Add more control to your Squid proxy server by adding LDAP authentication
Using pluggable authentication modules (PAM) and Open Directory you can easily limit who is able to surf the web. The following are the steps I used to install the Squid proxy server on an OS X.3.5 Open Directory server and enable Squid to use a group created in Workgroup Manager (named “internet”) to authenticate and authorize users, giving only members of that group access to the internet. Additionally, I have added the steps I followed to install Dansguardian, which are very minimal since Dave Lopata (package maintainer) has created an installer package.
Steps to install Squid proxy Server on OS X:
- Download squid-2.5.STABLE6.
- Download the PAM source code.
- Extract the archive and copy its libpam/include/security directory into /usr/include/.
- Configure, compile and install squid:
./configure --prefix=/usr/local/squid --enable-basic-auth-helpers=PAM
make
make install
- Create the startupitem for squid:
mkdir /Library/StartupItems/squid
cd /Library/StartupItems/squid
- Create a new file named StartupParameters.plist with the following contents:
{
  Description = "Squid Proxy Server";
  Provides = ("squid");
  Requires = ("Resolver");
  OrderPreference = "None";
  Messages = {
    start = "Starting squid server";
    stop = "Stopping squid server";
    restart = "Restarting squid server";
  };
}
- Create a new file named squid with the following contents (the StartService check means squid is only started when /etc/hostconfig contains SQUID=-YES-):
#!/bin/bash
. /etc/rc.common

StartService () {
    if [ "${SQUID:=-NO-}" = "-YES-" ]; then
        ConsoleMessage "Starting Squid Server"
        /usr/local/squid/sbin/squid -D
    fi
}

StopService () {
    ConsoleMessage "Stopping Squid Server"
    /usr/local/squid/sbin/squid -k kill
}

RestartService () {
    StopService
    StartService
}

RunService "$1"
- Ensure the following permissions are set on the two files:
rwxr-xr-x StartupParameters.plist
rwxr-xr-x squid
Now Install PAM_LDAP module:
- Download the pam_ldap source code.
- Extract the archive and change into the extracted directory:
gnutar -xzvf pam_ldap.tgz
cd pam_ldap-173
- Edit the file pam_ldap.c
Find the section that starts with (around line 3670):
/* group auth, per Chris's pam_ldap_auth module */
if (session->conf->groupdn != NULL)
  {
    rc = ldap_compare_s (session->ld, session->conf->groupdn,
                         session->conf->groupattr, session->info->userdn);
Change the last line (line number 3675) so that it looks like this:
/* group auth, per Chris's pam_ldap_auth module */
if (session->conf->groupdn != NULL)
  {
    rc = ldap_compare_s (session->ld, session->conf->groupdn,
                         session->conf->groupattr, session->info->username);
- Now compile and install the pam_ldap module:
./configure
make
Once the make has completed, you will need to modify the Makefile so that the install step runs correctly.
Edit the Makefile and look for the two lines that look something like this:
$(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so.1
$(INSTALL_DATA) -o root -g root $(srcdir)/ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf;
Replace the word “root” in those two lines with the number “0” (the install command shipped with OS X expects a numeric UID and GID, not a name), save the file, and then run:
make install
Now move the pam_ldap module to the directory OS X uses for PAM modules:
cd /lib/security
mv * /usr/lib/pam/
cd /
rm -rf /lib/security
Change to the /etc directory, copy the ldap.conf file to ldap.squid.conf and modify the ldap.squid.conf to match your network settings, making sure the following at least are set:
host 127.0.0.1
base dc=your,dc=domain,dc=name
pam_groupdn cn=internet,cn=groups,dc=your,dc=domain,dc=name
pam_member_attribute memberUid
Create a file called “squid” in /etc/pam.d/ directory and insert the following:
#%PAM-1.0
auth required /usr/lib/pam/pam_ldap.so config=/etc/ldap.squid.conf
account required /usr/lib/pam/pam_ldap.so config=/etc/ldap.squid.conf
Now test that the pam_auth module works correctly.
/usr/local/squid/libexec/pam_auth
Enter a valid username and password (using a user that exists in the internet group you specified in the ldap.squid.conf file above).
If authentication succeeds you will see “OK”. If the username or password is incorrect, or the user does not exist on the server, you will see “ERR”. If the user exists on the server but is not a member of the internet group you specified, you will see:
ERROR: Unexpected PAM conversation. ‘You must be a memberUid of cn=internet,cn=groups,dc=your,dc=domain,dc=name to login.’
ERR
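To make the three outcomes above concrete, here is an added Python emulation (not code from the article, from pam_ldap or from Squid) of the decision the pam_auth helper returns once pam_ldap is patched and configured as described. It stands in for the Open Directory server with a constructed in-memory directory: the user names, passwords and “demo-salt” hashing are invented for the example, while the group DN, the memberUid attribute and the error text follow the article. It also shows the ldap_compare_s change from the patch (DN versus short name) and what happens when pam_member_attribute is set to the group’s GID instead of memberUid, the mistake discussed in the comments.

```python
"""Added example (not code from the article, pam_ldap or Squid): a Python
emulation of the decision behind the pam_auth helper once pam_ldap is
patched and configured as described above, against a constructed
in-memory stand-in for the Open Directory server."""
import hashlib
import hmac
import sys


def _digest(password: str) -> bytes:
    # Constructed demo hashing; a real directory server keeps its own hashes.
    return hashlib.sha256(b"demo-salt:" + password.encode()).digest()


# Constructed directory contents. Open Directory groups list their members
# by short name in the multi-valued memberUid attribute, not by DN.
USERS = {  # short name -> (DN, password digest)
    "jk":    ("uid=jk,cn=users,dc=your,dc=domain,dc=name",    _digest("s3cret")),
    "guest": ("uid=guest,cn=users,dc=your,dc=domain,dc=name", _digest("guest")),
}
GROUP_DN = "cn=internet,cn=groups,dc=your,dc=domain,dc=name"
GROUPS = {
    GROUP_DN: {"cn": ["internet"], "gidNumber": ["1033"], "memberUid": ["jk"]},
}

# The two /etc/ldap.squid.conf settings that drive the group check, plus the
# mis-setting from the comment thread (attribute name set to the GID).
CONF = {"pam_groupdn": GROUP_DN, "pam_member_attribute": "memberUid"}
BAD_CONF = {"pam_groupdn": GROUP_DN, "pam_member_attribute": "1033"}


def ldap_compare(dn: str, attr: str, value: str) -> bool:
    """Stands in for ldap_compare_s(): does entry dn carry value in attribute attr?"""
    entry = GROUPS.get(dn)
    return entry is not None and value in entry.get(attr, [])


def group_check(username: str, patched: bool = True) -> bool:
    """The compare at the heart of the pam_ldap patch: the unpatched code passes
    the user's DN (session->info->userdn); the patch passes the short name
    (session->info->username), which is what memberUid actually holds."""
    value = username if patched else USERS[username][0]
    return ldap_compare(GROUP_DN, CONF["pam_member_attribute"], value)


def authenticate(line: str, conf: dict = CONF):
    """One round of the helper: input 'username password', result
    ('OK', '') or ('ERR', reason). The reason mirrors what pam_ldap reports."""
    try:
        username, password = line.rstrip("\n").split(" ", 1)
    except ValueError:
        return ("ERR", "malformed input: expected 'username password'")
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user[1], _digest(password)):
        # auth stage: unknown user and wrong password look the same to the client
        return ("ERR", "bad username or password")
    attr = conf["pam_member_attribute"]
    if not ldap_compare(conf["pam_groupdn"], attr, username):
        # account stage: valid credentials but not listed in the group
        return ("ERR", f"You must be a {attr} of {conf['pam_groupdn']} to login.")
    return ("OK", "")


if __name__ == "__main__":
    # Speaks the same line protocol as the real helper: one "user pass" per line.
    for line in sys.stdin:
        verdict, reason = authenticate(line)
        if reason:
            print(f"ERROR: {reason}")
        print(verdict, flush=True)
```

Run it and type a line such as jk s3cret to get OK, guest guest to get the group error, and anything else to get ERR. With BAD_CONF the compare is made against an attribute named “1033”, which no group entry carries, so even a member of the group is refused with the “You must be a 1033 of …” message.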
That is all the configuration needed for pam_ldap authentication. Next, modify your /usr/local/squid/etc/squid.conf file so that Squid uses pam_auth for authentication.
Configuring Squid
- Edit your /usr/local/squid/etc/squid.conf to include at least the following:
auth_param basic program /usr/local/squid/libexec/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
http_access allow password
(and below it NOT above it in the config file)
http_access deny all
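Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides the request, which is why the allow line has to sit above deny all. As an added example (not from the article or from Squid), the following Python simulator applies that first-match rule to the two ACL types used on this page; the two configs, the request representation and the “challenge” result standing in for Squid’s 407 response are assumptions of the example.

```python
"""Added example (not from the original article or Squid): first-match
simulation of Squid's http_access evaluation for the two ACL types used
on this page, to show why 'http_access allow password' must precede
'http_access deny all'."""

# Constructed configs: the article's ordering and the inverted (wrong) one.
SQUID_CONF_GOOD = """\
acl password proxy_auth REQUIRED
http_access allow password
http_access deny all
"""

SQUID_CONF_BAD = """\
acl password proxy_auth REQUIRED
http_access deny all
http_access allow password
"""

CHALLENGE = "challenge"  # stands for Squid's 407 Proxy Authentication Required


def parse_conf(conf: str):
    """Return (acls, rules): acls maps name -> (type, args);
    rules is the ordered list of (action, [acl names])."""
    # 'all' is assumed to be defined, as the stock squid.conf does
    acls = {"all": ("all", [])}
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls[parts[1]] = (parts[2], parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, request):
    """True/False for a decided match; None when a proxy_auth ACL is reached
    but the client has not sent credentials yet (simplification: Squid
    challenges in that case, so this simulator stops there)."""
    acl_type, args = acl
    if acl_type == "all":
        return True
    if acl_type == "proxy_auth":
        user = request.get("user")  # None until the helper has answered OK
        if user is None:
            return None
        return "REQUIRED" in args or user in args
    raise ValueError(f"unsupported acl type: {acl_type}")


def decide(conf: str, request: dict) -> str:
    """First matching http_access line wins; every ACL on a line must match."""
    acls, rules = parse_conf(conf)
    for action, names in rules:
        line_matches = True
        for name in names:
            result = acl_matches(acls[name], request)
            if result is None:
                return CHALLENGE
            if not result:
                line_matches = False
                break
        if line_matches:
            return action
    if not rules:
        return "deny"
    # nothing matched: Squid applies the opposite of the last rule's action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for label, conf in (("article order", SQUID_CONF_GOOD), ("inverted", SQUID_CONF_BAD)):
        print(label, "| anonymous ->", decide(conf, {}),
              "| authenticated ->", decide(conf, {"user": "jk"}))
```

With the article’s ordering an anonymous request is challenged for credentials and an authenticated one is allowed; with deny all first, the proxy_auth line is never reached, so no challenge is ever sent and every client, authenticated or not, is denied.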
- That’s all the configuration required for squid. Now you will need to set proper permissions of the directories used by squid.
chown -R nobody /usr/local/squid/var
- Create the swap directories
/usr/local/squid/sbin/squid -z
- Now restart the squid service:
SystemStarter restart squid
then point your browser at the proxy and test.
- If you have problems, start squid in verbose mode:
/usr/local/squid/sbin/squid -D -d 3
and check the output for errors.
Installing Dansguardian on OS X server.
Download the Dansguardian OS X package.
Extract the tar file and install the dansguardian package.
All Dansguardian files are installed into the /opt/dansguardian directory.
Since I am running OS X.3.5 Server, it was necessary to modify the startup/shutdown/restart script for dansguardian. Edit the /System/Library/StartupItems/dansguardian/dansguardian file so that it uses the dansguardian-10.3 binary directly instead of the symlink to it. Before I changed this, I could not get the startup script to work.
Configure (you can download a great console from here http://www.lopata.net/filemgmt/) and start dansguardian as required.
Has anyone else had a problem with this? After I download the pam_ldap
source code, I do not see any file name pam_auth.c There is a pam_ldap.c
that I make the same changes to instead but then when I get down to the
testing the pam_auth module, nothing happens. It doesn’t prompt me for a
user name or password and in digging around, I have no idea why. Any
suggestions out there?
BTW: I’m running 10.3.7, and I downloaded Linux-PAM-0.77, pam_ldap-176,
and squid-2.5.STABLE6 to set it all up.
Yes you are right, must have not put the correct file name in the text, the correct file is pam_ldap.c.
When you are testing the pam_auth module, does the prompt return to you or does the program sit there waiting??
ie your prompt should look something like:
#PROMPT>/usr/local/squid/libexec/pam_auth
username [space] password
OK
So, when you type the command pam_auth, the cursor should then move to the beginning of the next line, you then type in your username followed by a space then enter your password, then press enter. You should be greeted with OK if authorization was successful.
You will need to CTRL-C to exit the pam_auth program.
Let me know if that clears things up.
If you think your pam_auth.so file may not be correct, you may download one from here https://www.afp548.com/filemgmt/visit.php?lid=11 which I have made the required changes to and compiled.
Cheers
Francois.
That does clear things up, thank you. I was looking for some kind of prompt,
not just a blank space… In going with your suggestion – after typing in
/usr/local/squid/libexec/pam_auth
then typing my username and password, I am greeted with:
ERROR: Unexpected PAM conversation ‘3/You must be a 1033 of
cn=internet,cn=groups,dc=domain,dc=com to login.’
ERR
1033 is the GroupID of the internet group (changed domain.com above to
protect the innocent…) My username is a member of the internet group.
Any other suggestion (besides not being in internet group) on why this
message would come up?
Thanks!
JK
I would just check your /etc/ldap.squid.conf file for the
pam_member_attribute, make sure it is assigned memberUid as this is what
OS X open directory uses.
I believe they are fine. In the workgroup manager, I have created a group
called internet and it has the ID of 1033. I put that same number in
the ldap.squid.conf file.
Screenshot of Workgroup Manager.
Screenshot of ldap.squid.conf settings.
Any other ideas???
Let us know.
Thanks!
JK
The pam_member_attribute must be set to "memberUid" NOT "1033"
So, the lines you have in /etc/ldap.squid.conf should include:
pam_groupdn cn=internet,cn=groups,dc=your,dc=domain,dc=name
pam_member_attribute memberUid
Please also advise if you compiled your own pam_ldap.so module or if you downloaded the one from afp548 – as the one on afp548 appears to be for linux os not os x…
I have created an installer package for squid with pam_auth, i have it here : http://www.twsl.co.nz/Squid-2.5.dmg.zip
Let me know if this helps.
Regards
Francois.
Thanks Francois, that worked!
JK
Thank you for this useful article. Very timely in fact as I have just started
looking into using Squid.
Is there any chance you could provide a pre-compiled distribution of Squid?
While I (along with all Mac OS X users) have access to the developer tools, I
don’t really want to install them on one of my live servers (on to which I do
want to install Squid).
I have created an installer for this. Until it is uploaded to the file section of afp548, please download from here : http://www.twsl.co.nz/Squid-2.5.dmg.zip
Regards
Francois.
You have installed the package compiled for 10.3 onto a machine running
10.4. I will update the installer package to be compatible with tiger server.
Until I get the file uploaded to afp548, you can download the Precompiled
binary installer for Tiger from
http://www.twsl.co.nz/Squid-2.5-Tiger.dmg.zip