LinuxQuestions.org
Old 08-12-2004, 02:03 PM   #1
redmat
LQ Newbie
 
Registered: Aug 2004
Posts: 1

Rep: Reputation: 0
Squid PAM authentication and LDAP


Greetings Folks,

This is my first ever post in any Linux-related forum. I was not at all a Linux guy, but due to some circumstances at work (sys admin not being available), I am faced with a problem that requires me to seek expert help.

We have a dedicated Squid proxy server running on SuSE Linux 8.0. Now, according to my limited knowledge, this machine is completely different from the file server (running SuSE as well) we have. Therefore, the network users (those having accounts to log on to the network) are different from those who have accounts to access the internet through the proxy. Basically, any user who has been added to the Squid database is allowed to access the internet.

The problem I am faced with is that we are going to replace the Squid box with a hardware-based proxy/cache engine solution which doesn't have any built-in authentication mechanism. While in place, this new box will have to pass the authentication requests to some kind of existing authentication server. Now, with my extremely limited knowledge, I was able to find that Squid is configured to use the PAM authentication mechanism. On the other hand, the new box supports RADIUS, TACACS+, LDAP, and NTLM. In an effort to dig deeper into this, I found out that RADIUS and TACACS+ would require a completely different setup with some new hardware, while NTLM is a non-Linux solution. LDAP is the only choice I am left with that seems to be a feasible solution (due to limited time and resources), by making some changes to the existing Squid proxy SuSE box (and disabling the Squid proxy services on the existing box after the installation of the new proxy device, making the existing box serve as the authentication server).

After reading about LDAP, it came to my knowledge that it is a directory server technology that allows the usernames and passwords to be stored in a centralized location, AND that it uses PAM for user authentication. Now that's what confuses me. LDAP also uses PAM, and the running Squid is also using PAM. With the default SuSE installation on the existing proxy server, I don't think there is LDAP installed and configured to use PAM to authenticate internet users. I do know that, whenever a new user required access to the internet, she was added to Squid's user database and not to any LDAP database.

Can any of you fine folks here help me verify whether there is any LDAP service running on the existing proxy server? And IF LDAP is NOT installed, then what would be the best way to achieve the solution to this problem? How can I install LDAP on the existing proxy server and make the existing Squid user database integrate with it? The LDAP parameters required by the new proxy device are cn=, dc=, ou=, and Search group. What would be the best possible way to make the existing proxy box serve as the authentication server (and not proxy) with LDAP, for the new proxy device?

Any help in this regard is highly appreciated.

Thank you for your cooperation.

Kind Regards,
-redmat

P.S. Moderators/Admins, if there is a need for this post to be moved to any other appropriate forum (Linux Software?), please kindly do so. I posted it in the Newbie forum keeping in mind my level of knowledge. Thank you!

Last edited by redmat; 08-12-2004 at 02:07 PM.
 
Old 09-03-2004, 07:22 PM   #2
zatriz
Member
 
Registered: Aug 2003
Location: Seattle, Wa
Distribution: Fedora,Trustix,Debian
Posts: 290

Rep: Reputation: 30
What you are asking for is a very complicated setup.
Squid can authenticate to a lot of different things, including PAM and LDAP.
I'm thinking that the machine that Squid is running on is using NCSA htpasswd-type authentication, because if it was using PAM you could just use the same passwd file from the other machine instead of keeping two separate user lists,
but I can't be sure.

When a user authenticates, Linux has a set of files that tells it what to authenticate by; first it will ask PAM if that user name exists there, then it will go to LDAP and authenticate there.
There is a package called OpenLDAP that you can install and configure to have the hardware firewall authenticate to.
But OpenLDAP is not very simple, nor is it straightforward.
Go to www.linsec.ca; there are tutorials on how to set up OpenLDAP for a domain controller. You would have to do the same thing and then add users with one of the GUI clients available, like gq or something like it,
and then have that hardware firewall authenticate against it.
I have never used SuSE, but I hear that SuSE has a very good LDAP configuration tool, so you might want to look into that.

In fact, I think if I were you I'd go with RADIUS rather than LDAP.
There is a program called FreeRADIUS that can auth using PAM, so no need to create additional users.

Last edited by zatriz; 09-03-2004 at 07:37 PM.
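
One way to run the two checks raised in this thread, which authentication helper Squid is configured with and whether anything is listening on the LDAP ports, as an added example that is not part of either post. The default config path, the `SQUID_CONF` variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: which credential store does Squid use, and is LDAP listening?

# Print the basic-auth helper command line from a squid.conf. Covers
# authenticate_program (Squid 2.4) and auth_param basic program (Squid 2.5+).
squid_auth_helper() {
    awk '
        /^[ \t]*#/ { next }   # skip commented-out directives
        $1 == "authenticate_program" { $1 = ""; sub(/^ +/, ""); print; exit }
        $1 == "auth_param" && $2 == "basic" && $3 == "program" {
            $1 = $2 = $3 = ""; sub(/^ +/, ""); print; exit
        }
    ' "$1"
}

# Map a helper command line to the credential store it implies.
classify_helper() {
    [ -n "$1" ] || { echo "none"; return 0; }
    case "$(basename "${1%% *}")" in
        pam_auth|basic_pam_auth)         echo "pam" ;;
        ncsa_auth|basic_ncsa_auth)       echo "ncsa-htpasswd" ;;
        squid_ldap_auth|basic_ldap_auth) echo "ldap" ;;
        *)                               echo "other" ;;
    esac
}

# Read `netstat -tln` or `ss -tln` output on stdin; succeed if the local
# address column (field 4 in both tools) ends in the LDAP or LDAPS port.
ldap_listening() {
    awk '$4 ~ /:(389|636)$/ { found = 1 } END { exit !found }'
}

# Stand-alone use on the proxy box. The default path is an assumption;
# override it with SQUID_CONF (a variable name chosen for this example).
conf="${SQUID_CONF:-/etc/squid/squid.conf}"
if [ -r "$conf" ]; then
    helper="$(squid_auth_helper "$conf")"
    echo "squid auth helper: ${helper:-none configured}"
    echo "credential store:  $(classify_helper "$helper")"
    if netstat -tln 2>/dev/null | ldap_listening; then
        echo "LDAP listener:     yes"
    else
        echo "LDAP listener:     no"
    fi
fi
```

A `pam` result means the accounts live wherever that box's PAM stack points, while `ncsa-htpasswd` means a flat password file named on the helper's command line.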
 
  

