Articles December 13, 2004 at 11:01 pm

Squid Server using LDAP authentication

Add more control to your Squid proxy server by adding LDAP authentication

Using plugable authentication modules and Open Directory you can easily limit who is able to surf the web.The following are the steps I used to install squid proxy server on an OS X.3.5 Open Directory server and enable Squid to use a group created in Workgroup Manager (named “internet”) in order to authenticate and authorize users, giving only users in that group access to the internet. Additionally, I have added the steps I followed to install Dansguardian which are very minimal since Dave Lopata (pkg maintainer) has created an installer package.

Steps to install Squid proxy Server on OS X:

  1. Download squid-2.5.STABLE6.
  2. Download the PAM source code.
  3. Extract the file, and copy the libpam/include/security directory to /usr/include/ directory.
  4. Configure, compile and install squid:
./configure -prefix=/usr/local/squid -enable-basic-auth-helpers=PAM
make
make install

  1. Create the startupitem for squid:
mkdir /Library/StartupItems/squid
cd /Library/StartupItems/squid

  1. Create a new file named StartupParameters.plist with the following contents:
{
Description = "Squid Proxy Server";
Provides = ("squid");
Requires = ("Resolver");
OrderPreference = "None";
Messages =
{
start = "Starting squid server";
stop = "Stopping squid server";
restart = "Restarting squid server";
};

  1. Create a new file named squid with the following contents:
#!/bin/bash

. /etc/rc.common

StartService ()
{
if [ ${SQUID:=-NO-} = -YES- ]; then
ConsoleMessage "Starting Squid Server"
/usr/local/squid/sbin/squid -D
fi
}

StopService ()
{
ConsoleMessage "Stopping Squid Server"
/usr/local/squid/sbin/squid -k kill
}

RestartService () { StopService; StartService; }

RunService "$1"

  1. Ensure the following permissions are set on the two files:
rwxr-xr-x StartupParameters.plist
rwxr-xr-x squid

Now Install PAM_LDAP module:

  1. Download the pam_ldap source code.

  2. Extract the file and change into the a directory

guntar -xzvf pam_ldap.tgz
cd pam_ldap-173

  1. Edit the file pam_auth.c

Find the section that starts with (around line 3670)

/* group auth, per Chris's pam_ldap_auth module */
if (session->conf->groupdn != NULL)
{
rc = ldap_compare_s (session->ld,
session->conf->groupdn,
session->conf->groupattr, session->info->userdn);

Change the last line (line number 3675) so that it looks like this:

/* group auth, per Chris's pam_ldap_auth module */
if (session->conf->groupdn != NULL)
{
rc = ldap_compare_s (session->ld,
session->conf->groupdn,
session->conf->groupattr, session->info->username);

  1. Now you will need to compile and install the pam_auth module.
./configure
make

Once you have completed the make, you will need to modify the Makefile in order for the install command to be executed correctly.

Edit the Makefile by looking for the 2 lines that look something like this:

$(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so.1
$(INSTALL_DATA) -o root -g root $(srcdir)/ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf;

Replace the word “root” in the above two lines with the number “0” (this is because the install command provided with OS X looks for a UID number not name) then save and exit the file and then run the “make” command.

make install

Now copy the pam_ldap files to the correct place for os x

cd /lib/security
mv * /usr/lib/pam/
cd ..
rm -rf lib/security

Change to the /etc directory, copy the ldap.conf file to ldap.squid.conf and modify the ldap.squid.conf to match your network settings, making sure the following at least are set:

host 127.0.0.1
base dc=your,dc=domain,dc=name
pam_groupdn cn=internet,cn=groups,dc=your,dc=domain,dc=name
pam_member_attribute memberUid

Create a file called “squid” in /etc/pam.d/ directory and insert the following:

#%PAM-1.0
auth required /usr/lib/pam/pam_ldap.so config=/etc/ldap.squid.conf
account required /usr/lib/pam/pam_ldap.so config=/etc/ldap.squid.conf

Now test that the pam_auth module works correctly.

/usr/local/squid/libexec/pam_auth

Enter a valid username and password (using a user that exists in the internet group you specified in the ldap.squid.conf file above).

If the authentication succeeds, you should be greeted with “OK”, if the username or password was incorrect or does not exists on the server, you will be greeted with “ERR”, if the username exists on the server but does not exists in the internet group you have specified, you will be greeted with “ERROR: Unexpected PAM conversation. ‘You must be a memberUid of cn=internet,cn=groups,dc=your,dc=domain,dc=name to login.’ ERR”

That’s all the configuration needed for pam_ldap authentication, now you will need to modify you /usr/local/squid/etc/squid.conf file to use the pam_auth for authentication).

Configuring Squid

  1. Edit your /usr/local/squid/etc/squid.conf to include at least the following:
auth_param basic program /usr/local/squid/libexec/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl password proxy_auth REQUIRED

http_access allow password

(and below it NOT above it in the config file)

http_access deny all

  1. That’s all the configuration required for squid. Now you will need to set proper permissions of the directories used by squid.
chown -R nobody /usr/local/squid/var

  1. Create the swap directories
/usr/local/etc/sbin/squid -z

  1. Now restart the squid service SystemStarter restart squid and point your browser to it and test..
  2. If you have problems, start squid in verbose mode /usr/local/squid/sbin/squid -D -d 3 and check the output for errors.

Installing Dansguardian on OS X server.

Download the Dansguardian OS X package.

Extract the tar file and install the dansguardian package.

All Dansguardian files are installed into the /opt/dansguardian directory.

Since I am running OS X.3.5 Server, it was neccessary to modify the startup/shutdown and restart script for dansguardian. Edit the /System/Library/StartupItems/dansguardian/dansguardian file so that it will use the dansguardian-10.3 binary instead of the link to the dansgaurdian-10.3 binary file. Before I changed this, I could not get the startup script to work..

Configure (you can download a great console from here http://www.lopata.net/filemgmt/) and start dansguardian as required.

No Comments

  • Has anyone else had a problem with this? After I download the pam_ldap
    source code, I do not see any file name pam_auth.c There is a pam_ldap.c
    that I make the same changes to instead but then when I get down to the
    testing the pam_auth module, nothing happens. It doens’t prompt me for a
    user name or password and in digging around, I have no idea why. Any
    suggestions out there?

    BTW: I’m running 10.3.7, and I downloaded Linux-PAM-0.77, pam_ldap-176,
    and squid-2.5.STABLE6 to set it all up.

    • Yes you are right, must have not put the correct file name in the text, the correct file is pam_ldap.c.

      When you are testing the pam_auth module, does the prompt return to you or does the program sit there waiting??
      ie your prompt should look something like:
      #PROMPT>/usr/local/squid/libexec/pam_auth
      username [space] password
      OK

      So, when you type the command pam_auth, the cursor should then move to the beginning of the next line, you then type in your username followed by a space then enter your password, then press enter. You should be greeted with OK if authorization was successful.

      You will need to CTRL-C to exit the pam_auth program.

      Let me know if that clears things up.

      If you think your pam_auth.so file may not be correct, you may download one from here https://www.afp548.com/filemgmt/visit.php?lid=11 which I have made the required changes to and compiled.

      Cheers
      Francois.

      • That does clear things up, thank you. I was looking for some kind of prompt,
        not just a blank space… In going with your suggestion – after typing in

        /usr/local/squid/libexec/pam_auth

        then typing my username and password, I am greeted with:

        ERROR: Unexpected PAM converstaion ‘3/You must be a 1033 of
        cn=internet,cn=groups,dc=domain,dc=com to login.’
        ERR

        1033 is the GroupID of the internet group (changed domain.com above to
        protect the innocent…) My username is a member of the internet group.

        Any other suggestion (besides not being in internet group) on why this
        message would come up?

        Thanks!
        JK

        • I would just check your /etc/ldap.squid.conf file for the
          pam_member_attribute, make sure it is assigned memberUid as this is what
          OS X open directory uses.

          • I believe they are fine. In the workgroup manager, I have created a group
            called internet and it has the ID of 1033. I put that same number in
            the ldap.squid.conf file.
            Screenshot of Workgroup Manager.
            Screenshot of ldap.squid.conf
            settings.

            Any other ideas???
            Let us know.
            Thanks!
            JK

          • fherbert

            The pam_member_attribute must be set to "memberUid" NOT "1033"

            So, the lines you have in /etc/ldap.squid.conf should include:

            pam_groupdn cn=internet,cn=groups,dc=your,dc=domain,dc=name
            pam_member_attribute memberUid

            Please also advise if you compiled your own pam_ldap.so module or if you downloaded the one from afp548 – as the one on afp548 appears to be for linux os not os x…

            I have created an installer package for squid with pam_auth, i have it here : http://www.twsl.co.nz/Squid-2.5.dmg.zip

            Let me know if this helps.

            Regards
            Francois.

          • Thanks Fancois, that worked!

            JK

  • Thank for for this useful article. Very timely in fact as I have just started
    looking into using Squid.

    Is there any chance you could provide a pre-compiled distribution of Squid?
    While I (along with all Mac OS X users) have access to the developer tools, I
    don’t really want to install them on one of my live servers (on to which I do
    want to install Squid).

  • Until I get the file uploaded to afp548, you can download the Precompiled
    binary installer for Tiger from
    http://www.twsl.co.nz/Squid-2.5-Tiger.dmg.zip

Leave a reply

You must be logged in to post a comment.