in order to control which users / groups of the directory can access the internet and apply different ACLs to different users.

** I have put "preferably" since I have been reading that when configuring the Squid proxy to authenticate against an active directory, it detects which user is trying to access and the authentication screen is no longer necessary, but I could not confirm it since I have not managed to make the proxy work in this way.

While I have not documented the process, I can provide the tutorial that I have followed to the letter (except for some commands and configurations that have changed due to software updates …). It is the following:

https://www.howtoforge.com/debian-squeeze-squid-kerberos-ldap-authentication-active-directory-integration-and-cyfin-reporter

As I say, I followed the tutorial to the letter, but I have not managed to make the proxy work, or at least, I have not got any user to surf the Internet, so after a time of unsuccessful testing I come here to ask if there is some way of doing what I need: that only users authenticated in the AD can make use of the proxy, and that ACLs can be applied to them (or perhaps to groups of users).

If this is possible, I would appreciate someone giving me some information on how I can do this or at least some more recent tutorial that I can follow.

Thank you very much in advance and I hope that someone can help me with this.

Best Answer

Note that in a transparent proxy deployment the browser is not aware of the proxy, thus the browser refuses to present any user credentials to an unknown requestor. In order to use proxy authentication you must configure your browser to explicitly connect to the proxy (default port 3128 in the case of Squid).

Having switched to explicit proxy deployment, you need to configure Squid to use authenticators that will perform AD/LDAP authentication on behalf of Squid. The long guide for Active Directory integration is at https://docs.diladele.com/administrator_guide_6_4/active_directory/index.html. In short - use Negotiate/NTLM, NTLM or Basic LDAP authentication helpers.
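As an added illustration of the Basic LDAP route mentioned in the answer (this is example configuration written here, not part of the original answer or of the linked guide), the following squid.conf fragment makes Squid challenge the browser for credentials, verify them against AD with basic_ldap_auth, and then apply different rules per AD group with ext_ldap_group_acl. The domain dc=example,dc=local, the domain controller name, the group names, the service account, the password file path and the helper path /usr/lib/squid/ are all assumptions; adjust them to your environment (older Debian builds install the helpers under /usr/lib/squid3/).

```conf
# --- Authentication: ask the browser for a username/password and check it in AD ---
# basic_ldap_auth binds to AD as a read-only service account (-D/-W) and then
# looks up the submitted user by sAMAccountName (-f). -R disables referral
# chasing, which AD returns and which would otherwise stall the lookup.
# Keep the bind password in a root-owned file readable by the squid user only.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=example,dc=local" -D "cn=squid-bind,ou=Service Accounts,dc=example,dc=local" -W /etc/squid/ldappass.txt -f "sAMAccountName=%s" -h dc1.example.local
auth_param basic children 10
auth_param basic realm Internet proxy (AD login)
# How long a verified credential is cached before AD is asked again.
auth_param basic credentialsttl 2 hours
# Basic auth carries the password in cleartext between browser and proxy,
# so keep the proxy on a trusted LAN segment or prefer Negotiate/Kerberos later.

# --- Group lookup: let Squid ask AD whether the logged-in user is in a group ---
# %LOGIN passes the authenticated username; %v is the user and %g the group
# name given in the acl line below. memberOf is the AD attribute holding groups.
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -b "dc=example,dc=local" -D "cn=squid-bind,ou=Service Accounts,dc=example,dc=local" -W /etc/squid/ldappass.txt -f "(&(objectClass=user)(sAMAccountName=%v)(memberOf=cn=%g,ou=Groups,dc=example,dc=local))" -h dc1.example.local

# --- ACL definitions ---
# proxy_auth REQUIRED is what triggers the login prompt in the browser.
acl authenticated   proxy_auth REQUIRED
acl internet_full   external ad_group Internet-Full
acl internet_basic  external ad_group Internet-Basic
# Constructed example destination list to show a per-group restriction.
acl restricted_sites dstdomain .example.net

# --- Access policy, evaluated top to bottom, first match wins ---
http_access deny  !authenticated             # unauthenticated -> 407 challenge
http_access allow internet_full              # this group gets everything
http_access deny  internet_basic restricted_sites
http_access allow internet_basic
http_access deny  all                        # AD users in neither group get nothing
```

Check the file with `squid -k parse` before applying it with `squid -k reconfigure`; a failed bind or a wrong base DN shows up in cache.log as helper errors rather than as a browser error.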