Using Open Directory to authenticate Squid proxy
  • #358915
    fherbert
    Participant

    Let me first describe the network setup:
    1. Firewall(IPTables)/proxy(Squid)/content filter(Dansguardian) server running Fedora Core 1.

    2. OS X.3 Server on G5, running open directory to store users accounts (with password server).

    I want to be able to use the squid_ldap_auth module included with the squid package (default Fedora Core 1 install) to authenticate proxy users using the information from the OS X.3 server.

    I have managed to use ldapsearch to get information from the OS X.3 server using the following command:

    ldapsearch -x -b dc=my,dc=domain,dc=name -h osxserver.my.domain.name uid=username

    This command connects to the OS X server and returns information regarding the user whose username matches the “username” variable.

    I then try to run squid_ldap_auth in command line mode to test the connection using the following command:

    squid_ldap_auth -b cn=users,dc=my,dc=domain,dc=name osxserver.my.domain.name

    Regardless of the username and password combination, I cannot get the authentication to work – I always get ERR instead of OK.

    Just to check my parameters, I set up an OpenLDAP server on the Fedora box and tested squid_ldap_auth – it worked fine.

    Is this an issue with password server?? It would be extremely helpful if I could implement this feature.

    #358927
    fherbert
    Participant

    I’m not sure which LDAP CLI you mean – but I have used ldapsearch to authenticate to the OS X server using the following command:

    ldapsearch -x -D uid=validuser,cn=users,dc=my,dc=domain,dc=name -W -b dc=my,dc=domain,dc=name -h osxserver.my.domain.name uid=username

    This prompts me for an LDAP password for username “validuser”; the results of my search are then displayed (indicating that I have successfully authenticated to the OS X LDAP server).

    I have had a quick look at the PAM module for squid. Ideally I would like to be able to place internet users in an “internet” group on the OS X open directory and then only allow users in that group access to the internet through squid. I can’t see anywhere using the PAM module where I can set this up.

    I am still looking into the PAM module though, and have not managed to get it working yet; I’m not even sure I can use it to authenticate to a remote machine. I have created a file /etc/pamd.d/squid, but am not sure how I tell the module to use a remote server (osxserver.my.domain.name) for authentication. It currently only authenticates against local accounts.

    #358963
    fherbert
    Participant

    OK. So I have managed to get PAM working to authenticate using accounts from the OS X server. The only issue I have now is how to only allow access to the members of the internet group.

    #358965
    fherbert
    Participant

    Well… I have managed to sort out how to get pam_auth to authenticate using groups… in my /etc/ldap.conf file I have the following lines:

    # Group to enforce membership of
    pam_groupdn cn=internet,cn=groups,dc=test,dc=co,dc=nz

    # Group member attribute
    pam_member_attribute memberUid

    The only trouble is, the pam_auth module looks for the memberUid which matches the user's FULL DN, i.e. it is looking for uid=validuser,cn=users,dc=test,dc=co,dc=nz
    BUT Apple only has the uid, i.e. validuser.

    I can manually enter the full DN of the user into the OS X LDAP directory, but it would be nice if we can use the data created when you enter a user in a group using Workgroup Manager.

    Any ideas???

    #358966
    fherbert
    Participant

    Success!!!

    I have had to download and modify the source code of the pam_ldap.so module to make it use the username instead of the user's DN, then compiled the module.

    #359001
    fherbert
    Participant

    No worries, I have been keeping documentation of my progress. I have created a new article and submitted it.
    Any chance I could upload the modified pam_ldap.so file to this website for people to download and use if they want??

    #359926
    Anonymous
    Guest

    try this in your squid.conf:

    auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "cn=users,dc=example,dc=org" ldap.example.org

    and if you want to restrict it to members of a specific LDAP group, ldapusers in this example, place this in your ACL configuration:

    external_acl_type ldap_group %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "cn=groups,dc=example,dc=org" -f "(&(memberuid=%v)(cn=proxyusers))" -h ldap.example.org

    acl proxyusers external ldap_group proxyusers
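The thread touches three pieces of machinery without showing how they fit together: the basic-auth helper protocol that squid_ldap_auth speaks (first post), the external_acl_type group helper from the last reply, and the memberUid mismatch from the fourth post, where Workgroup Manager stores the short uid while pam_ldap expects the full DN. The following Python script is an added illustration written for this page; it is not squid_ldap_auth, squid_ldap_group or the poster's patched pam_ldap. It replays both Squid helper protocols against a small constructed in-memory directory (the DNs, users, passwords and group names are made up), and its group check accepts memberUid in either the short-uid or full-DN form so it works with what Apple writes.

```python
"""Toy Squid basic-auth and external-ACL group helpers, driven by an
in-memory directory instead of a real LDAP server (added example, not
squid_ldap_auth/squid_ldap_group themselves)."""
import sys
from urllib.parse import unquote

BASE_DN = "dc=example,dc=org"            # assumed suffix, as in the posts
USER_BASE = "cn=users," + BASE_DN
GROUP_BASE = "cn=groups," + BASE_DN

# Constructed sample directory: DN -> attributes. The "internet" group lists
# its member by short uid (what Workgroup Manager writes); "staff" lists the
# full DN (what pam_ldap's pam_member_attribute check expects).
DIRECTORY = {
    "uid=alice," + USER_BASE: {"uid": ["alice"], "userPassword": ["s3cret"]},
    "uid=bob," + USER_BASE: {"uid": ["bob"], "userPassword": ["hunter2"]},
    "cn=internet," + GROUP_BASE: {"cn": ["internet"], "memberUid": ["alice"]},
    "cn=staff," + GROUP_BASE: {"cn": ["staff"],
                               "memberUid": ["uid=bob," + USER_BASE]},
}


def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind. An empty password is refused
    explicitly: on a real server it would succeed as an anonymous bind."""
    entry = DIRECTORY.get(dn)
    return bool(entry and password and password in entry.get("userPassword", []))


def basic_auth_line(line):
    """squid_ldap_auth-style basic helper: 'user password' -> 'OK' / 'ERR'.
    Squid %-encodes both fields, so decode first. The bind DN is built the way
    squid_ldap_auth does with -b: uid=<user>,<base>."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = (unquote(p) for p in parts)
    if not user or any(c in user for c in ",=\\\x00"):
        return "ERR"  # refuse input that could alter the DN being built
    return "OK" if simple_bind(f"uid={user},{USER_BASE}", password) else "ERR"


def is_member(user, group):
    """Group membership via memberUid, accepting both the short uid that
    Workgroup Manager stores and the full DN that pam_ldap looks for."""
    entry = DIRECTORY.get(f"cn={group},{GROUP_BASE}")
    if not entry:
        return False
    full_dn = f"uid={user},{USER_BASE}".lower()
    return any(v.lower() in (user.lower(), full_dn)
               for v in entry.get("memberUid", []))


def group_acl_line(line):
    """external_acl_type helper with %LOGIN: Squid sends the login followed by
    the acl line's arguments (group names); reply OK if in any of them."""
    fields = [unquote(f) for f in line.strip().split()]
    if len(fields) < 2:
        return "ERR"
    user, groups = fields[0], fields[1:]
    return "OK" if any(is_member(user, g) for g in groups) else "ERR"


def serve(handler, stream_in, stream_out):
    """Helper main loop: one request line in, one reply line out, flushed."""
    for line in stream_in:
        stream_out.write(handler(line) + "\n")
        stream_out.flush()


if __name__ == "__main__":
    # Run with --group to act as the external ACL helper, otherwise as the
    # basic-auth helper; type 'alice s3cret' or 'alice internet' on stdin.
    serve(group_acl_line if "--group" in sys.argv else basic_auth_line,
          sys.stdin, sys.stdout)
```

The DN character check in basic_auth_line matters when a helper builds the bind DN by string concatenation, as squid_ldap_auth does with -b: without it, a login containing a comma could rewrite which entry the bind targets. In is_member the lenient match is the same idea the poster compiled into pam_ldap, only done in the helper rather than by patching the PAM module.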
