Brief instructions on how to get Squid to authenticate against your Debian-Edu LDAP database. This will get Squid (the web proxy server) to prompt users for the username and password they have in the skolelinux/debian-edu LDAP database.

In /etc/squid/conf.d/debian-edu-ldap-auth.conf:

1. Set up general authentication of users via the basic_ldap_auth helper.

auth_param basic program /usr/lib/squid/basic_ldap_auth -ZZ -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
auth_param basic children 30
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1 hours

2. Now that you can authenticate the users, tell Squid how to check that an authenticated user is in a chosen group, using the ext_ldap_group_acl helper.

external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -ZZ -b "ou=Group,dc=skole,dc=skolelinux,dc=no" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap

3. Create an acl (access control list) requiring first authentication and then the group check. The word "teachers" is the name of a Unix group (a posixGroup in LDAP); several group names can be listed here.

acl password proxy_auth REQUIRED
acl password_group external ldap_group teachers

4. Grant http access to users matching that acl, and remove (comment out) the existing allow rules for schoolnet and ltspnet:

#http_access allow schoolnet
#http_access allow ltspnet
http_access allow password_group

4b. As needed, comment out the default localnet definitions:

#acl localnet src    # RFC1918 possible internal network
#acl localnet src    # RFC1918 possible internal network
#acl localnet src    # RFC1918 possible internal network

If you want to allow DHCP (such as through wireless access) then add:

acl localnet src

If not, then you also have to comment out the corresponding:

#http_access allow localnet

5. Restart squid.

A good way to debug this setup is to run the two helpers by hand on the command line and make sure they work. Run the command, then type the parameters on the next line and press enter. If it replies OK you're good; if you get ERR, or no reply at all, things are not working. E.g.

gavinm@tjener > /usr/lib/squid/basic_ldap_auth -ZZ -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
gavinm <mypassword>

gavinm@tjener > /usr/lib/squid/ext_ldap_group_acl -ZZ -b "ou=Group,dc=skole,dc=skolelinux,dc=no" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap
gavinm teachers
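The group check above is really two LDAP searches: the -B/-F options find the user's DN, and that DN is then substituted for %v in the -f filter (with %a being the group name given in the acl line). The following is an added example, not part of the Debian-Edu page or of Squid's own helper code: it models that two-step composition with the exact base DNs and filters used above, applies RFC 4515 filter escaping to the substituted values (the example's own choice; the page does not say how the real helper escapes), and runs the lookup against a small constructed stand-in for the directory.

```python
# Added example (not from the Debian-Edu page): models how the
# ext_ldap_group_acl options used above compose into two LDAP searches.
PEOPLE_BASE = "ou=People,dc=skole,dc=skolelinux,dc=no"   # the -B argument
GROUP_BASE = "ou=Group,dc=skole,dc=skolelinux,dc=no"     # the -b argument
USER_FILTER = "uid=%s"                                   # the -F argument
GROUP_FILTER = "(&(objectclass=posixGroup)(cn=%a)(member=%v))"  # the -f argument


def ldap_escape(value):
    """Escape the RFC 4515 filter metacharacters so that a login name or
    group name cannot change the structure of the filter it is placed in."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search(login):
    """Step 1 (-B/-F): base and filter used to locate the user's DN.
    OpenLDAP accepts a simple filter without outer parentheses, so the
    page's uid=%s form is kept as-is."""
    return PEOPLE_BASE, USER_FILTER.replace("%s", ldap_escape(login))


def group_search(user_dn, group):
    """Step 2 (-b/-f): %a is the acl argument (group name), %v the DN from step 1."""
    filt = GROUP_FILTER.replace("%a", ldap_escape(group))
    filt = filt.replace("%v", ldap_escape(user_dn))
    return GROUP_BASE, filt


# Constructed stand-in for the directory: uid -> DN, and group cn -> member DNs.
DIRECTORY = {
    "users": {"gavinm": "uid=gavinm,ou=People,dc=skole,dc=skolelinux,dc=no",
              "pupil1": "uid=pupil1,ou=People,dc=skole,dc=skolelinux,dc=no"},
    "groups": {"teachers": {"uid=gavinm,ou=People,dc=skole,dc=skolelinux,dc=no"}},
}


def check_group(login, group, directory=DIRECTORY):
    """Return "OK" or "ERR" the way the helper would for '<login> <group>'."""
    user_dn = directory["users"].get(login)
    if user_dn is None:
        return "ERR"            # step 1 found no DN; no second search is made
    _, filt = group_search(user_dn, group)
    members = directory["groups"].get(group, set())
    # The stand-in evaluates the member=%v clause directly against its data.
    return "OK" if user_dn in members and ("member=" + user_dn) in filt else "ERR"


if __name__ == "__main__":
    print(check_group("gavinm", "teachers"))   # OK
    print(check_group("pupil1", "teachers"))   # ERR
```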