From my experience.
1. First of all, install Squid 2.5.
2. For authentication, you should use
squid_ldap_auth, as told by other
people in this list.
3. Next, you want to verify if the user
that is authenticated by squid_ldap_auth
is authorised to retrieve the home page.
For that you should use squid_ldap_group.
4. Read the man pages for squid_ldap_auth and
squid_ldap_group.
After all, let's see an example:
1) Configuring OpenLDAP.
You should go to /etc/openldap and edit both
slapd.conf and ldap.conf; I am using OpenLDAP
version 2.1.16, from Conectiva Linux 9, and I
have all my users under ou=Users,o=Company;
all my groups are under ou=Groups,o=Company.
------ slapd.conf -------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
TLSCertificateFile /etc/openldap/ssl/dummy.crt
TLSCertificateKeyFile /etc/openldap/ssl/dummy.key
allow bind_v2
database bdb
suffix "o=Company"
rootdn "cn=admin,o=Company"
rootpw {MD5}asdjfadjasja==
directory /var/lib/openldap-data
index cn,sn,uid,rid pres,eq
index objectClass,uidNumber,gidNumber,memberUid eq
index mail,mailAlternateAddress eq
lastmod on
access to *
by dn="cn=admin,o=Company" write
by dn="cn=root,ou=Users,o=Company" write
by self write
by * read
------ ldap.conf ------
sizelimit 1000
timelimit 15
deref never
host localhost
base o=Company
nss_base_passwd o=Company?sub
nss_base_shadow o=Company?sub
nss_base_group ou=Groups,o=Company?one
ssl no
pam_password md5
------- end ---------
Please refer to the LDAP docs about the use of
ldap.conf and slapd.conf; look at openldap.org
for that. Also, it is a very good idea to remove
/etc/ldap.conf and create a hard link to
/etc/openldap/ldap.conf, like this:
# rm -f /etc/ldap.conf
# ln /etc/openldap/ldap.conf /etc/ldap.conf
So, for now, our LDAP database is configured.
Start the server and fill the database with
data.
Next, let's configure squid for authentication
against LDAP. Edit /etc/squid/squid.conf and
search for "auth_param". I am using (the first
and second lines are actually the same line
but my mail client insists on wrapping them:):
auth_param basic program /usr/lib/squid/squid_ldap_auth -u cn -b ou=Users,o=Company -f (uid=%s) -h localhost
auth_param basic children 5
auth_param basic realm Proxy HTTP Company
auth_param basic credentialsttl 10 minutes
And some lines later:
acl LAN src 192.168.1.0/24
acl Autorized proxy_auth REQUIRED
http_access allow Autorized
Save and start squid. From now on, squid will
ask for your user/password and authenticate it
against LDAP.
Now for squid_ldap_group, I don't have the
experience, so refer to Nordstrom and Flavio
Pescuma, they are the ones.
-- Bye, Fernando Maciel Souto Maior fernando@araujo.com.br http://www.araujo.com.br +55+31 3270-5886
Received on Wed May 14 2003 - 09:40:06 MDT
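To make the search-then-bind and group-check flows from the post concrete, here is an added Python simulation (not code from the post or from Squid) that drives an in-memory stand-in for the directory described above, using the helper protocol Squid speaks to its basic auth and group helpers. The entries, the passwords, the group name proxyusers and the group filter form are constructed assumptions.

```python
# Constructed stand-in for the layout in the post: users under ou=Users,o=Company,
# posixGroup-style groups (memberUid) under ou=Groups,o=Company. Passwords are made up.
DIRECTORY = {
    "uid=alice,ou=Users,o=Company": {"uid": ["alice"], "userPassword": ["s3cret"]},
    "uid=bob,ou=Users,o=Company": {"uid": ["bob"], "userPassword": ["hunter2"]},
    "cn=proxyusers,ou=Groups,o=Company": {"cn": ["proxyusers"], "memberUid": ["alice"]},
}

def search(base, scope="sub", **must_match):
    """Simulate an LDAP search: 'one' = direct children of base, 'sub' = whole subtree.
    An entry matches when every requested attribute carries the requested value."""
    depth = base.count(",") + 1
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue
        if scope == "one" and dn.count(",") != depth:
            continue
        if all(val in attrs.get(attr, []) for attr, val in must_match.items()):
            hits.append(dn)
    return hits

def bind(dn, password):
    """Simulate a simple bind: succeeds only for a known DN presenting its password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])

def squid_ldap_auth(user, password, base="ou=Users,o=Company"):
    """Search-then-bind, as configured in the post: -b ou=Users,o=Company -f (uid=%s).
    Returns the OK/ERR reply Squid expects from a basic auth helper."""
    if not password:
        # A zero-length password turns a simple bind into an anonymous bind (RFC 4513),
        # which would "succeed" without proving anything, so refuse it before binding.
        return "ERR"
    dns = search(base, uid=user)
    if len(dns) != 1:  # unknown user, or an ambiguous match: never guess which DN to bind
        return "ERR"
    return "OK" if bind(dns[0], password) else "ERR"

def squid_ldap_group(user, group, base="ou=Groups,o=Company"):
    """Group membership check. The filter form (&(cn=group)(memberUid=user)) and the
    one-level scope are assumptions for this simulation, not squid_ldap_group's defaults."""
    return "OK" if search(base, scope="one", cn=group, memberUid=user) else "ERR"

def handle_helper_line(line, helper):
    """Squid helper protocol: one 'arg1 arg2' request per input line, one OK/ERR reply per line.
    Squid runs several such helper children (auth_param basic children 5 in the post)."""
    parts = line.rstrip("\n").split(" ", 1)
    return helper(parts[0], parts[1]) if len(parts) == 2 else "ERR"
```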
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:16:40 MST