Differences between revisions 1 and 2
Revision 1 as of 2006-03-19 23:40:03
Size: 2188
Editor: Gavin McCullagh
Comment: First creation, mostly copying in an old mailing list entry.
Revision 2 as of 2006-03-23 10:43:54
Size: 2250
Comment: Restructuring in SubTopics
## page was renamed from DebianEdu/Squid LDAP Authentication

Brief instructions on how to get Squid to authenticate against your Debian-Edu LDAP database. This makes Squid (the web proxy server) prompt users for the username and password they have in the Skolelinux/Debian-Edu LDAP database, and lets you restrict proxy access to members of a chosen LDAP group.

In /etc/squid/squid.conf:

1. Set up general authentication of users via ldap_auth.

{{{
# TAG: auth_param
auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
auth_param basic children 30
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1 hours
}}}

2. Now that you can authenticate the users, tell Squid how to check that authenticated users are in a chosen group, using squid_ldap_group.

{{{
# TAG: external_acl_type
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -ZZ -b "ou=Group,dc=skole,dc=skolelinux,dc=no" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap
}}}

3. Create an acl (access control list) requiring first authentication and then the group check. The word "teachers" is the name of a Unix group in LDAP; several group names can be listed here.

{{{
# TAG: acl
acl password proxy_auth REQUIRED
acl password_group external ldap_group teachers
}}}

4. Allow HTTP access for users matching that acl, and remove (comment out) the existing allow lines for schoolnet and ltspnet so that unauthenticated clients on those networks no longer get through.

{{{
# TAG: http_access
#http_access allow schoolnet
#http_access allow ltspnet
http_access allow password_group
}}}

5. Restart squid.

A good way to debug this process is to run the two external tools on the command line and make sure they work. Run the command, then type the parameters (the same request line Squid would send) on the next line. If it replies OK you're good; if you get ERR or nothing at all, things are not working. e.g.

{{{
gavinm@tjener > /usr/lib/squid/ldap_auth -ZZ -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
gavinm <mypassword>
OK
}}}

{{{
gavinm@tjener > /usr/lib/squid/squid_ldap_group -ZZ -b "ou=Group,dc=skole,dc=skolelinux,dc=no" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap
gavinm teachers
OK
}}}
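The debugging step above can be scripted so that both helpers are exercised in the same order Squid uses them (authentication first, then the group check) and the three outcomes the text describes (OK, ERR, no reply at all) are told apart. The script below is an added example and not part of the Debian-Edu wiki page: the helper paths, base DNs and LDAP filter are the page's own values, while the two "fake" helper commands at the bottom are constructed stand-ins that never contact LDAP and exist only so the classification logic can be self-tested offline.

```shell
#!/bin/sh
# Added example (not from the Debian-Edu wiki page): drive the two Squid helpers
# non-interactively so the "type the parameters on the next line" check can be
# scripted. Helper paths, base DNs and the filter are the page's values.

LDAP_SERVER=ldap
PEOPLE_BASE="ou=People,dc=skole,dc=skolelinux,dc=no"
GROUP_BASE="ou=Group,dc=skole,dc=skolelinux,dc=no"

# The helper command lines exactly as they appear in squid.conf; sh -c re-parses them.
LDAP_AUTH_CMD="/usr/lib/squid/ldap_auth -ZZ -b \"$PEOPLE_BASE\" $LDAP_SERVER"
LDAP_GROUP_CMD="/usr/lib/squid/squid_ldap_group -ZZ -b \"$GROUP_BASE\" -f \"(&(objectclass=posixGroup)(cn=%a)(member=%v))\" -B \"$PEOPLE_BASE\" -F uid=\"%s\" $LDAP_SERVER"

# squid_helper_check HELPER_COMMAND REQUEST_LINE
# Feeds one request line to the helper on stdin and classifies its first reply line:
#   0  OK   helper accepted the request
#   1  ERR  helper reached LDAP but rejected the request (bad password / not in group)
#   2       no reply at all: wrong helper path, TLS (-ZZ) or LDAP connection failure
#   3       anything else
squid_helper_check() {
    reply=$(printf '%s\n' "$2" | sh -c "$1" 2>/dev/null | head -n 1)
    case $reply in
        OK|OK\ *)   return 0 ;;
        ERR|ERR\ *) return 1 ;;
        '')         return 2 ;;
        *)          return 3 ;;
    esac
}

# describe_rc RC -> human-readable verdict for a squid_helper_check result
describe_rc() {
    case $1 in
        0) echo "OK" ;;
        1) echo "ERR (helper reached LDAP but rejected the request)" ;;
        2) echo "no reply (helper not found, crashed, or could not reach LDAP)" ;;
        *) echo "unexpected reply" ;;
    esac
}

# check_proxy_user USER PASSWORD GROUP
# Runs the authentication check, then the group check, in the order Squid
# evaluates the acls. Returns 0 only when both helpers answer OK.
check_proxy_user() {
    squid_helper_check "$LDAP_AUTH_CMD" "$1 $2"; auth_rc=$?
    echo "ldap_auth:        $(describe_rc "$auth_rc")"
    [ "$auth_rc" -eq 0 ] || return "$auth_rc"
    squid_helper_check "$LDAP_GROUP_CMD" "$1 $3"; group_rc=$?
    echo "squid_ldap_group: $(describe_rc "$group_rc")"
    return "$group_rc"
}

# Constructed stand-ins for the offline self-test; they never touch LDAP.
# FAKE_AUTH accepts only user "gavinm" with password "secret" (constructed values);
# FAKE_DEAD exits without replying, like a helper that fails to start.
FAKE_AUTH='read user pass; if [ "$user" = gavinm ] && [ "$pass" = secret ]; then echo OK; else echo ERR; fi'
FAKE_DEAD='exit 1'

# Usage against the real helpers on tjener:  sh check_squid_ldap.sh USER PASSWORD GROUP
# (a password given as an argument is visible in the process list and shell
# history while the check runs, so run it as root on the server, not over a shared shell)
if [ "$#" -eq 3 ]; then
    check_proxy_user "$1" "$2" "$3"
fi
```

Distinguishing the empty reply from ERR matters in practice: ERR means the whole chain up to LDAP works and the credentials or group membership are simply wrong, whereas no reply usually points at the `-ZZ` TLS requirement, the server name `ldap` not resolving, or a helper binary that is not at the path given in squid.conf.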