Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 04-22-2008, 05:27 AM   #1
insurin
squid - installation & requirements


I want to have Squid cache web content and log internet activity by Active Directory username (Windows 2003). I do not want users to have to enter their user credentials every time they fire up Internet Explorer; I just want Squid to know the username without having to prompt them (is this called seamless?). I have read that the Linux box will need to be added to the Windows domain for this to take place. So from what I can see, I will need to install Squid and also join the Linux box to the domain.

I have read loads so far from google but to be honest I am struggling.

I am using ubuntu server 7.10

I have installed the LDAP tools and had success with ldapsearch. I have pulled info about a user, so I can confirm that I can communicate with AD from Ubuntu.

Now I need to get communication working from 'ldap_auth', as I have not had any success with this so far.
To start with, just to get the program working, I have to type the full path in to get ldap_auth working, i.e. even if my current working directory is /usr/lib/squid (where ldap_auth resides), I still have to type /usr/lib/squid/ldap_auth <parameters> or ./ldap_auth, otherwise I get command not found.

I must be typing in the wrong command as it just hangs upon hitting enter.

Let's say as an example

username = administrator
sits in the default container of 'users' within AD
AD server = 192.168.1.1
domain = mycompany.co.uk

I run the following

./ldap_auth -b dc=mycompany,dc=co,dc=uk -D cn=administrator,cn=users,dc=mycompany,dc=co,dc=uk -w adminpassword -H ldap://192.168.1.1 -f sAMAccountName=administrator

I have tried other variants after -f switch, i.e. uid=%s etc.

I have seen different guides on the web but would gladly take help off someone from this forum. I am at my PC all the time 9-5 uk time so can be ready to await instructions.
 
Old 04-22-2008, 08:10 AM   #2
insurin
update

I have had success with this

./ldap_auth -R -b dc=mycompany,dc=co,dc=uk -D cn=administrator,cn=users,dc=mycompany,dc=co,dc=uk -w adminpassword -H 192.168.1.1 -f sAMAccountName=administrator

after typing this in, the command hangs, from here I type

administrator adminpassword

then I get OK

e.g.

./ldap_auth -R -b dc=mycompany,dc=co,dc=uk -D cn=administrator,cn=users,dc=mycompany,dc=co,dc=uk -w adminpassword -H 192.168.1.1 -f sAMAccountName=administrator
administrator adminpassword
OK

So I assume that this is working; however, reading the documentation there was no mention of having to enter the username and password after the command, so I'm not sure what is going on there.

Anyway the next step for me is

auth_param basic program /usr/lib/squid/ldap_auth -R -b dc=mycompany,dc=co,dc=uk -D cn=administrator,cn=users,dc=mycompany,dc=co,dc=uk -w adminpassword -H 192.168.1.1 -f sAMAccountName=administrator
auth_param basic children 5
auth_param basic realm MyCompany
auth_param basic credentialsttl 5 minutes

What else do I need to edit in squid.conf to tell Squid that users must authenticate at IE?

 
Old 04-22-2008, 08:24 AM   #3
ksri07091983
Hey,

for that so-called seamless proxy, I had used Samba with krb5. Try the following.

Maybe tough, but this works for sure!

Of course, eliminate the SmartFilter part.

You can eliminate the Samba compilation part if you have a Samba version greater than 3.0.
SQUID With ADS authentication mini- HOWTO

Note: http://www.visolve.com/squid/squid30/contents.php (Squid all in one)
Prerequisites
The following RPMs should be installed on the machine where you are installing Squid:
krb5-libs-1.3.4-12
krb5-workstation-1.3.4-12
krb5-server-1.3.4-12
pam_krb5-2.1.2-1
krb5-devel-1.3.4-12

These are step by step instructions for how to install and configure the Squid proxy server with transparent authentication for users in a Microsoft AD domain, optionally using SmartFilter from Secure Computing to support outbound web filtering.
This was tested in two Windows 2003 AD domains, one with SmartFilter, the other without SmartFilter.
These instructions use the following versions of these packages:
RedHat Linux 9.0 with various kernels from kernel.org
MIT Kerberos 1.4 built from source
Samba 3.0.13 built from source
Squid 2.5.STABLE7 built from source
SmartFilter 4.01 from Secure Computing (optional)
Note that it may be easier to do all this starting with fc3 or fc4 as a base. However, as of this writing (April 5, 2005) SmartFilter only supports RH 9.0 and does not yet support any of the Fedora Core releases.
************************************************************************
First, install and test Squid without any authentication:
See the notes in Chapter 4 of the SmartFilter 4.01 Installation Guide PDF file for the recommended way to build Squid.
For Squid-specific documentation, see this URL:
http://squid-docs.sourceforge.net/latest/html/x354.html (This may be obsolete)
cd /usr/local
mkdir squid
mkdir squid/src
Put a copy of squid-2.5.STABLE7.tar.bz2 into /usr/local/squid/src
cp squid-2.5.STABLE7.tar.bz2 /usr/local/squid/src
Now extract and build it.
cd /usr/local/squid/src
bunzip2 squid-2.5.STABLE7.tar.bz2
tar -xvf squid-2.5.STABLE7.tar
cd /usr/local/squid/src/squid-2.5.STABLE7
./configure --enable-async-io --prefix=/usr/local/squid
(Note that the --enable-async-io is not in the SmartFilter documentation.)
(lots of output)
make all
make install
(lots more output and a few minutes)
Create a user and group called squid, make it the owner of all squid stuff
/usr/sbin/useradd squid
cd /usr/local
chown -R squid squid
chgrp -R squid squid
Now edit the squid.conf file
********* From the Squid documentation but not Smartfilter
/usr/local/squid/etc/squid.conf common parameters:
http_port leave as default
cache_mgr email settings
cache_effective_user squid
cache_effective_group squid
ftp_user Leave alone for now
visible_hostname Set this to the IP hostname
Search for "INSERT YOUR OWN RULE" and put in an appropriate ACL entry for the internal network, like this:
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl greg_network src 10.10.10.0/24 127.0.0.1/32
http_access allow greg_network
# And finally deny all other access to this proxy
http_access deny all
To run Squid in a transparent mode, enable the following directives in squid.conf.
(See http://squid.visolve.com/white_papers/trans_caching.htm)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
***************** Now from SmartFilter documentation
Make sure of these parameters:
cache_mem 8MB
cache_dir /usr/local/squid/cache 100 16 256
Change http_access deny all to http_access allow all. (May not need this!)
Uncomment the cache_effective_user "username" statement and change "username" to "squid" to match the user/group created above.
Uncomment the "cache_effective_group" statement and use "squid" as the group name.
************ More settings
Squid won't start unless you set this setting:
visible_hostname host.domain
Now run squid for the first time
/usr/local/squid/sbin/squid -z (To create swap directories)
/usr/local/squid/sbin/squid -N -d 1 (To run for the first time at the terminal window.)
-N means No daemon mode
-d 1 means debug level 1
(Note that Squid 2.5.n uses sbin instead of bin for the squid executable.)
Squid will be running in a terminal window.
Startup another terminal window and do this:
telnet localhost 3128
GET http://www.infrasupportetc.com HTTP/1.0 (Press "Enter" twice)
HTML should come back from that website.
If any errors come back, shut down Squid, like this:
/usr/local/squid/sbin/squid -k shutdown
Fix the errors and repeat. The problem is likely a parameter in squid.conf.
Startup squid for production like this: /usr/local/squid/sbin/squid
Shutdown squid like this:
/usr/local/squid/sbin/squid -k shutdown
************************************************************************
Now that Squid works, integrate the optional SmartFilter plugin for outbound web filtering
Download the SmartFilter binary and save a copy in /home/gregs or someplace convenient.
cd /usr/local/squid/src
cp /home/gregs/sf401_redhat_squid.bin ./
chmod 700 sf401_redhat_squid.bin
./sf401_redhat_squid.bin
See sf401install_guide.pdf for detailed installation instructions.
After running the install program, rebuild squid, like this:
cd /usr/local/squid/src/squid-2.5.STABLE7
./configure --enable-smartfilter
make clean
make all
make install
Also add the following lines to squid.conf:
smartfilter_state on
smartfilter_config /usr/local/squid/etc/config.txt
For LDAP support, see the SmartFilter Installation Guide. Add these additional lines to squid.conf (Note, no line continuation characters):
smartfilter_userinfo_program /usr/local/squid/libexec/sf_userinfo -f /usr/local/squid/etc/config.txt
smartfilter_userinfo_children 5
Now start squid like this:
/usr/local/squid/sbin/squid
Also, be sure to start the sfagent program, like this:
/usr/local/squid/etc/sfagent
You need this program running so the Admin Server can communicate with it.
This is not documented in any of the SmartFilter documentation.
Put the reference to these programs in rc.local or other convenient startup location.
Now install the SmartFilter admin server and console on a Windows system. Register the appropriate serial number on the Secure Computing website and set up regular control list downloads. See the SmartFilter Installation Guide for details.
************************************************************************
Now the fun part. Time to integrate Samba and set up AD authentication
For Squid authentication with an Active Directory domain, we need Samba, set up with Kerberos.
Redhat Linux 9.0 ships with Kerberos version 5, revision 1.2.7-10. Unfortunately, we need at least rev 1.3 to work with Windows 2003. See this URL for a discussion:
http://lists.samba.org/archive/samba...ly/090137.html
The fc3 RPM directory has krb5 rev 1.3 RPMs. Unfortunately, several dozen components in RedHat 9.0 depend on the 1.2.7 RPMs installed, especially the Kerberos libraries. So the krb5 rev 1.3 RPMs are worthless in this case.
We need to build a copy of Kerberos from source and put it in an alternate directory. Then we'll build a copy of Samba using this Kerberos build.
We get the latest and greatest Kerberos from MIT.
For the MIT Kerberos download, see:
http://web.mit.edu/kerberos/www/
For release notes, see:
http://web.mit.edu/kerberos/www/krb5-1.4/README-1.4.txt
For the Installation Guide see:
http://web.mit.edu/kerberos/www/krb5...-install.html#Building%20Kerberos%20V5
Download and save a copy of krb5-1.4-signed.tar from the MIT Kerberos website.
Put a copy of the download into /usr/src
cp krb5-1.4-signed.tar /usr/src
Do this to unpack the download.
cd /usr/src
tar -xvf krb5-1.4-signed.tar
This extracts these two files:
krb5-1.4.tar.gz - the actual software
krb5-1.4.tar.gz.asc - a signature
Now do this to unpack the Kerberos software:
tar -xvzf krb5-1.4.tar.gz
Now build it. By default, Kerberos will install the package's files rooted at `/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. (Pasted from the Installation Guide). We will need this later on when we build Samba.
cd /usr/src/krb5-1.4
cd src
./configure
make
make install
Some notes:
Make sure /etc/hosts has the FQDN of this system in place, similar to below:
[root@squidtest src]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 squidtest.infrasupportetc.com localhost.localdomain localhost
10.10.10.2 squidtest.infrasupportetc.com
Test the build like this:
cd /usr/src/krb5-1.4/src
make check
Fix any problems it calls out and keep running until it finishes cleanly.
************************************************************************
Now to build Samba from source to take advantage of the newest Kerberos
Download samba-3.0.13.tar.gz from here:
http://us4.samba.org/samba/
Put the saveset in the source directory:
cp samba-3.0.13.tar.gz /usr/src
Unpack it
cd /usr/src
tar -xvzf samba-3.0.13.tar.gz
Now build it with the Kerberos flavor installed earlier
cd /usr/src/samba-3.0.13/source
./configure --with-ads --with-krb5=/usr/local
make
make install
************************************************************************
Configure Samba to work with Kerberos
Set up smb.conf and krb5.conf.
(The paths are /usr/local/samba/lib/smb.conf and /etc/krb5.conf.)
(Extracted from the email Chris Cinnamo from Secure Computing sent.)
Edit /usr/local/samba/lib/smb.conf
----------------------------------
smb.conf
realm = <YOUR DOMAIN> ex. support.com
workgroup = <DOMAIN> ex. support
security = ADS
encrypt passwords = yes
password server = 192.168.100.12
# idmap uid and idmap gid are aliases for
# winbind uid and winbind gid, respectively
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
[test]
comment = Samba functionality test directory
path = /home/ryan/
read only = no
browsable = yes
writable = yes
guest ok = yes
valid users = @SUPPORT\"Domain Users"
------------------------------------
* Note: to start the krb5kdc service, the kadmin service should be started. To start that service you need to create the Kerberos database using the command 'kdb5_util create -s'.
/etc/krb5.conf should look like this:
(Note that Kerberos uses realms named the same as the AD domain name. But --IMPORTANT-- the realm name must be in all UPPER CASE. So infrasupportetc.com becomes INFRASUPPORTETC.COM)
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = INFRASUPPORTETC.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
INFRASUPPORTETC.COM = {
kdc = 10.10.10.100:88
admin_server = 10.10.10.100:749
default_domain = INFRASUPPORTETC.COM
}
[domain_realm]
.infrasupportetc.com = INFRASUPPORTETC.COM
infrasupportetc.com = INFRASUPPORTETC.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Add the following entries in nsswitch.conf:
passwd: files winbind
group: files winbind
Samba uses a daemon called winbindd that handles the authentication between Windows and Linux. When a Windows system tries to look at a share on the Samba server, it passes credentials. The Samba server needs to know where to look to validate the credentials. The above entries tell the Samba server to first check the local passwd file and if not there, then have winbindd look back in the Windows AD. It turns out, there is more to the story. In order for the Samba server to have a clue how to tell winbindd what to do, we need to put some Samba libraries in the right place. As of 4/3/2005, the documentation in the Samba-HOWTO-Collection is wrong.
Use this script provided by Doug VanLeuven to set up the libraries:
#!/bin/sh
# Save this script in /home/gregs or someplace convenient.
# cd /usr/src/samba-3.0.13/source and run this script from there.
echo "Copying nsswitch modules to system library"
CWD=`pwd`
cd /lib
rm -f libnss_winbind.so libnss_winbind.so.1 libnss_winbind.so.2
rm -f libnss_wins.so libnss_wins.so.1 libnss_wins.so.2
cd /usr/lib
rm -f libnss_winbind.so libnss_wins.so
cd $CWD
cp -f nsswitch/libnss_winbind.so /lib
cp -f nsswitch/libnss_wins.so /lib
cd /lib
ln -sf libnss_winbind.so libnss_winbind.so.1
ln -sf libnss_winbind.so libnss_winbind.so.2
ln -sf libnss_wins.so libnss_wins.so.1
ln -sf libnss_wins.so libnss_wins.so.2
cd /usr/lib
ln -sf ../../lib/libnss_winbind.so libnss_winbind.so
ln -sf ../../lib/libnss_wins.so libnss_wins.so
/sbin/ldconfig
Here is Doug's explanation for this script:
> I made this script to update the library after each samba build. Run it from the samba
> source directory. Should be more robust about the source dir, but I'm the only one who
> uses it. Remove the libnss_wins.so lines if you don't use it. Probably don't need
> the .1 links, but I was shotgunning in the beginning and never went back. The version
> number X is 1 for glibc 2.0 and 2 for glibc 2.1. I have some old stuff.
We need a place for log files. The smb.conf template points here:
mkdir /var/log/samba
(Also look in the already existing directory, /usr/local/samba/var for logfiles.)
Since we are building from source, we need a script to fire up the daemons, like this:
#!/bin/sh
/usr/local/samba/sbin/nmbd
/usr/local/samba/sbin/smbd
/usr/local/samba/sbin/winbindd
Save this script someplace convenient, perhaps /firewall-scripts.
Now join this system to the Win2003 domain. Here is an extract:
[root@infra-fw gregs]# /usr/local/samba/bin/net ads join -S 10.10.10.100 -U administrator
administrator's password:
Using short domain name -- INFRASUPPORTETC
Joined 'SQUIDTEST' to realm 'INFRASUPPORTETC.COM'
Here are a few useful commands for testing:
kinit username@DOMAIN.SUFFIX          Use Kerberos to get a ticket (prompts for password)
klist -e                              Lists cached Kerberos tickets
/usr/local/samba/bin/wbinfo -t        Check the trust relationship
/usr/local/samba/bin/wbinfo -g        Enumerate groups in the AD domain
/usr/local/samba/bin/wbinfo -u        Enumerate users in the AD domain
/usr/local/samba/bin/testparm         Checks the syntax for smb.conf
/usr/local/samba/bin/testparm -sv     Shows all the Samba parameters, including default options.
The following examples will be useful later. Squid will use this Samba program as an authentication helper.
[root@squidtest etc]# /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
infrasupportetc\username badpassword
ERR
infrasupportetc\username goodpassword
OK
The following also returns output, but testing from the keyboard has no value:
/usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
You can also test the authentication helper like this:
/usr/bin/ntlm_auth --username=[username]
[root@Stylmark-fw etc]# /usr/local/samba/bin/ntlm_auth --username=gregs
password:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
[root@Stylmark-fw etc]# /usr/local/samba/bin/ntlm_auth --username=gregs
password:
NT_STATUS_OK: Success (0x0)
************************************************************************
Now rebuild Squid
(The following modified from the explanation from Secure Computing Tech Support)
cd /usr/local/squid/src/squid-2.5.STABLE7
./configure \
--enable-smartfilter \
--enable-async-io \
--enable-linux-netfilter \
--enable-underscores \
--prefix=/usr/local/squid \
--enable-auth="ntlm,basic" \
--enable-external-acl-helpers="wbinfo_group" \
--enable-delay-pools \
--with-samba-sources=/usr/src/samba-3.0.13
Note that the wbinfo_group switch doesn't seem to be important. These switches:
# --enable-external-acl-helpers="winbind_group" \
# --enable-ntlm-auth-helpers="winbind" \
# --enable-basic-auth-helpers="winbind" \
cause the "make all" command below to blow up.
For Samba 3.n, Squid will use the authentication helpers with Samba. No need to build any Squid authentication helpers. In fact, the squid FAQ says it won't work with Samba 3.0 and tests with the above configure switches prove that. See:
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#winbind
Finish rebuilding squid like this:
make clean
make all
make install
Edit /usr/local/squid/etc/squid.conf and search for this string:
TAG: auth_param
Skip down through the explanatory comments and put in the following changes in this order:
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
Note that the template squid.conf file has several references to auth_param basic above the auth_param ntlm lines. Comment these out, so that the above lines are what are really in squid.conf. I ran into nasty problems when I forgot to comment out some auth_param basic lines above the auth_param ntlm lines.
Here is an explanation from Henrik Nordstrom for why squid.conf needs these lines in this order:
> You need both sections to support all browsers. Not all browsers support NTLM.
>
> You need them in specific order (ntlm first) because MSIE is broken and always selects the
> first advertised authentication scheme even if the standard clearly says it should select
> the strongest authentication scheme.
Now search for:
TAG: http_access
Find "INSERT YOUR OWN RULE(S) HERE" and put in this acl entry
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
Comment out any acls providing access to anyone in the local network. The above ACL forces people to authenticate.
Be sure this section ends with a line that looks like this:
http_access deny all
Save your edits.
Change group ownership for the Samba winbindd files:
chgrp -R squid /usr/local/samba/var/locks/winbindd_privileged
Change file ownership on squid files:
cd /usr/local/squid
chown -R squid:squid .
Create cache dirs and then start squid:
su squid
/usr/local/squid/sbin/squid -z
killall -9 squid
/usr/local/squid/sbin/squid
-----------------------------------
From a PC logged into AD you should now be able to point IE to your squid proxy and NOT be prompted for username and password.
 
Old 04-22-2008, 08:57 AM   #4
insurin
thanks for the reply.

I already have Ubuntu 7.10 server installed with Squid also installed. I don't think I have the energy to start from scratch and start installing RPMs, as I have now been converted to apt-get.

Are you confirming that I will need to make the Linux box part of the Active Directory domain by using Samba and PAM auth?

Just for now, I am not too fussed about users needing to enter their credentials into IE. I will leave that until last.

I am browsing the web from a client PC via Squid. Squid is logging activity but not by username.

I just need to know what else needs editing in squid.conf as well as what I have already mentioned.
 
Old 04-22-2008, 09:05 AM   #5
ksri07091983
Hi,

If you are not very concerned about the seamless proxy, you can go for squid_ldap_auth to authenticate to Active Directory, and for this to happen in Active Directory you have to enable anonymous LDAP binds.

Otherwise you will have to hardcode the Administrator's password in the 'squid_ldap_auth' statement.

I have enabled anonymous bind in my domain and I use the following line in my squid.conf

auth_param basic program /usr/sbin/squid_ldap_auth -R -b "dc=mydomain,dc=mydomain,dc=com" -f sAMAccountName=%s -h <myADSip>

If you haven't enabled anonymous bind, you may have to use the following

/usr/sbin/squid_ldap_auth -R -b "dc=mydomain,dc=mydomain,dc=com" -D <admindn> -w <admin password> -f sAMAccountName=%s -h <myADSip>

Hope this will help you


thanks

Sridhar
 
Old 04-22-2008, 09:11 AM   #6
insurin
I must be getting confused with what seamless proxy actually means.

Anyway I am using the second method you have proposed, as I do not have anonymous LDAP binds allowed.

My question is, what else do I need to edit in squid.conf along with the following?

auth_param basic program /usr/lib/squid/ldap_auth -R -b dc=mycompany,dc=co,dc=uk -D cn=administrator,cn=users,dc=mycompany,dc=co,dc=uk -w adminpassword -H 192.168.1.1 -f sAMAccountName=administrator
auth_param basic children 5
auth_param basic realm MyCompany
auth_param basic credentialsttl 5 minutes

I have read that stuff like acl user_acl ldap_auth REQUIRED needs to be entered, but I am not sure.

cheers
 
Old 04-22-2008, 09:25 AM   #7
ksri07091983
Hi,
Once you are done with the auth_param section, you will have to configure the access controls section, something like below:

acl authuser proxy_auth REQUIRED
# the above line says that for every connection matched by the acl 'authuser', authentication has to succeed

then in the http_access section

http_access allow authuser
# the above line says that once the connection has been authenticated with the authentication scheme mentioned in the auth_param section, allow that connection to go ahead and connect to the internet.

Otherwise the following line will be encountered, which will deny the request (but make sure that the following is the last line in the http_access section, i.e., below the line http_access allow authuser):

http_access deny all


After editing squid.conf with above modifications, reconfigure/restart squid and run the show!!

Thanks

Sridhar
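A check for the ordering rules that the HOWTO in post #3 and the post above both depend on, added here as an example; it is not Squid's own code and not from any of the posters. It flags: auth_param basic advertised before auth_param ntlm (MSIE takes the first scheme offered), more than one auth_param <scheme> program line for the same scheme (Squid keeps the last one, which is what the stray /usr/lib/squid/ line earlier in the thread would have done), an http_access allow for a plain src acl ahead of the proxy_auth rule or no proxy_auth rule at all (either way clients are never challenged and activity is logged without a username, the situation in post #4), and a final rule that is not http_access deny all. The two squid.conf fragments at the bottom are constructed for this example, and the helper paths in them are assumptions.

```python
"""Order checker for the auth_param / http_access section of squid.conf.

Added example, not Squid's own code.  Parsing is deliberately minimal: '#' starts
a comment, acl lines are reduced to name -> type, and only the directives the
thread argues about are read.  The two configs at the bottom are constructed.
"""


def parse_squid_conf(text):
    """Return (acl name -> type, [(allow|deny, [acl names])], scheme -> [helper commands])."""
    acls, access, programs = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) >= 3:
            acls[words[1]] = words[2]
        elif words[0] == "http_access" and len(words) >= 3:
            access.append((words[1], words[2:]))
        elif words[0] == "auth_param" and len(words) >= 4 and words[2] == "program":
            programs.setdefault(words[1], []).append(" ".join(words[3:]))
    return acls, access, programs


def check_order(text):
    """Return 'tag: explanation' findings; an empty list means the section is ordered correctly."""
    acls, access, programs = parse_squid_conf(text)
    findings = []

    for scheme, helpers in programs.items():
        if len(helpers) > 1:
            findings.append(f"duplicate-program: auth_param {scheme} program appears {len(helpers)} times; "
                            f"Squid keeps only the last one ({helpers[-1]!r})")

    schemes = list(programs)                 # first-appearance order of the schemes
    if "basic" in schemes and "ntlm" in schemes and schemes.index("basic") < schemes.index("ntlm"):
        findings.append("basic-before-ntlm: auth_param basic program precedes auth_param ntlm program; "
                        "MSIE takes the first advertised scheme, so domain users get a Basic prompt")

    def rule_types(names):                   # acl types used by one http_access rule ('!' negation stripped)
        return [acls.get(n.lstrip("!"), "?") for n in names]

    auth_rule = next((i for i, (_, names) in enumerate(access) if "proxy_auth" in rule_types(names)), None)
    if auth_rule is None:
        findings.append("missing-proxy-auth: no http_access rule uses a proxy_auth acl, so nobody is ever "
                        "challenged and access.log never gets a username")
    else:
        for action, names in access[:auth_rule]:
            if action == "allow" and all(t == "src" for t in rule_types(names)):
                findings.append(f"allow-before-auth: 'http_access allow {' '.join(names)}' precedes the proxy_auth "
                                "rule; those clients are never authenticated and are logged without a username")

    if not access or access[-1] != ("deny", ["all"]):
        findings.append("last-rule-not-deny-all: the http_access section must end with 'http_access deny all'")
    return findings


# Constructed: the mistakes from the thread in one file (helper paths are assumptions).
BAD_CONF = """\
auth_param basic program /usr/lib/squid/ldap_auth -R -b dc=mycompany,dc=co,dc=uk -f sAMAccountName=%s -h 192.168.1.1
auth_param basic program /usr/lib/squid/
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl our_networks src 192.168.1.0/24
acl authuser proxy_auth REQUIRED
http_access allow our_networks
http_access allow authuser
http_access deny all
"""

# Constructed: the ordering the HOWTO arrives at.
GOOD_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl manager proto cache_object
acl authuser proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access allow authuser
http_access deny all
"""

if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(name, check_order(conf) or ["ok"])
```

Run it against a real squid.conf with check_order(open("/etc/squid/squid.conf").read()) after editing; the "allow-before-auth" finding is the one to look at first, because a Squid that lets the LAN through before the proxy_auth rule never challenges anybody and the access log stays nameless no matter how the helper is configured.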
 
Old 04-22-2008, 09:59 AM   #8
insurin
just going to try your suggestion now, ill report back when done
 
Old 04-22-2008, 10:10 AM   #9
insurin
update:

Good news, I put your settings in and I got prompted for username and password. I tried putting my details in and it would not accept them, so I tried the administrator details as in what is in

auth_param basic program /usr/lib/squid/ldap_auth -R -b dc=mycompany,dc=co,dc=uk -D cn=administrator,cn=users,dc=mycompany,dc=co,dc=uk -w adminpassword -H 192.168.1.1 -f sAMAccountName=administrator


and it let me browse.

I then checked the logs and I could see my activity. This is great progress and much appreciated.

Where do I go so any user can be accepted when IE asks for username/password?
 
Old 04-22-2008, 10:34 AM   #10
insurin
ok, so I have changed my line from

auth_param basic program /usr/lib/squid/ldap_auth -R -b dc=mycompany,dc=co,dc=uk -D cn=administrator,cn=users,dc=mycompany,dc=co,dc=uk -w adminpassword -H 192.168.1.1 -f sAMAccountName=administrator

to

auth_param basic program /usr/lib/squid/ldap_auth -R -b dc=mycompany,dc=co,dc=uk -D cn=administrator,cn=users,dc=mycompany,dc=co,dc=uk -w adminpassword -H 192.168.1.1 -f sAMAccountName=%s

so I take it the %s has done something to allow any user to browse.

The next step is to get rid of IE prompting for the username and password. Although IE can save details (remember my password) I would still like to eliminate the prompt

Am I now at the stage of where I need to install samba and join to the domain? This bit is a complete blur to me now. Lets say I have to install Samba and join the domain. Does this mean when users open IE, their credentials are automatically taken from the logon session and then are used to authenticate IE and log?

 
Old 04-23-2008, 12:17 AM   #11
ksri07091983
Hi,

Using Samba and authenticating with ADS and using squid_ldap_auth are two different methods. You can choose either of them, not both at the same time.

The advantage in using Samba & krb5 is that it directly takes the user info from login and so doesn't prompt the user to enter his credentials. But it's a bit of a lengthy process to set it up.

Whereas using squid_ldap_auth is easier to set up, but I completely have no idea whether prompting for the username can be eliminated in this method (to my knowledge it can't be done).

If any expert out there can respond with a method to use squid_ldap_auth without the username being asked, that would sound so great...


Until then you can ask the users to "Remember Password" in the browser.

Thanks

Sridhar
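Why the change to sAMAccountName=%s in post #10 mattered, as an added example that is not part of any post above and not the source of squid_ldap_auth: the block below simulates what a Squid basic auth helper has to do with each "username password" line Squid writes to its stdin (which is also why the helper seems to hang when run by hand in post #2: it is waiting for that line). The in-memory directory, the account names and the passwords are constructed stand-ins for AD, and the filter handling is this example's own. It shows that with the fixed filter sAMAccountName=administrator any typed username is accepted as long as the password is the Administrator's, because the typed name is never looked up (Squid only logs it); that with sAMAccountName=%s each user is checked against their own account; and why whatever replaces %s has to be escaped before it goes into the search filter.

```python
"""Simulated Squid basic-auth LDAP helper (added example, not squid_ldap_auth itself).

Squid writes 'user password\\n' to the helper's stdin, both fields rfc1738 (%XX)
encoded, and reads back 'OK' or 'ERR'.  A directory helper must decode that line,
build the search filter from its -f template (escaping the username), and bind as
the DN it found with the supplied password.  DIRECTORY is a constructed stand-in
for the AD users container; names and passwords are illustrative.
"""
from urllib.parse import unquote

BASE_DN = "cn=users,dc=mycompany,dc=co,dc=uk"
DIRECTORY = {                                     # constructed sample entries
    f"cn=administrator,{BASE_DN}": {"sAMAccountName": "administrator", "userPassword": "adminpassword"},
    f"cn=insurin,{BASE_DN}": {"sAMAccountName": "insurin", "userPassword": "pass word"},
}
_FILTER_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, user, escape=True):
    """Expand the -f template: every %s becomes the (escaped) username."""
    return template.replace("%s", escape_filter_value(user) if escape else user)


def parse_helper_line(line):
    """Split Squid's line on the first space and undo the %XX encoding of both fields."""
    fields = line.rstrip("\n").split(" ", 1)
    if len(fields) != 2:
        raise ValueError("malformed helper line")
    return unquote(fields[0]), unquote(fields[1])


def _segments(pattern):
    """Split an equality value on unescaped '*'; decode \\XX so escaped metacharacters stay literal."""
    segments, current, i = [], "", 0
    while i < len(pattern):
        hexpair = pattern[i + 1:i + 3]
        if pattern[i] == "\\" and len(hexpair) == 2 and all(c in "0123456789abcdefABCDEF" for c in hexpair):
            current, i = current + chr(int(hexpair, 16)), i + 3
        elif pattern[i] == "*":
            segments.append(current)
            current, i = "", i + 1
        else:
            current, i = current + pattern[i], i + 1
    return segments + [current]


def _matches(pattern, value):
    """Wildcard comparison: literal segments in order, anchored at both ends."""
    segs = _segments(pattern)
    if len(segs) == 1:
        return value == segs[0]
    if not (value.startswith(segs[0]) and value.endswith(segs[-1])):
        return False
    pos = len(segs[0])
    for seg in segs[1:-1]:
        pos = value.find(seg, pos)
        if pos < 0:
            return False
        pos += len(seg)
    return pos <= len(value) - len(segs[-1])


def ldap_search(filter_expr):
    """Minimal evaluator for one 'attr=value' filter; returns matching DNs."""
    expr = filter_expr.strip()
    if expr.startswith("(") and expr.endswith(")"):
        expr = expr[1:-1]
    attr, _, pattern = expr.partition("=")
    return [dn for dn, entry in DIRECTORY.items() if attr in entry and _matches(pattern, entry[attr])]


def ldap_bind(dn, password):
    """Simple bind: the DN's stored password must equal the one supplied."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def authenticate(filter_template, helper_line, escape=True):
    """One helper round: the 'OK' or 'ERR' answer for one line from Squid."""
    user, password = parse_helper_line(helper_line)
    if not user or not password:
        return "ERR"   # DN plus empty password is an unauthenticated bind, which AD accepts; never forward it
    matches = ldap_search(build_filter(filter_template, user, escape))
    if len(matches) != 1:
        return "ERR"   # unknown account, or a wildcard that matched several
    return "OK" if ldap_bind(matches[0], password) else "ERR"


if __name__ == "__main__":
    fixed, templated = "sAMAccountName=administrator", "sAMAccountName=%s"
    print(authenticate(fixed, "insurin adminpassword\n"))                   # OK: typed name ignored, admin's password works for anyone
    print(authenticate(fixed, "insurin pass%20word\n"))                     # ERR: insurin's own password never reaches his DN
    print(authenticate(templated, "insurin pass%20word\n"))                 # OK: %s selects his entry, %20 decoded to a space
    print(authenticate(templated, "admin* adminpassword\n", escape=False))  # OK: unescaped wildcard lands on the admin account
    print(authenticate(templated, "admin* adminpassword\n"))                # ERR: '*' is escaped to \2a
```

Two practical points follow from the -D cn=administrator ... -w adminpassword lines in the configs above. The bind account only needs read access to the users container, so a dedicated low-privilege account belongs there rather than Administrator, and squid.conf should be readable only by root and the user Squid runs as, since that password sits in it in clear text. Basic authentication also carries every user's password base64-encoded, not encrypted, from browser to proxy, and a plain ldap:// simple bind carries it again from proxy to domain controller; an ldaps:// URI, or StartTLS where the helper build offers it, closes that second hop.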
 
Old 04-23-2008, 03:30 AM   #12
insurin
ksri:

I will now go and research Samba and krb5. Your help has been fantastic. I'll be back soon enough with more problems no doubt, seeing as it's a lengthy process.

in a bit.

 
Old 04-23-2008, 05:21 AM   #13
ksri07091983
Hi insurin,

All the best for your journey to ADS through samba & krb5 !!

Sridhar
 
  

