Thursday, December 20, 2007

Squid, LDAP and Active Directory

Below is procedure i used in integrating squid with OpenLDAP, and the Active Directory with the information gathered from numerous google searches, and various links from friends..

Integrating squid with LDAP ( I used OpenLDAP 2.3, on ubuntu 7.10 ) is quite straight-forward..
I used a squid 2.5 on a RHEL4 for this..

Below are the steps i followed..
1. Installing OpenLDAP.
I used the apt to install openldap server ( slapd )..which was quite easy..
I had below in my default configuration, which allows everyone to read from the LDAP db..,without requiring to authenticate.
access to *
by dn="cn=admin,dc=multios,dc=net" write
by * read
2. Installing PHP-LDAP-Admin
I believe it's possible to install PHPLDAPAdmin from apt..but i was too dumb not to check it there, i downloaded it directly from the site and configured it.. I only had to copy
config.php.example to config.php and put the below entries..Was not difficult at all..
$ldapservers->SetValue($i,'server','name','My LDAP Server');
You can put any name for 'My LDAP Server'. It's just a name so you can identify between multiple LDAP servers you can manage from PHPLDAPAdmin panel.
$ldapservers->SetValue($i,'server','host','127.0.0.1');
In my case the LDAP server was running on the same host as PHPLDAPAdmin, therefore the '127.0.0.1' is used.. To point it to a different host, you can simply put the host name-as long as the name resolution is working- or ip.
$ldapservers->SetValue($i,'server','port','389');
I think this is the standard LDAP port.. If your LDAP service is running on a different port only, you will have to change this.
$ldapservers->SetValue($i,'server','base',array('dc=multios,dc=net'));
Here you have to specify the base of your LDAP hierarchy.. This is what i preferred as mine..
Interesting articles i found are here and here.
$ldapservers->SetValue($i,'login','dn','cn=admin,dc=multios,dc=net');
This is the LDAP db administrator account..PHPLDAPAdmin use this, if you plan to update LDAP entries using PHPLDAPAdmin ( believe me, you'll need this.. )

You can even explore your active directory LDAP with this too.. Below is my configuration on PHPLDAPAdmin to work with a Active Directory.
$ldapservers->SetValue(2,'server','name','Active Directory');
$ldapservers->SetValue(2,'server','host','192.168.128.141');
$ldapservers->SetValue(2,'server','port','389');
$ldapservers->SetValue(2,'server','base',array('dc=msmgt,dc=local'));
$ldapservers->SetValue(2,'login','dn','cn=Administrator,cn=Users,dc=msmgt,dc=local');
Notice the "2" on each line...You have to assign different values for this, to each connection you configure on PHPLDAPAdmin. At the begining this is set to a "0". You can simply keep on increasing, as it works as some sort of an array -i think..

3. Configuring Squid to use OpenLDAP for authentication..
As i mentioned above, i used squid-2.5 on a RHEL4 box.. There was this "squid_ldap_auth" authentication helper module out of the box. The funny thing is i installed squid 2.6 on ubuntu from apt, and there's no such authenticator.. I searched around a lot, but had no luck finding the exact thing, but i found a lot of similar modules, which -sadly- did not work for me..

Below are the squid settings..
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "cn=Internet,dc=multios,dc=net" -f uid=%s lnx1.multios.net
This can be tested before actually putting on to the squid.conf in below way..
/usr/lib/squid/squid_ldap_auth -v 3 -b "cn=Internet,dc=multios,dc=net" -f uid=%s lnx1.multios.net
then you have to type a LDAP username and the associated password with a space in between.
If it prints "OK" to the terminal, you are set..Otherwise check the parameters with your setup..
-v - to use LDAP version 3
-b - is the search base. You have to make sure your useraccounts are below this level in the LDAP hierarchy, or else the authenticator will never see your accounts when it's querying the LDAP server.
-f - search filter. LDAP objects have lot of attributes on them. I used posixAccount as user accounts and i chose the "uid" attribute to be used as the username to authenticate with the proxy.. If you wish to use a different attribute you have to specify it here.. Leave =%s part intact, it tells the authenticator to match the user input with the uid.

If you configured your LDAP without allowing anonymous queries, then you will have to specify
-D and -w or -W with appropriate values, ( a username and the password that is allowed to query the LDAP database )

Took me a while to get it to work...but finally used "-v 3" which made it work. Quite helpful information was found from here.
Worked quite fine..

I wanted to have a web based interface, so that the users them selves can change their passwords..After a bit of googling around found this nice php program developed by Karyl F. Stein, which does exactly the same thing.. It is no longer maintained though, but it worked nicely for me..
This requires that you allow authenticated users to change their password on the LDAP. Below on the slapd.conf did it for me.
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=multios,dc=net" write
by anonymous auth
by self write
by * none
If i recall correctly, i didn't have to put it manually, it was on the default settings.

To configure phpLdapPasswd i had to make the below changes to the config.php
$LDAPSERVER = "ldap://lnx1.multios.net/";
$LDAPPORT = 389;
$LDAPBASEDN = "dc=multios,dc=net";
This program has a nice feature, if a user forgets the password, they can request a reset, and the new auto-generated password is e-mailed to them, provided that your users have their email address on the LDAP db.
You have to put the below settings on config.php to make it work, but i didn't test this yet.
Default attribute it searches is "mail", but if you want to change it, i believe you can set it from the config.php as below.
$RESETBINDDN = "cn=admin,dc=multios,dc=net";
$RESETBINDPW = "redhat";
$MAILATTRIBUTE = mail;
Finally i wanted to integrate squid with an Active Directory Server, so in a MS Windows environment, user/password information can be centrally handled from the domain controller it-self.
I believe there are two methods for this, or at least i have tried two methods successfully..

1. To use ldap,kerberos, smb-winbind, ntlm_auth
This method, i used some time back and was a little difficult to get it to work..
It depends on all the above components, and even the system times of the squid server and the Active Directory has to be the same, for this to work.. But i think, it's possible to achieve a single-sign-on setup for the proxy with this..
May be i'll post the steps i took for this on a separate post..

2. To use ldap, squid_ldap_auth
This method is quite straight-forward, and comparatively easier than the winbind method. All you have to do is put the below, in the squid.conf for auth_param
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=msmgt,dc=local" -D "cn=Administrator,cn=Users,dc=msmgt,dc=local" -w "vcs123" -f sAMAccountName=%s -h ad.multios.net
A very helpful guide is here.

-b as explained above is the search base. My Active Directory base was msmgt.local

-D is used to authenticate on to the LDAP as Active Directory LDAP service doesn't allow anonymous queries. I used the domain Administrator password, which is not advisable..You can simply create a user on Active Directory just for this..user doesn't need to have administrative privileges.

-w is the Active Directory Administrator password.. It is possible to put this on to a separate file and store the password there with -W, which i didn't try.

-f as above is the search filter "sAMAccountName" is an attribute under which the Active Directory login name is kept.

-h specifies the Active Directory hostname, ip should work here too..

All this worked quite nicely and comparatively easier with other methods..
I have yet to try out the helper module "squid_ldap_group" and the external_acls on squid..
I will be posting the findings later on, once i try that out..

till then, cheers..!

9 comments:

Carlos Gomez Gomez said...

http://www.karylstein.com/phpLdapPasswd link is down and I need phpLdapPasswd

can you share it to me?

Sorry my english

LNCTechnologies said...

I am configuring the config.php but do not understand what I have to comment out? I followed example to suit my set up. I have apache running and openldap with users. I am using fedora 8 on virtual pc. also, i have not figured out how to see phpldapadmin on web browser. If you can help I appriciate any assistance.

Yajith Ajantha said...

Sorry for the very delayed replies. I was expecting blogger to notify me from email, when someone comments.

@Carlos Gomez Gomez: I just checked the link, and it seems to be active now. Perhaps it was a temporary error when you tried it.

@LNCTechnologies: The example here i tried out on openldap running on ubuntu 7.10, but im sure the steps should be quite close if not exactly the same in setting up phpldapadmin. Just change the mentioned lines from the config.php and leave the rest with the default values.

On Fedora 8, to access phpldapadmin via the browser,
1. extract the files in to /var/www/html/phpldapadmin
2. make sure the httpd is running
service httpd status
3. You should be able to access the phpldapadmin by http://localhost/phpldapadmin

If you can give more details, i might be able to help more.

Please reach me at yajith@gmail.com ( yajith at gmail dot com ), because i don't seem to have the necessary settings for blogger to notify me when you comment.

Good luck.

Athanassios Bakalidis said...

Thank you so much for the posting. It has been very helpful. I am trying to make squid authenticate users from the company AD and thanks to you I am almost there.

Best regards

Yajith Ajantha said...

@Athanassios you are quite welcome and happy to hear that the post helped you..
you might already know this, that there is another method involving windind as i mentioned in the post. Its possible to achieve single sign-on level in that way i believe with the kerberos support. Did it sometime back, and i will put another post when i try it from scratch.

Marco B. said...

Hi, very useful article.
But now I have a problem.

I need to change a password for the same user (same UID) in more OU.

How can I implement this?

In the file functions.php there is a control if you insert an UID that there is more than one time.
So I comment that, but I'm not able to implement a right solution.

Could you please help me?

Thank you!

Yajith Ajantha said...

Hi,

It's not clear to me what you are trying to do. If you could explain it a bit more, i could look around for some solution..

Feel free to contact me over yajith@gmail.com

cheers..

Marco B. said...

You have mail...thx!!!

bytestyle12 said...

Fat-burning effect of coffee is well-known, but this extract weight loss properties were discovered not long ago. It helps the liver to metabolize body fats and reduce the glucose level in blood. This assists in reducing type 2 diabetes. People who have used this extract did not have to change their eating habits even although a healthy diet and normal exercises are essential for good health.best green coffee bean extract