Below is the procedure I used to integrate Squid with OpenLDAP and with Active Directory, put together from information gathered from numerous Google searches and various links from friends.
Integrating Squid with LDAP (I used OpenLDAP 2.3 on Ubuntu 7.10) is quite straightforward.
I used Squid 2.5 on RHEL4 for this.
Below are the steps I followed.
1. Installing OpenLDAP.
I used apt to install the OpenLDAP server (slapd), which was quite easy.
I had the following in my default configuration, which allows everyone to read from the LDAP database without having to authenticate.
access to *
by dn="cn=admin,dc=multios,dc=net" write
by * read
2. Installing PHPLDAPAdmin
I believe it's possible to install PHPLDAPAdmin from apt, but I was too dumb to check there; I downloaded it directly from the site and configured it. I only had to copy
config.php.example to config.php and put in the entries below. It was not difficult at all.
$ldapservers->SetValue($i,'server','name','My LDAP Server');
You can put any name in place of 'My LDAP Server'. It is just a label so you can tell apart the multiple LDAP servers you manage from the PHPLDAPAdmin panel.
$ldapservers->SetValue($i,'server','host','127.0.0.1');
In my case the LDAP server was running on the same host as PHPLDAPAdmin, hence '127.0.0.1'. To point it at a different host, simply put the host name (as long as name resolution works) or the IP address.
$ldapservers->SetValue($i,'server','port','389');
This is the standard LDAP port. If your LDAP service runs on a different port, you will have to change this.
$ldapservers->SetValue($i,'server','base',array('dc=multios,dc=net'));
Here you specify the base of your LDAP hierarchy. This is what I chose for mine.
Interesting articles I found are here and here.
$ldapservers->SetValue($i,'login','dn','cn=admin,dc=multios,dc=net');
This is the LDAP database administrator account. PHPLDAPAdmin uses it if you plan to update LDAP entries through PHPLDAPAdmin (believe me, you'll need this).
You can explore your Active Directory LDAP with it too. Below is my PHPLDAPAdmin configuration for working with an Active Directory.
$ldapservers->SetValue(2,'server','name','Active Directory');
$ldapservers->SetValue(2,'server','host','192.168.128.141');
$ldapservers->SetValue(2,'server','port','389');
$ldapservers->SetValue(2,'server','base',array('dc=msmgt,dc=local'));
$ldapservers->SetValue(2,'login','dn','cn=Administrator,cn=Users,dc=msmgt,dc=local');
Notice the "2" on each line. You have to assign a different value to each connection you configure in PHPLDAPAdmin. At the beginning this is set to "0". You can simply keep incrementing it, as it works as some sort of an array, I think.
3. Configuring Squid to use OpenLDAP for authentication.
As I mentioned above, I used Squid 2.5 on an RHEL4 box. The "squid_ldap_auth" authentication helper was available out of the box. The funny thing is that I installed Squid 2.6 on Ubuntu from apt, and there is no such authenticator. I searched around a lot but had no luck finding the exact thing; I found a lot of similar modules, which sadly did not work for me.
Below are the Squid settings.
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "cn=Internet,dc=multios,dc=net" -f uid=%s lnx1.multios.net
This can be tested before actually putting it into squid.conf, in the following way.
/usr/lib/squid/squid_ldap_auth -v 3 -b "cn=Internet,dc=multios,dc=net" -f uid=%s lnx1.multios.net
Then type an LDAP username and the associated password, separated by a space.
If it prints "OK" to the terminal, you are set. Otherwise check the parameters against your setup.
-v - use LDAP protocol version 3.
-b - the search base. Make sure your user accounts are below this level in the LDAP hierarchy, or else the authenticator will never see your accounts when it queries the LDAP server.
-f - the search filter. LDAP objects have a lot of attributes. I used posixAccount entries as user accounts and chose the "uid" attribute as the username to authenticate with the proxy. If you wish to use a different attribute, specify it here. Leave the =%s part intact; it tells the authenticator to substitute the user input for %s and match it against uid.
If you configured your LDAP server not to allow anonymous queries, then you will have to specify
-D and -w or -W with appropriate values (a bind DN and the password of an account that is allowed to query the LDAP database).
It took me a while to get it to work, but finally using "-v 3" made it work. Quite helpful information was found here.
It worked quite fine.
I wanted a web-based interface so that users themselves can change their passwords. After a bit of googling around I found this nice PHP program, developed by Karyl F. Stein, which does exactly that. It is no longer maintained, but it worked nicely for me.
This requires that you allow authenticated users to change their own password in LDAP. The following in slapd.conf did it for me.
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=multios,dc=net" write
by anonymous auth
by self write
by * none
If I recall correctly, I didn't have to add it manually; it was in the default settings.
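As an added illustration (not part of the original post, and not OpenLDAP code), the Python below models how slapd evaluates the two access directives shown in this post: the first "access to" whose target covers the attribute is selected, and within it the first "by" clause matching the requester decides, with a granted level implying every weaker one and no match meaning denied. The DNs for the user entries are constructed, and "by dn=..." is treated as an exact DN match for the toy. It also shows why the userPassword directive must come before "access to *" in slapd.conf: with the order reversed, the catch-all grants everyone read first and the password attribute becomes world-readable.

```python
"""Toy first-match evaluator for slapd.conf "access to ... by ..." directives.

Added example: not from the original post and not OpenLDAP code. It models the
slapd rules relied on here: the first "access to" whose target covers the
attribute is selected, within it the first "by" clause matching the requester
decides, a granted level implies every weaker level, and no match means denied.
The "dn=" clause is treated as an exact DN match (assumption for this toy).
"""

# slapd access levels from weakest to strongest; "auth" is enough to bind.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two directives from the post, in the order slapd needs them:
# the attribute-specific one first, the catch-all "access to *" last.
ACL = [
    {"attrs": {"userPassword", "shadowLastChange"},
     "by": [("dn", "cn=admin,dc=multios,dc=net", "write"),
            ("anonymous", None, "auth"),
            ("self", None, "write"),
            ("*", None, "none")]},
    {"attrs": None,  # access to *
     "by": [("dn", "cn=admin,dc=multios,dc=net", "write"),
            ("*", None, "read")]},
]


def level_covers(granted: str, wanted: str) -> bool:
    """A granted level implies all weaker ones (write implies read, etc.)."""
    return LEVELS.index(granted) >= LEVELS.index(wanted)


def clause_matches(who: str, arg, requester, target_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who == "dn":
        return requester is not None and requester.lower() == arg.lower()
    return False


def allowed(acl, requester, target_dn: str, attr: str, wanted: str) -> bool:
    """Decide whether requester gets `wanted` access to attr of target_dn."""
    for directive in acl:
        if directive["attrs"] is not None and attr not in directive["attrs"]:
            continue  # this directive does not cover the attribute
        for who, arg, level in directive["by"]:
            if clause_matches(who, arg, requester, target_dn):
                return level_covers(level, wanted)
        return False  # directive selected, but no "by" clause matched
    return False  # nothing covered the attribute


def password_exposure(acl) -> dict:
    """Summary for a constructed user entry: who can read or change its password."""
    user = "uid=bob,cn=Internet,dc=multios,dc=net"   # constructed DN
    other = "uid=eve,cn=Internet,dc=multios,dc=net"  # constructed DN
    return {
        "anonymous_can_bind": allowed(acl, None, user, "userPassword", "auth"),
        "anonymous_can_read": allowed(acl, None, user, "userPassword", "read"),
        "self_can_change": allowed(acl, user, user, "userPassword", "write"),
        "other_user_can_read": allowed(acl, other, user, "userPassword", "read"),
        "anonymous_can_read_uid": allowed(acl, None, user, "uid", "read"),
    }


if __name__ == "__main__":
    print("correct order:", password_exposure(ACL))
    print("reversed order:", password_exposure(list(reversed(ACL))))
```

Running it prints the two summaries; the reversed-order one is the configuration to look for when reviewing a slapd.conf whose "access to *" line sits above the attribute-specific rules.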
To configure phpLdapPasswd I had to make the changes below to config.php.
$LDAPSERVER = "ldap://lnx1.multios.net/";
$LDAPPORT = 389;
$LDAPBASEDN = "dc=multios,dc=net";
This program has a nice feature: if a user forgets the password, they can request a reset, and a new auto-generated password is e-mailed to them, provided your users have their e-mail address in the LDAP database.
You have to put the settings below in config.php to make it work, but I haven't tested this yet.
The default attribute it searches is "mail", but if you want to change it, I believe you can set it in config.php as below.
$RESETBINDDN = "cn=admin,dc=multios,dc=net";
$RESETBINDPW = "redhat";
$MAILATTRIBUTE = "mail"; // attribute name must be a quoted string in PHP
Finally I wanted to integrate Squid with an Active Directory server, so that in an MS Windows environment user/password information can be handled centrally from the domain controller itself.
I believe there are two methods for this, or at least I have tried two methods successfully.
1. Using LDAP, Kerberos, smb-winbind and ntlm_auth
I used this method some time back, and it was a little difficult to get working.
It depends on all of the above components, and even the system clocks of the Squid server and the Active Directory server have to agree for this to work. But I think it's possible to achieve a single-sign-on setup for the proxy with this.
Maybe I'll post the steps I took for this in a separate post.
2. Using LDAP and squid_ldap_auth
This method is quite straightforward and comparatively easier than the winbind method. All you have to do is put the following auth_param line in squid.conf.
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=msmgt,dc=local" -D "cn=Administrator,cn=Users,dc=msmgt,dc=local" -w "vcs123" -f sAMAccountName=%s -h ad.multios.net
A very helpful guide is here.
-b, as explained above, is the search base. My Active Directory base was msmgt.local.
-D is used to authenticate to LDAP, as the Active Directory LDAP service doesn't allow anonymous queries. I used the domain Administrator account, which is not advisable; you can simply create a user in Active Directory just for this. The user doesn't need administrative privileges.
-w is the Active Directory Administrator password. It is possible to put the password in a separate file and point to it with -W, which I didn't try.
-f, as above, is the search filter. "sAMAccountName" is the attribute in which the Active Directory login name is kept.
-h specifies the Active Directory hostname; an IP address should work here too.
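The following Python is an added example, not material from the original post and not Squid's squid_ldap_auth source. It acts as a Squid basic-auth helper that reproduces the search-then-bind flow the -b and -f options describe, for both the OpenLDAP case above (uid=%s) and the Active Directory case (sAMAccountName=%s), against a small in-memory directory of constructed sample entries so it runs offline (the -D/-w account that Active Directory needs for the search itself is not modelled; the toy directory answers searches openly). It assumes Squid hands basic helpers one "user password" line per request with both fields URL-escaped. The filter-value escaping and the empty-password check are the two details worth copying when writing or reviewing a real helper.

```python
"""Stand-in Squid basic-auth helper mirroring squid_ldap_auth's search-then-bind.

Added example: not from the original post and not Squid's own code. The
directory below is constructed sample data so the script runs offline.
Assumption: Squid sends one "user password" line per request, both fields
URL-escaped (rfc1738), so a space inside either field arrives as %20.
"""
import hmac
import re
import sys
from urllib.parse import unquote

# Constructed sample directory: DN -> attributes. Not real accounts.
DIRECTORY = {
    "uid=alice,cn=Internet,dc=multios,dc=net":
        {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,cn=Staff,dc=multios,dc=net":
        {"uid": "bob", "userPassword": "hunter2"},
    "cn=Alice Jones,cn=Users,dc=msmgt,dc=local":
        {"sAMAccountName": "alice", "userPassword": "winpass"},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value placed into a filter.

    Without it a login name such as '*' would become filter syntax rather
    than a literal value, widening the search."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def decode_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, as a directory server does before comparing."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template: str, user: str) -> str:
    """Substitute the login name into the -f template, e.g. 'uid=%s'."""
    return template.replace("%s", escape_filter_value(user))


def search(base: str, ldap_filter: str) -> list:
    """Subtree search below the -b base; supports only 'attr=value' and 'attr=*'."""
    attr, _, raw = ldap_filter.partition("=")
    presence = raw == "*"              # an unescaped '*' is a wildcard
    wanted = decode_filter_value(raw)  # '\\2a' becomes a literal '*'
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and attr in attrs and (presence or attrs[attr] == wanted)]


def bind(dn: str, password: str) -> bool:
    """Simple bind as dn. An empty password is refused: in real LDAP it would
    succeed as an anonymous bind (RFC 4513 section 5.1.2), which a naive
    helper would then report as OK."""
    entry = DIRECTORY.get(dn)
    if entry is None or password == "":
        return False
    return hmac.compare_digest(entry["userPassword"].encode(), password.encode())


def authenticate(base: str, template: str, user: str, password: str) -> bool:
    """The squid_ldap_auth flow: find exactly one entry, then bind as it."""
    matches = search(base, build_filter(template, user))
    if len(matches) != 1:
        return False
    return bind(matches[0], password)


def handle_line(line: str, base: str, template: str) -> str:
    """Turn one helper request line into the OK/ERR reply Squid expects."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = (unquote(p) for p in parts)
    return "OK" if authenticate(base, template, user, password) else "ERR"


def main(argv: list) -> None:
    """Usage: helper.py <search base> <filter template>; reads requests on stdin."""
    base, template = argv[1], argv[2]
    for line in sys.stdin:
        print(handle_line(line, base, template), flush=True)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 helper.py "cn=Internet,dc=multios,dc=net" "uid=%s"` and type `alice s3cret` to get OK, exactly the manual test described for the real helper; typing `bob hunter2` gives ERR because bob's entry sits outside the search base, which is the -b mistake the post warns about.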
All this worked quite nicely and was comparatively easier than the other methods.
I have yet to try out the "squid_ldap_group" helper and external ACLs in Squid.
I will post my findings once I try them out.
Till then, cheers!