How to get Squid on another machine to authenticate to an Open Directory LDAP server.
While this example shows how to do this with a Red Hat box, the process is pretty much the same for any Unix/Linux.Setup is as follows:
Fedora Core 1 with standard Squid install.
OS X.3.5 Server configured as Open Directory Master.
Create an internet (or whatever you want to call it) group on the OS X server using workgroup manager (for this example I will be using a group name internet).
Add group members who you wish to give internet access via the squid proxy server.
Take note of your servers base DN (Distinguished Name). Ie if your domain name is test.co.nz, then your base DN is: dc=test, dc=co, dc=nz
That’s all the configuration you need to do on the OS X server. Now move to the squid proxy server.
I am assuming you are using fedora core 1 or some variant of red hat, if not, the relevant paths to files I references here may be different. However the basic Squid setup should be the same.
Make a copy of the /etc/ldap.conf file for your squid authentication:
cp /etc/ldap.conf /etc/ldap.squid.conf
Then edit the /etc/ldap.squid.conf using your favourite text editor (I use vi).
Change the following lines to match your setup:
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
# The distinguished name of the search base.
# Group to enforce membership of
# Group member attribute
Making sure that your squid server can resolve osxserver.test.co.nz to the ip address of your server, if not; add the ip address of your osx server here instead of the dns name.
Create the pam squid configuration file:
Insert the following information:
auth required /lib/security/pam_ldap.so config=/etc/ldap.squid.conf
account required /lib/security/pam_ldap.so config=/etc/ldap.squid.conf
You will now need to either modify your own pam_ldap.so source code (available here http://www.padl.com/download/pam_ldap.tgz ) so that when performing group authorisation, it checks for userid and not the users full dn, compile the module, or download the one I made earlier from here : http://www.twsl.co.nz/files/pam_ldap.so
Copy the new file into the /lib/security directory, replacing the old one.
Test the authentication:
At the new line, enter a valid username and password, making sure the user exists in the internet group on the OS X server. The format required is , ie:
You should then be greeted with OK if the authentication was successful, ERR if username or password was incorrect, or “ERROR: Unexpected PAM converstaion ‘3/You must be a memberUid of cn=internet,cn=groups,dc=test,dc=co,dc=nz to login.’” If the user entered was not a member of the internet group.
Once you have confirmed that the pam_ldap authentication works ok, you can then modify the squid configuration to use it:
I am assuming you have some knowledge of squid configuration and will only note the lines that need to be present in order for pam_auth to be used. The following lines need to be added/modified in /etc/squid.conf
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
http_access allow password
http_access deny all
That’s all the lines that need to be modified in squid.conf, taking note that if there is a http_access allow all before the http_access deny all line, then your proxy server will allow all connections.
Restart squid proxy server:
Service squid restart
Test the configuration, making sure you point your browser to the proxy server. Of course, to make this all worthwhile, you will need to block port 80 on your firewall, so that clients on your lan cannot bypass the proxy server.