Articles September 8, 2004 at 6:41 am

Using OS X Open Directory to authenticate Squid Proxy Server

How to get Squid on another machine to authenticate to an Open Directory LDAP server.

While this example shows how to do this with a Red Hat box, the process is pretty much the same for any Unix/Linux.Setup is as follows:

Fedora Core 1 with standard Squid install.
OS X.3.5 Server configured as Open Directory Master.

Create an internet (or whatever you want to call it) group on the OS X server using workgroup manager (for this example I will be using a group name internet).
Add group members who you wish to give internet access via the squid proxy server.

Take note of your servers base DN (Distinguished Name). Ie if your domain name is test.co.nz, then your base DN is: dc=test, dc=co, dc=nz
That’s all the configuration you need to do on the OS X server. Now move to the squid proxy server.
I am assuming you are using fedora core 1 or some variant of red hat, if not, the relevant paths to files I references here may be different. However the basic Squid setup should be the same.
Make a copy of the /etc/ldap.conf file for your squid authentication:


cp /etc/ldap.conf /etc/ldap.squid.conf

Then edit the /etc/ldap.squid.conf using your favourite text editor (I use vi).

Change the following lines to match your setup:


# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host osxserver.test.co.nz

# The distinguished name of the search base.
base dc=test,dc=co,dc=nz

# Group to enforce membership of
pam_groupdn cn=internet,cn=groups,dc=test,dc=co,dc=nz

# Group member attribute
pam_member_attribute memberUid

Making sure that your squid server can resolve osxserver.test.co.nz to the ip address of your server, if not; add the ip address of your osx server here instead of the dns name.

Create the pam squid configuration file:


vi /etc/pam.d/squid

Insert the following information:


#%PAM-1.0
auth required /lib/security/pam_ldap.so config=/etc/ldap.squid.conf
account required /lib/security/pam_ldap.so config=/etc/ldap.squid.conf

You will now need to either modify your own pam_ldap.so source code (available here http://www.padl.com/download/pam_ldap.tgz ) so that when performing group authorisation, it checks for userid and not the users full dn, compile the module, or download the one I made earlier from here : http://www.twsl.co.nz/files/pam_ldap.so

Copy the new file into the /lib/security directory, replacing the old one.

Test the authentication:

/usr/lib/squid/pam_auth

At the new line, enter a valid username and password, making sure the user exists in the internet group on the OS X server. The format required is , ie:

username password

You should then be greeted with OK if the authentication was successful, ERR if username or password was incorrect, or “ERROR: Unexpected PAM converstaion ‘3/You must be a memberUid of cn=internet,cn=groups,dc=test,dc=co,dc=nz to login.’” If the user entered was not a member of the internet group.

Once you have confirmed that the pam_ldap authentication works ok, you can then modify the squid configuration to use it:

I am assuming you have some knowledge of squid configuration and will only note the lines that need to be present in order for pam_auth to be used. The following lines need to be added/modified in /etc/squid.conf


auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server

auth_param basic credentialsttl 2 hours

acl password proxy_auth REQUIRED

http_access allow password
http_access deny all

That’s all the lines that need to be modified in squid.conf, taking note that if there is a http_access allow all before the http_access deny all line, then your proxy server will allow all connections.

Restart squid proxy server:

Service squid restart

Test the configuration, making sure you point your browser to the proxy server. Of course, to make this all worthwhile, you will need to block port 80 on your firewall, so that clients on your lan cannot bypass the proxy server.

No Comments

  • I am currently in the process of creating a document for those people wishing to run squid on the OS X server and use ldap to authenticate the squid users… will be completed in a few days..

    Cheers
    Francois.

    • Greetings

      why did you use the PAM module and not the LDAP module?

      I have seen all types of documentation for squid and authentication, but nothing for squid authenticating against and OSX LDAP server without using PAM.
      ./configure –enable-basic-auth-helpers=LDAP

      auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b “ou=people, dc=example, dc=com” ldap.example.com

      I can get the browser to request the password, yet it does not accept it. when I change auth style to /etc/passwd it works fine.
      help

      -j

Leave a reply

You must be logged in to post a comment.