Differences between revisions 5 and 6
Revision 5 as of 2010-12-29 04:29:40 (size 2696, editor: DavidGoldstrom)
Revision 6 as of 2010-12-29 04:31:04 (size 2708, editor: DavidGoldstrom)

Brief instructions on how to get Squid to authenticate against your Debian-Edu LDAP database. This makes Squid (the web proxy server) prompt users for the username and password they have in the Skolelinux/Debian-Edu LDAP database, and only lets users who are in a chosen LDAP group out through the proxy.

In /etc/squid/squid.conf:

1. Set up general authentication of users via ldap_auth. The last argument, ldap, is the hostname of the LDAP server; -ZZ switches on StartTLS for that connection, so the bind with the user's password is not sent to the LDAP server in clear. Between the browser and the proxy this is HTTP Basic authentication, i.e. the credentials are only base64-encoded, which is acceptable on the school LAN but not across untrusted networks. credentialsttl is how long Squid caches a successful answer from the helper before asking again, so a changed or disabled password keeps working on the proxy for up to that long.

{{{
# TAG: auth_param
auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
auth_param basic children 30
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1 hours
}}}

2. Now that you can authenticate the users, tell Squid how to check that authenticated users are in a chosen group using squid_ldap_group. %LOGIN hands the authenticated username to the helper; -B and -F look the user up under ou=People by uid, and in the group filter %a is replaced by the group name from the acl line and %v by the user found that way. Check the filter against your own directory: it assumes the group objects carry a member attribute, and if your groups store members differently the helper's own help text (squid_ldap_group -h) documents the available placeholders.

{{{
# TAG: external_acl_type
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -ZZ -b "ou=Group,dc=skole,dc=skolelinux,dc=no" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap
}}}

3. Create an acl (access control list) requiring first authentication and then the group check. The word "teachers" corresponds to a Unix group in LDAP; several group names can be listed on the same acl line, and a user who is in any one of them matches.

{{{
# TAG: acl
acl password proxy_auth REQUIRED
acl password_group external ldap_group teachers
}}}

4. Allow http access to that acl, and remove the allows for schoolnet and ltspnet. http_access rules are evaluated top to bottom and the first match wins, so any earlier rule that allows a whole source network lets those clients through without ever being asked for a password. Keep the closing http_access deny all after your allow line.

{{{
# TAG: http_access
#http_access allow schoolnet
#http_access allow ltspnet
http_access allow password_group
}}}

4b. For the same reason, comment out the localnet definitions as needed, since http_access allow localnet would also let those address ranges through unauthenticated:

{{{
#acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
}}}

If you want to let DHCP clients (such as through wireless access) through without a password, then add this instead, keeping in mind that everyone in that range bypasses the LDAP check:

{{{
acl localnet src 10.0.2.100-10.0.3.243
}}}

If not, then you also have to comment out the corresponding rule, since Squid refuses to start when an http_access line refers to an acl that is no longer defined:

{{{
#http_access allow localnet
}}}

5. Restart squid (squid -k parse first checks the edited squid.conf for errors without restarting).

A good way to debug this process is to run the two helpers on the command line and make sure they work, exactly as Squid would run them. Each helper reads one request per line on standard input and answers with one line on standard output: for ldap_auth the request is the username and password separated by a space, for squid_ldap_group it is the username and the group name. Run the command, type the request on the next line and press Enter. If it replies OK you're good; if you get ERR the bind or the group lookup failed, and if you get nothing at all the helper could not talk to the LDAP server (typically the StartTLS handshake or the connection itself failed). Typing the password into the helper rather than putting it on the command line keeps it out of the shell history. Example:

{{{
gavinm@tjener > /usr/lib/squid/ldap_auth -ZZ -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
gavinm <mypassword>
OK

gavinm@tjener > /usr/lib/squid/squid_ldap_group -ZZ -b "ou=Group,dc=skole,dc=skolelinux,dc=no" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap
gavinm teachers
OK
}}}
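The same manual check, scripted so it can be repeated after every config change. This is an added example and not part of the wiki page or of Debian-Edu: it drives each helper the way Squid does (one request line on stdin, one reply line on stdout) and turns OK, ERR and "no reply at all" into distinct exit codes. The helper paths, base DNs, group filter and the server name ldap are taken from this page; the username, group and password are whatever you pass in. -F 'uid=%s' is the page's -F uid="%s" after shell quote removal.

```shell
#!/bin/sh
# Added example, not from the wiki page or Debian-Edu: exercise the two Squid
# helpers the way Squid itself does, by writing one request line to the
# helper's stdin and reading back its one-line reply (OK / ERR / nothing).
# Helper paths, base DNs and the server name "ldap" are taken from the page.

LDAP_SERVER=ldap
PEOPLE_BASE="ou=People,dc=skole,dc=skolelinux,dc=no"
GROUP_BASE="ou=Group,dc=skole,dc=skolelinux,dc=no"
AUTH_HELPER=/usr/lib/squid/ldap_auth
GROUP_HELPER=/usr/lib/squid/squid_ldap_group

# run_helper REQUEST_LINE HELPER [HELPER ARGS...]
# Prints the helper's first reply line and returns
#   0 for OK, 1 for ERR, 2 when the helper printed nothing at all.
# The "nothing at all" case is what a failed StartTLS handshake or LDAP
# connection looks like, so it is kept distinct from a plain ERR.
run_helper() {
    request=$1
    shift
    # The request must end in a newline, otherwise the helper keeps waiting.
    reply=$(printf '%s\n' "$request" | "$@" 2>/dev/null | head -n 1)
    printf '%s\n' "$reply"
    case $reply in
        OK*)  return 0 ;;
        ERR*) return 1 ;;
        *)    return 2 ;;
    esac
}

# check_auth USER PASSWORD  -> the request line Squid sends to ldap_auth
check_auth() {
    run_helper "$1 $2" "$AUTH_HELPER" -ZZ -b "$PEOPLE_BASE" "$LDAP_SERVER"
}

# check_group USER GROUP  -> the request line Squid sends to squid_ldap_group
check_group() {
    run_helper "$1 $2" "$GROUP_HELPER" -ZZ -b "$GROUP_BASE" \
        -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" \
        -B "$PEOPLE_BASE" -F 'uid=%s' "$LDAP_SERVER"
}

# Stand-alone use on tjener:  sh check_squid_ldap.sh USER GROUP
# The password is read from the terminal, not taken from argv, so it does not
# end up in ps output or in the shell history.
if [ $# -eq 2 ] && [ -t 0 ]; then
    printf 'Password for %s: ' "$1"
    stty -echo 2>/dev/null
    read -r password
    stty echo 2>/dev/null
    echo
    check_auth "$1" "$password"
    echo "auth rc=$?"
    check_group "$1" "$2"
    echo "group rc=$?"
fi
```

Both checks must return OK for a user before the squid.conf above can let that user through, so a 1 from check_auth points at the bind (wrong base DN, wrong server, wrong password) and a 1 from check_group at the group filter or the group's membership attribute; a 2 from either means the LDAP connection never came up and StartTLS is the first thing to look at.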

http://lists.debian.org/debian-edu/2005/03/msg00207.html