Using both domain users and local users for Squid authentication

authenticationsquid

I'm working on a Squid proxy which needs to authenticate users against an Active Directory domain; this works fine, Samba was correctly set up and Squid authenticates users via ntlm_auth. Relevant lines in squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl Authenticated proxy_auth REQUIRED
http_access allow Authenticated
http_access deny all

Now, I need a way to allow access to users which don't have a domain account. I know I could create an "internet user" account in the domain, but this would allow access, although limited, to domain resources (file shares, etc.); I need something that will allow only Internet access.

The ideal solution would be using a local account on the proxy server, either a Linux account or a Squid one; I know Squid supports this, but I'm unable to have it use both domain authentication and Squid/local authentication if domain auth is unsuccesful.

Can this be done? How?

Best Answer

Now, I need a way to allow access to users which don't have a domain account. Can this be done?

Yes.

How?

You can use an "external" ACL helper, which allows you to roll your own mechanism. See the Squid wiki "Multiple Source" entry for more details. This bit of pseudo-code lifted straight from there:

auth_param basic program /usr/local/bin/my-auth.pl
external_acl_type myAclType %SRC %LOGIN %{Proxy-Authorization} /usr/local/bin/my-acl.pl
acl MyAcl external myAclType
http_access allow MyAcl

... where my-auth.pl is a bit of perl script that performs the actual authentication, and returns OK or ERR as the result.

Related Solutions

Squid proxy authentication – most painless way

I assume you are using an Active Directory server. We have done something similar and the easiest way was to use the ntlm_auth helper like this (part of my squid.conf):

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

You will have to install Samba and join your Windows domain. Your smb.conf will have to use these settings:

security = ADS
realm = your-dns-domain
password server = your-active-directory-server
winbind enum groups = yes
winbind enum users = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes

I believe it was also necessary to alter the /etc/krb5.conf:

[libdefaults]
default_realm = your-dns-domain

[realms]
your-dns-domain = {
kdc = your-ad-server
}

Then you should be able to join your Windows domain:

net rpc join -S PDC -U Administrator

In the end you should have a setup that uses single-sign login from Windows. Both the Internet Explorer (in case you should seriously use it) as well as Firefox know how to send the authentication credentials.

For applications that don't know NTLM you may need to add a fallback to basic authentication, too. I haven't tested that, yet.

Links:

Squid Proxy – Active Directory Authentication

I'm using Squid as a non-transparent proxy to authenticate (and database) user access to web sites in production and it works very well.

I'm running it on Win32, so the integration with Active Directory has been pretty painless. As such, I can't speak to the relative merits of WinBind versus LDAP.

The "bypass" functionality that you're looking for re: anonymous users having access to some sites is documented in the Squid wiki. I haven't tried the configuration example there on a real Squid instance. After reading the first sample configuration I'd say that it should work "as advertised". It looks like the trick (since Squid parses ACLs top-to-bottom, bailing out after the first ACL it finds that satisfies the request) is to put the anonymous access ACLs before any ACLs that depend on authentication.

Best Answer

Related Solutions

Squid proxy authentication – most painless way

Squid Proxy – Active Directory Authentication

Related Topic