Differences between revisions 5 and 7 (spanning 2 versions)
Revision 5 as of 2010-12-29 04:29:40
Size: 2696
Editor: ?DavidGoldstrom
Comment:
Revision 7 as of 2011-01-03 08:15:29
Size: 2734
Comment: formatting corrections

Brief instructions on how to get Squid to authenticate against your Debian-Edu LDAP database. This will get Squid (the web proxy server) to prompt users for the username and password they have in the skolelinux/debian-edu LDAP database.

In /etc/squid/squid.conf:

1. Set up general authentication of users via ldap_auth.

auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
auth_param basic children 30
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1 hours

2. Now that users can be authenticated, tell Squid how to check that an authenticated user is a member of a chosen group, using squid_ldap_group.

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -ZZ -b "ou=Group,dc=skole,dc=skolelinux,dc=no" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap

3. Create an acl (access control list) that requires authentication first and then the group check. The word "teachers" is a Unix group name; several group names can be listed here.

acl password proxy_auth REQUIRED
acl password_group external ldap_group teachers

4. Allow HTTP access to users matching that acl, and remove the existing allow rules for schoolnet and ltspnet:

#http_access allow schoolnet
#http_access allow ltspnet
http_access allow password_group

4b. As needed, comment out:

#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16        # RFC1918 possible internal network

If you want to allow DHCP clients (such as wireless users) without authentication, then add:

acl localnet src 10.0.2.100-10.0.3.243

If not, then you also have to comment out the corresponding rule:

#http_access allow localnet

5. Restart squid.
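Squid evaluates http_access rules top-down and stops at the first match, so the edits in steps 4 and 4b only take effect if "allow password_group" ends up above the final "deny all" and none of the old allow rules is left uncommented. The following script is an added example, not part of the wiki page or of Debian-Edu; it assumes a standard awk and a squid.conf that still contains the usual "http_access deny all" line, and it reports the ordering problems a practitioner would otherwise only discover by testing from a browser.

```shell
#!/bin/sh
# Hypothetical sanity check for the http_access edits described above.
# It is not part of the wiki page or of Debian-Edu. Squid applies http_access
# lines in order, first match wins, so:
#   - "http_access allow password_group" must appear before "http_access deny all"
#   - "http_access allow localnet/schoolnet/ltspnet" must really be commented out

# check_access_order CONF : prints each problem found; returns 0 if none.
check_access_order() {
  conf=$1
  awk '
    # comments and blank lines are not rules
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 == "http_access" {
      n++
      rule = $2 " " $3
      if (rule == "allow password_group") allow_at = n
      if (rule == "deny all")            deny_at = n
      if ($2 == "allow" && ($3 == "localnet" || $3 == "schoolnet" || $3 == "ltspnet")) {
        print "still open: http_access " rule
        p++
      }
    }
    END {
      if (!allow_at) {
        print "missing: http_access allow password_group"
        p++
      } else if (deny_at && deny_at < allow_at) {
        print "unreachable: allow password_group comes after deny all"
        p++
      }
      if (p) exit 1
    }
  ' "$conf"
}

# usage: check_access_order /etc/squid/squid.conf && echo "http_access order looks fine"
```

Run it before "squid -k reconfigure" or the restart in step 5; a non-zero exit with an "unreachable" line is the classic symptom of pasting the new allow rule at the end of the file.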

A good way to debug this process is to run the two external helpers on the command line and make sure they work. Run the command, then type the parameters on the next line. If it replies OK you're good; if you get ERR or nothing at all, things are not working. For example:

gavinm@tjener > /usr/lib/squid/ldap_auth -ZZ -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
gavinm <mypassword>
OK

gavinm@tjener > /usr/lib/squid/squid_ldap_group -ZZ -b "ou=Group,dc=skole,dc=skolelinux,dc=no" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap
gavinm teachers
OK
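The manual test above works because both helpers speak the same simple protocol: one request line on stdin ("user password" for ldap_auth, "user group" for squid_ldap_group) and one reply line, OK or ERR, on stdout. The wrapper below is an added example, not from the wiki page or from Squid; it scripts that check so the result becomes an exit status, reads the password without echo rather than having it appear on the screen as in the transcript above, and uses the same helper paths and LDAP base DNs as the configuration in steps 1 and 2 (assumed to be correct for your server; the function names are hypothetical).

```shell
#!/bin/sh
# Hypothetical wrapper around the manual helper test above (not part of the
# wiki page or of Squid). Squid basic-auth and external-acl helpers read one
# request line on stdin and answer "OK" or "ERR" on stdout.

# run_helper LINE HELPER [ARGS...] : feed LINE to the helper once.
# Returns 0 for OK, 1 for ERR, 2 for no reply or an unexpected reply.
run_helper() {
  line=$1; shift
  # printf is a shell builtin, so the credential line does not show up in
  # another process's argv; stdin closes after one line so the helper exits.
  reply=$(printf '%s\n' "$line" | "$@" 2>/dev/null | head -n 1)
  case "$reply" in
    OK*)  return 0 ;;
    ERR*) return 1 ;;
    *)    return 2 ;;
  esac
}

# check_login USER : prompt for the password (no echo) and test ldap_auth.
check_login() {
  user=$1
  printf 'Password for %s: ' "$user" >&2
  stty -echo 2>/dev/null
  read -r pass
  stty echo 2>/dev/null
  echo >&2
  run_helper "$user $pass" /usr/lib/squid/ldap_auth -ZZ \
    -b "ou=People,dc=skole,dc=skolelinux,dc=no" ldap
}

# check_group USER GROUP : test squid_ldap_group for that user/group pair.
check_group() {
  run_helper "$1 $2" /usr/lib/squid/squid_ldap_group -ZZ \
    -b "ou=Group,dc=skole,dc=skolelinux,dc=no" \
    -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" \
    -B "ou=People,dc=skole,dc=skolelinux,dc=no" -F uid="%s" ldap
}

# usage on the server:
#   check_login gavinm          && echo "login OK"
#   check_group gavinm teachers && echo "group OK"
```

Exit status 2 (no reply at all) usually means the helper could not reach or TLS-negotiate with the LDAP server (-ZZ insists on STARTTLS), whereas 1 means LDAP answered and rejected the credentials or the membership; distinguishing the two saves time when the browser just keeps prompting.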

http://lists.debian.org/debian-edu/2005/03/msg00207.html