Configure squid for LDAP authentication using squid_ldap_auth helper

My last post was about Squid proxy authentication using the ncsa_auth helper. This time I will show you how to configure Squid for LDAP authentication.

The Lightweight Directory Access Protocol (LDAP) is a network protocol for querying and modifying directory services over TCP/IP.

An LDAP server (OpenLDAP, Active Directory and others) speaks this protocol. To make Squid authenticate against it, you tell Squid which helper program to run with the auth_param option in squid.conf: the path to the helper plus its command line options.

Squid ships with the squid_ldap_auth helper (renamed basic_ldap_auth in Squid 3.2 and later). It lets Squid validate the user name and password of HTTP Basic authentication against an LDAP directory. Depending on your distribution it lives in /usr/local/squid/libexec/, /usr/lib/squid or /usr/lib64/squid/.

Step # 1: Make sure squid can talk to LDAP server

Before editing squid.conf, make sure the helper on its own can authenticate a user against your LDAP server. Run it by hand with the base DN under which your users live (-b) and a search filter (-f) in which %s is replaced by the login name; without -h it connects to an LDAP server on localhost:
# /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s"

The helper then waits on standard input. Type one line per login attempt in the same format Squid will use, the user name and the password separated by a single space:
username password

If the user was found under the base DN and a bind as that entry with the given password succeeded, the helper prints OK; otherwise it prints ERR, often followed by a reason. Press Ctrl-D to quit.

Step # 2: Configuration

Open your squid.conf file:
# vi /etc/squid/squid.conf

Next add the following lines. They tell Squid which helper to run, the base DN under which your users are located (-b), the search filter (-f) and, after -h, the name of your LDAP server (the host name is missing from the line as reproduced here; append your own). The ACL then requires a valid login for every request:
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s" -h
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
http_access deny all

A few options are worth adding to the auth_param line in production: -v 3 (the helper defaults to LDAP protocol version 2, which many servers no longer accept), -Z to use StartTLS or -H ldaps://server to use LDAPS so the user's password does not cross the network in the clear on its way to the directory, and, if your directory does not allow anonymous searches, a bind account given as -D binddn with its password read from a root-only file via -W /path/to/secret rather than -w password on the command line, where every local user can read it from the process list. Keep in mind that HTTP Basic authentication itself only base64-encodes the credentials between browser and proxy; anyone on that path can read them.

Save and close the file. Run squid -k parse to catch typos, then restart Squid (or squid -k reconfigure, which keeps existing connections) for the change to take effect:
# /etc/init.d/squid restart
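The handshake tested in Step 1 and wired up in Step 2, as an added example that is not part of the original post or of Squid: a Python model of what squid_ldap_auth does with each input line (URL-decode the fields, refuse empty passwords, expand and escape the -f filter, search the base DN, then bind as the entry found). The directory is an in-memory dict with constructed sample accounts; ldap_filter_escape, search, bind and authenticate are this example's own names.

```python
"""
Added example, not Squid's own code: a model of the squid_ldap_auth
handshake. Squid hands a Basic-auth helper one line per login on stdin,
"username password", and reads back "OK" or "ERR [reason]". Like the real
helper, this one first searches the base DN with the -f filter (%s replaced
by the login name) and then tries to bind as the entry it found using the
supplied password. An in-memory dict stands in for the LDAP server; the
entries below are constructed sample data, not real accounts.
"""
import hmac
import re
import sys
from urllib.parse import unquote

# Constructed sample directory: DN -> attributes. Real OpenLDAP stores hashed
# userPassword values and checks them itself during the bind; here a plain
# string stands in for that check.
DIRECTORY = {
    "uid=alice,ou=people,dc=nixcraft,dc=com": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=nixcraft,dc=com": {"uid": "bob", "userPassword": "hunt er2"},
}
BASE_DN = "dc=nixcraft,dc=com"
FILTER_TEMPLATE = "uid=%s"  # the -f value used in the article


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value that goes into a search filter. Without
    it a login name such as '*' turns 'uid=%s' into a filter that matches
    every account; the real helper escapes %s for the same reason."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(template, username):
    """Expand the -f template the way the helper does, with escaping."""
    return template.replace("%s", ldap_filter_escape(username))


def assertion_to_regex(value):
    """Turn a filter assertion value into a regex: a raw '*' is a wildcard,
    a '\\xx' hex escape is the literal character it encodes."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def search(base_dn, ldap_filter):
    """Toy subtree search for the single equality filters used on this page
    (e.g. uid=alice). Returns the DNs of matching entries."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    pattern = re.compile(assertion_to_regex(value))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower())
            and attr in attrs and pattern.match(attrs[attr])]


def bind(dn, password):
    """Simple bind: succeeds only for a known DN with the right password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(
        entry["userPassword"].encode(), password.encode())


def authenticate(line, base_dn=BASE_DN, template=FILTER_TEMPLATE):
    """Handle one helper input line and return the reply Squid expects."""
    fields = line.rstrip("\n").split(" ", 1)
    if len(fields) != 2:
        return "ERR missing password"
    # Squid URL-encodes both fields before handing them over, so a space in
    # a password arrives as %20; the real helper unescapes them as well.
    user, password = unquote(fields[0]), unquote(fields[1])
    # An empty password must be refused here: many LDAP servers treat a bind
    # with a DN and no password as an anonymous bind, which would succeed.
    if not user or not password:
        return "ERR empty user name or password"
    matches = search(base_dn, build_filter(template, user))
    if len(matches) != 1:
        return "ERR user not found"
    return "OK" if bind(matches[0], password) else "ERR bad password"


if __name__ == "__main__":
    # Same loop as the real helper: one reply per input line, flushed at once.
    for line in sys.stdin:
        print(authenticate(line), flush=True)
```

Run it as python3 ldap_auth_model.py and type alice s3cret to see OK, or pipe a line in the way Squid would. A login name of * is turned into the filter uid=\2a and finds nothing, whereas the unescaped filter uid=* would match every account; that escaping step is what keeps a crafted user name from widening the search.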

Zimbra LDAP With Squid

Zimbra keeps its accounts in its own OpenLDAP directory. Point the helper at that directory (the server name belongs after -h) and restrict the search to zimbraAccount objects with a compound filter. Note the -v 3: the helper defaults to LDAP protocol version 2, which Zimbra's server rejects (readers below report the same for other servers):
/usr/lib/squid/squid_ldap_auth -v 3 -b dc=zimbra,dc=example,dc=com -f "(&(uid=%s)(objectClass=zimbraAccount))" -h

Squid authentication against Microsoft’s Active Directory

I have not used the group_ldap_auth helper against Microsoft's Active Directory myself, but a reader contributed the following solution. Note that ldap_auth_program and the ldap_auth ACL type are not directives of a stock Squid build; they come from a third-party patch. Stock Squid maps an LDAP group to an ACL with external_acl_type and the squid_ldap_group helper. Also, the bind password is given on the command line here (-w lookup), where any local user can read it from the process list; the stock helpers read it from a file with -W instead. The LDAP server name after -h is missing from the snippet as reproduced. Add the following to squid.conf:

ldap_auth_program /usr/lib/squid/group_ldap_auth -b dc=my-domain,dc=de -h \
    -p 636 -g distinguishedName -d CN=lookup,OU=Services,OU=Users,DC=my-domain,DC=de \
    -w lookup -u cn -m member -o group -S -l

acl ldap_backoffice ldap_auth static 'CN=BackOffice,OU=Groups,dc=my-domain,dc=de'
acl ldap_management ldap_auth static 'CN=Management,OU=Groups,dc=my-domain,dc=de'
acl ldap_it-service ldap_auth static 'CN=IT-Service,OU=Groups,dc=my-domain,dc=de'
acl ldap_development ldap_auth static 'CN=DEVELOPMENT,OU=Groups,dc=my-domain,dc=de'

http_access allow ldap_development
http_access allow ldap_backoffice
http_access allow ldap_management
http_access allow ldap_it-service
http_access deny all
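For the Active Directory case, the group lookup that stock Squid performs with external_acl_type and squid_ldap_group, as an added example that is neither the contributed configuration above, Squid's own helper, nor the patch that provides ldap_auth_program: a Python model of the external ACL helper protocol (one "user group1 group2 ..." line in, OK or ERR out), including the login normalisation that -S and -K perform and the case-insensitive DN comparison Active Directory needs. The directory contents, the dc.my-domain.de host name in the docstring and the function names are this example's own assumptions.

```python
r"""
Added example, not Squid's own code: a model of the external ACL helper
stock Squid uses for LDAP/AD group checks (squid_ldap_group, called
ext_ldap_group_acl in Squid 3.2 and later). Squid sends one line per
lookup, "user group1 group2 ...", where the groups are the arguments of the
acl line, and reads back OK if the user is a member of any of them, else
ERR. The directory below is constructed sample data. The squid.conf lines
this helper stands in for look like this (dc.my-domain.de is a placeholder
for your domain controller):

  external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -S \
      -b "dc=my-domain,dc=de" -h dc.my-domain.de \
      -D "CN=lookup,OU=Services,OU=Users,DC=my-domain,DC=de" -W /etc/squid/ldap.secret \
      -f "(&(objectClass=person)(sAMAccountName=%v)(memberOf=%g))"
  acl ldap_backoffice external ldap_group CN=BackOffice,OU=Groups,dc=my-domain,dc=de
  http_access allow ldap_backoffice
"""
import sys
from urllib.parse import unquote

# Constructed sample data: sAMAccountName -> memberOf values, as AD returns them.
DIRECTORY = {
    "alice": ["CN=BackOffice,OU=Groups,DC=my-domain,DC=de"],
    "bob": ["CN=IT-Service,OU=Groups,DC=my-domain,DC=de",
            "CN=Domain Users,CN=Users,DC=my-domain,DC=de"],
    "carol": [],
}


def normalize_login(login, strip_domain=True, strip_realm=True):
    r"""What -S (strip NT domain) and -K (strip Kerberos realm) do: browsers
    may send MY-DOMAIN\bob or bob@MY-DOMAIN.DE, while AD stores just 'bob'."""
    if strip_domain:
        for sep in ("\\", "/"):
            if sep in login:
                login = login.rsplit(sep, 1)[1]
    if strip_realm and "@" in login:
        login = login.split("@", 1)[0]
    return login


def normalize_dn(dn):
    """AD compares DNs case-insensitively and ignores whitespace around the
    commas, so compare a canonical form rather than the raw strings."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_member(login, group_dns):
    """True if the user's memberOf attribute lists any of the requested groups."""
    groups = DIRECTORY.get(login)
    if groups is None:          # unknown account: never grant by accident
        return False
    wanted = {normalize_dn(g) for g in group_dns}
    return any(normalize_dn(g) in wanted for g in groups)


def handle_line(line):
    """One external ACL request. Squid URL-encodes each field (quote=url, the
    default), so a group such as 'CN=Domain Users,...' arrives as
    CN=Domain%20Users,... and splitting on whitespace is safe."""
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:         # no user, or no group named on the acl line
        return "ERR"
    user, groups = normalize_login(fields[0]), fields[1:]
    return "OK" if is_member(user, groups) else "ERR"


if __name__ == "__main__":
    for line in sys.stdin:
        print(handle_line(line), flush=True)
```

Feed it echo 'alice CN=BackOffice,OU=Groups,DC=my-domain,DC=de' to see OK; the same line with carol prints ERR. With the real helper, each acl line may list several group DNs and Squid grants the ACL when the user is in any of them, so one external_acl_type definition serves all four groups of the configuration above.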

Further readings

  • man squid_ldap_auth
  • man squid_ldap_group
  • man group_ldap_auth

18 comments
  • tt binda Mar 27, 2008 @ 10:33

    Hey! If you have any problem, start by trying -v 3 instead of LDAP version 2.
    I was able to bind to my LDAP server because of this.
    This is a good start to try:
    # /usr/lib/squid/ldap_auth -b "dc=mydc" -D cn=admin,dc=mydc -w passwd -H ldap://ldapserver -v 3 -f "uid=%s"

    When you have typed the name and password you must see
    OK. Be sure to type the name and password separated by a blank.

    • Manoranjan Apr 27, 2011 @ 11:29

      Thanks a ton, bro... mine started working with -v 3:
      auth_param basic program /usr/lib64/squid/squid_ldap_auth -b dc=MYDOM -D cn=root,dc=MYDOM -w password -H ldap:// -v 3 -f uid=%s

  • Deepak Mar 31, 2008 @ 5:13

    If I configured Active Directory LDAP with Squid for authentication, how can I block internet access per user? I want to block internet access per user.

  • John J. Martinez Dec 13, 2008 @ 20:46

    Thank you very much!!
    Many thanks!!

  • Paul Dec 15, 2008 @ 10:04

    Excellent! I also had to specify version 3 before my query would work. Thanks.

  • rajkumar Dec 16, 2008 @ 14:39

    Hi Friends,

    This is the first time I'm posting a query. I need help configuring a Squid proxy server, i.e. I want to block URLs and downloads per user, not per IP address: when I open IE, Firefox or Opera it has to ask for a username and password, and permission is granted according to the user. Any user can log in on any system, but the proxy has to block according to their username and password. I need the Squid proxy restricted by user, not by IP address. Please try to solve my problem by sending me the configuration method. Thank you, friends.

  • eder Dec 22, 2008 @ 14:21

    I’m trying to auth against zimbra with this command :

    /usr/lib64/squid/squid_ldap_auth -v 3 -b dc=zimbra,dc=mydomain,dc=com,dc=br -f "(&(uid=%s)(objectClass=zimbraAccount))" -h

    after inserting user pass and user@domain I get this answer.

    squid_ldap_auth: WARNING, LDAP search error 'No such object'
    ERR Success

    could you help me, please?

  • Zied Fakhfakh May 19, 2009 @ 7:21

    I got this error too,

    and I'm pretty sure it's a permission issue, as the LDAP server won't let you see (read) the userPassword attribute.

    Should we create a squid user on ldap, give him the permission to read userPassword and uid ?

    any idea is welcome,

  • Deiveegan.S Sep 19, 2009 @ 6:09

    Hello sir,

    How do I configure LDAP on Red Hat Linux 5.3, and then how do I make a centralized login for Windows and Linux? Here we have a NAS store, a Linux mail server, Squid and one Windows client. The user should log in with one username and password to all of the systems above. Please give me your suggestions and a tutorial on how to do it, and which flavor is essential for LDAP, Fedora or Red Hat Linux.

    Thanking you,

    With regards,
    SASTRA University,
    Mobile: 09843015235

  • Niraj M. Vara Sep 24, 2009 @ 5:27

    This is working perfectly for Squid LDAP authentication. My query is whether we have any Perl or CGI script which can change users' passwords from anywhere.

  • khaled Jan 10, 2010 @ 10:23

    I can't bind to the Zimbra server with PHP. What must I do?

  • cristian Jan 18, 2010 @ 16:52

    Is it possible to set up Squid with Zimbra with enable/disable user support only for internet access?

  • Markus Jul 12, 2011 @ 21:37

    Hello everyone,

    please consider the following line in squid.conf if you try to authenticate against an LDAP server:
    auth_param basic utf8 on

    If the browser authentication is transmitted in ISO 8859-1 (Western Europe) and LDAP only understands UTF-8, some characters will not be correctly sent to and interpreted by the LDAP server.
    Add the line and give it a try...

    with kind regards

    Markus (Germany)

  • Sagar Jul 23, 2011 @ 13:12

    While trying to communicate with the LDAP server, I am getting an ERR.

    /usr/local/squid/libexec/squid_ldap_auth -b o=xyz,c=IN -D cn=Manager,o=xyz,c=IN -w adDs7w543FDsf -h
    Where are we going wrong? However, we are able to telnet to the LDAP server on the prescribed port.
    Can anyone help with this?

  • Rodrigo Aug 6, 2012 @ 17:15

    Hello !
    With your ldap_auth doc it is working.
    I got my users logged in with auth.
    It's a very good tip.

  • srinivas Apr 29, 2013 @ 11:48

    this authentication process is working fine.

    Can you please tell me how I can block a site for specific users?

    • srinivas Apr 29, 2013 @ 14:03

      Now it is working, by using the lines below:

      acl blockusers proxy_auth "/usr/local/etc/blockusers"
      acl badsite dstdomain
      http_access deny blockusers badsite

      I entered some users from LDAP into /usr/local/etc/blockusers

  • zahadom Jun 3, 2013 @ 11:50

    Very good job!!
