Ldap – Open Source proxy authentication using multiple LDAP

ldapsquidweb-proxy

I am working on setting up new web proxies at my job. We were initialy planning on buying Blue Coat proxys but the economic downturn came along and we're not buying them anymore…

The great feature that these proxys had was that they offered the possibility to authenticate users against several LDAP proxies. For example, a certain subnet of users authenticate against a specific LDAP serve while another subnet of users authenticate against another LDAP server.

Is this possible using open source software such as Squid ? I really like Pfsense because the interface is really simple and pretty, would it be possible to do such thing with it ?

Thank you in advance for your help,

Antoine

Best Answer

You cold make Squid authenticate against a single OpenLDAP server acting as a proxy for several backend directories. From slapd-meta(5):

NAME slapd-meta - metadirectory backend

SYNOPSIS /etc/ldap/slapd.conf

DESCRIPTION The meta backend to slapd(8) performs basic LDAP proxying with respect to a set of remote LDAP servers, called "targets". The information contained in these servers can be presented as belonging to a single Directory Information Tree (DIT).

This will work even if the DN hierarchies overlay among both groups by writing a few massaging rules -- I'm guessing that is the case because you would be using aliasing and delegation instead.

In any case I believe it is healthy that users are allowed to authenticate against the unified directory because their identity remains the same regardless of the subnet they happen to find themselves into.

Related Solutions

Squid proxy authentication – most painless way

I assume you are using an Active Directory server. We have done something similar and the easiest way was to use the ntlm_auth helper like this (part of my squid.conf):

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

You will have to install Samba and join your Windows domain. Your smb.conf will have to use these settings:

security = ADS
realm = your-dns-domain
password server = your-active-directory-server
winbind enum groups = yes
winbind enum users = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes

I believe it was also necessary to alter the /etc/krb5.conf:

[libdefaults]
default_realm = your-dns-domain

[realms]
your-dns-domain = {
kdc = your-ad-server
}

Then you should be able to join your Windows domain:

net rpc join -S PDC -U Administrator

In the end you should have a setup that uses single-sign login from Windows. Both the Internet Explorer (in case you should seriously use it) as well as Firefox know how to send the authentication credentials.

For applications that don't know NTLM you may need to add a fallback to basic authentication, too. I haven't tested that, yet.

Links:

LDAP Authentication for multiple AD Domains

Well, this link may explain it: http://blogs.msdn.com/anthonw/archive/2006/08/02/686041.aspx

Basically, the connecting computer (workstation) needs to be able to see the AD DC server on all the domains it plans to connect to; but the connected computer (server) does not need to be able to see the other AD DC server for the computers which connect to it.

So in practice, it may require you to think of where users (or applications) are connecting from and make those domains on a "higher privilege" to see those DC servers.

However, if you use ONLY NTLM type authentication, then only the DCs need to see each other and authentication will work fine. Though to my knowledge, LDAP queries should suffice if it connects to a Global Catalog server.

Best Answer

Related Solutions

Squid proxy authentication – most painless way

LDAP Authentication for multiple AD Domains

Related Topic