Ubuntu – Squid + windows active directory Authentication + Dansguardian

active-directorydansguardiansquidUbuntu

I have to configure squid authentication + dansguardian web filtering on ubuntu server. Can anyone please tell me how to do it.

I can configure squid transparent mode & dansguardian. But I do not know how to configure squid authentication and making users to get authenticated to browse.

The authentication is to be done with microsoft windows active directory. Can anyone please help me.

Best Answer

This depends on what you're authenticating against. For example, I once got squid to authenticate against a Mac OS X Open Directory server (effectively LDAP).

A few tips to get you started:

Transparent proxying and authenticated proxying are mutually exclusive. You can have either one, but not both.
Look for squid.conf on your Ubuntu server. That is what you'll have to edit in order to make the authentication lookups against your LDAP (or NTLM or ...) server.
Figure out how to get your proxy's IP (or FQDN) and port into your workstations. If there are very few, you can manually configure them. Windows and Mac OS X can be configured with Group Policies and Workgroup Manager (a.k.a. MCX).
Once Squid has authentication, it will pass that through DansGuardian. No additional configuration in DansGuardian should be necessary.
Check this web page for lots of details: http://wiki.squid-cache.org/Features/Authentication

Hope that helps!

Related Solutions

Squid Proxy – Active Directory Authentication

I'm using Squid as a non-transparent proxy to authenticate (and database) user access to web sites in production and it works very well.

I'm running it on Win32, so the integration with Active Directory has been pretty painless. As such, I can't speak to the relative merits of WinBind versus LDAP.

The "bypass" functionality that you're looking for re: anonymous users having access to some sites is documented in the Squid wiki. I haven't tried the configuration example there on a real Squid instance. After reading the first sample configuration I'd say that it should work "as advertised". It looks like the trick (since Squid parses ACLs top-to-bottom, bailing out after the first ACL it finds that satisfies the request) is to put the anonymous access ACLs before any ACLs that depend on authentication.

Ldap – SquidGuard and Active Directory groups

Solved.

Assuming the following:

- Domain name: "domain.com"
- Group name: "Internet Users"
- User name: "UserName"
- Path to group: "domain.com\OU1\OU2\Internet Users"

The query for checking if the user is member of that group would be:

(&(memberOf=CN=Group Name,OU=OU2,OU=OU1,DC=domain,DC=com)(SAMAccountName=UserName))

So you would have to add the following to squidGuard.conf to identify the members of that group ("%s" is squidGuard.conf's placeholder for "the client's user name"):

src Internet_Users {
    ldapusersearch  ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet Users,OU=OU2,OU=OU1,DC=domain,DC=com))
}

Caveat: it will not work if written as above, giving you a laconic "syntax error" message; this is because (part of) the statement is treated like a URL, so you have to escape special characters such as commas and whitespaces; the correct form would thus be this one:

src Internet_Users {
    ldapusersearch  ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}

Also, in order to avoid problems with Active Directory referrals (sometimes a DC will just redirect you to another one, even if you are on the same domain it manages), it might be useful to query a global catalog:

src Internet_Users {
    ldapusersearch  ldap://gc.domain.com:3268/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}

Best Answer

Related Solutions

Squid Proxy – Active Directory Authentication

Ldap – SquidGuard and Active Directory groups

Related Topic