My last post was about Squid proxy authentication using ncsa_auth helper. This time I will show you how to configure squid for LDAP authentication.
The Lightweight Directory Access Protocol, (LDAP) is a networking protocol for querying and modifying directory services running over TCP/IP.
LDAP server (such as OpenLDAP or others) uses the Lightweight Directory Access Protocol. In order to use Squid LDAP authentication you need to tell which program to use with the auth_param option in squid.conf. You specify the name of the program, plus command line options.
Squid comes with squid_ldap_auth helper. This helper allows Squid to connect to a LDAP directory to validate the user name and password of Basic HTTP authentication. This helper is located at /usr/local/squid/libexec/ or /usr/lib/squid or /usr/lib64/squid/ directory.
Step # 1: Make sure squid can talk to LDAP server
Before configuring makes sure that the squid is working with LDAP auth. Type the following command:
# /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s" ldap.nixcraft.com
Once you hit enter key you need to provide UID and password using following format:
USERID blankspace PASSWORD
If it was able to connect to LDAP server you will see “ok“.
Step # 2: Configuration
Open your squid.conf file:
# vi /etc/squid/squid.conf
Next you need to add following code which specifies the base DN under where your users are located and the LDAP server name.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s" -h ldap.nixcraft.com
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
http_access deny all
Save and close the file. Restart Squid to take effect.
# /etc/init.d/squid restart
Zimbra LDAP With Squid
You need to use it as follows
/usr/lib/squid/squid_ldap_auth -v 3 -b dc=zimbra,dc=example,dc=com -f "(&(uid=%s)(objectClass=zimbraAccount))" -h zimbra.example.com
Squid authentication against Microsoft’s Active Directory
I have not used group_ldap_auth helper against Microsoft’s Active Directory. But someone (user) pointed out the following solution. Add following configuration directive to squid.conf:
ldap_auth_program /usr/lib/squid/group_ldap_auth -b dc=my-domain,dc=de -h \ server.my-domain.de -p 636 -g distinguishedName -d CN=lookup,OU=Services,\ OU=Users,DC=my-domain,DC=de -w lookup -u cn -m member -o group -S -l \ /var/log/squid/ldaplog acl ldap_backoffice ldap_auth static 'CN=BackOffice,OU=Groups,dc=my-domain,dc=de' acl ldap_management ldap_auth static 'CN=Management,OU=Groups,dc=my-domain,dc=de' acl ldap_it-service ldap_auth static 'CN=IT-Service,OU=Groups,dc=my-domain,dc=de' acl ldap_development ldap_auth static 'CN=DEVELOPMENT,OU=Groups,dc=my-domain,dc=de' http_access allow ldap_development http_access allow ldap_backoffice http_access allow ldap_management http_access allow ldap_it-service http_access deny all
- man squid_ldap_auth
- man group_ldap_auth