LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
LinkBack Search this Thread
Old 08-12-2004, 02:03 PM   #1
redmat
LQ Newbie
 
Registered: Aug 2004
Posts: 1

Rep: Reputation: 0
Squid PAM authentication and LDAP


Greetings Folks,

This is my first ever post in any linux related forums. I was not at all a linux guy but due to some circumstances at work (sys admin being not available), I am faced with a problem that require me to seek expert help.

We have a dedicated squid proxy server running on SuSe Linux 8.0. Now according to my limited knowledge this machine is completely different from the file server (running SuSe as well) we have. Therefore, the network users (those having accounts to logon to the network) are different than those who have accounts to access the internet through proxy. Basically, any user who has been added to the squid database is allowed to access the internet.

The problem I am faced with is that we are going to replace the Squid box with a hardware based proxy/cache engine solution which doesn't have any built-in authentication mechanism. While in place this new box will have to pass the authentication requests to some kind of an existing authentication server. Now with my extremely limited knowledge I was able to find that the squid is configured to use PAM authentication mechanism. While on the other hand, the new box supports RADIUS, TACACS+, LDAP, and NTLM. In an effort to dig deeper into this I found out that RADIUS and TACACS+ would require a completely different setup with some new hardware while NTLM is a non-linux solution. LDAP is the only choice I am left with that seem to be the feasible solution (due to limited time and resources) by making some changes to the existing squid proxy SuSe box (and disabling the squid proxy services on the existing box after the installation of new proxy device, making the existing box to serve as the authentication server).

After reading about LDAP, it came to my knowledge that it is a directory server technology that allows the username and passwords to be stored on a centralized location. AND that it uses PAM for user authentication. Now thats what confuses me. LDAP also uses PAM and running Squid is also using PAM. With default SuSe installation on the existing proxy server, I don't think there is LDAP installed and configured to use PAM to authenticate internet users. I do know that, whenever a new user required access to the internet, she was added to the squid's user database and not to any LDAP database.

Can anyone of you fine folks here help me verify that if there is any LDAP service running on the existing proxy server. And IF LDAP is NOT installed then what would be the best way to achieve the solution to this problem? How can I install LDAP on the existing proxy server and make the existing squid user database integrate with it? The LDAP parameters required by the new proxy device are cn=, dc=, ou=, and Search group. What would be the best possible way to make the existing proxy box serve as the authentication server (and not proxy) with LDAP, for the new proxy device.

Any help in this reqard is highly appreciated.

Thank you for your cooperation.

Kind Regards,
-redmat

P.S. Moderators/Admins, if there is a need for this post to be moved to any other appropriate forum (Linux Software?), please kindly do so. I posted it in the Newbie forum keeping in mind my level of knowledge. Thank you!

Last edited by redmat; 08-12-2004 at 02:07 PM.
 
Old 09-03-2004, 07:22 PM   #2
zatriz
Member
 
Registered: Aug 2003
Location: Seattle, Wa
Distribution: Fedora,Trustix,Debian
Posts: 290

Rep: Reputation: 30
What you are asking for is a very complicated setup.
squid can authnicate to a lot of different things including pam and ldap
im thinking that the machine that squid is running on is using ncsa htpasswd type authenication cause if it was using pam you could just use the same passwd file from the other machine instead of keeping two seperate user lists.
but i cant be sure.

When a user authenicates linux has a set of files that tells it what to authenicate by, first it will ask pam if that user name exist there then it will go to ldap and authenicate there.
there is a package called openldap that you can install and configure that to have the hardware firewall authenicate to.
But openldap is not very simple nor is it straightforward.
go www.linsec.ca and there are tutorials on how to setup openldap for a domain controller you would have to do the same thing and then addusers with one of the gui clients available like gq or something like it.
And then have that hardware firewall authenicate against it.
I have never used suse but i hear that suse has a very good ldap configuration tool so you might want to look into that.

in fact i think if i were you i'd go with radius rather than ldap.
there is a program called freeradius that can auth using pam so no need to create additional users.

Last edited by zatriz; 09-03-2004 at 07:37 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Squid With PAM authentication paul_mat Linux - Networking 2 03-15-2011 12:47 PM
pam + ldap client paul_mat Linux - Networking 0 10-25-2005 10:55 PM
pam ldap limit authentication hassan2 Suse/Novell 0 08-01-2005 06:03 PM
pam and ldap authentication problem abrb220 Linux - Networking 2 07-31-2005 03:49 PM
Samba, PAM and LDAP Linh Linux - Networking 0 05-09-2003 10:07 AM


All times are GMT -5. The time now is 02:32 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration