Re: [squid-users] active directory

From: D & E Radel <radel@dont-contact.us>
Date: Wed, 01 Aug 2007 09:38:06 +1200

UK SquidUser (AXA-TECH-UK) wrote:
> Hi, I'm trying to migrate to a new platform of Squid proxy servers using
> Active Directory. I can't seem to find any pointers on configuring
> Squid/Kerberos/Samba to use multiple domains for authentication. I've
> configured a test box to point through a single domain using AD fine,
> but I'm unsure if I can actually use cross-domain authentication. Can
> anybody point me in the right direction, please?
> Kev.
>
> TS Data Networks
> AXA Tech

I use the following script for LDAP authentication from multiple domains. This should be modifiable
for other forms of authentication:

#============================================
#!/bin/sh

# This script checks a username and password provided by squid
# against 2 domains. If the credentials are accepted by either
# domain, output "OK". Otherwise, output "ERR".
#
# Note: -w puts the bind password on the ldap_auth command line, where
# any local user can read it with ps. ldap_auth also accepts -W <file>
# to read the bind password from a (root-only) file instead.

# read from stdin until EOF is received. -r keeps backslashes in the
# password literal; IFS= keeps leading/trailing whitespace intact.
while IFS= read -r INP; do

    # Use username and password to authenticate against FIRST domain.
    # "$INP" is quoted and passed through printf so the shell does not
    # word-split, glob-expand or escape-interpret the credentials before
    # they reach ldap_auth (they travel on stdin, not on argv).
    DOMAIN1=$(printf '%s\n' "$INP" | /usr/lib/squid/ldap_auth -R \
        -b "dc=first,dc=my,dc=domain,dc=com" \
        -D "cn=Administrator,cn=Users,dc=second,dc=my,dc=domain,dc=com" \
        -w "admin_password" -f sAMAccountName=%s -h 192.168.1.1)

    # If the first domain accepts, answer "OK" and skip the second domain:
    # there is no point in a second bind attempt (which would count as a
    # failed logon there if the same name exists with another password).
    # "=" rather than "==": this runs under /bin/sh, where "==" is not portable.
    if [ "$DOMAIN1" = "OK" ]; then
        echo "OK"
        continue
    fi

    # Use username and password to authenticate against SECOND domain
    DOMAIN2=$(printf '%s\n' "$INP" | /usr/lib/squid/ldap_auth -R \
        -b "dc=second,dc=my,dc=domain,dc=com" \
        -D "cn=Administrator,cn=Users,dc=second,dc=my,dc=domain,dc=com" \
        -w "admin_password" -f sAMAccountName=%s -h 192.168.1.2)

    # If username and password are correct for the second domain, output "OK"
    if [ "$DOMAIN2" = "OK" ]; then
        echo "OK"
    else
        echo "ERR"
    fi
done
#============================================

I then call this from my squid.conf with:

#============================================
# Authenticate against TWO domains using LDAP, not SAMBA
#------------------------------------------------------------
# Uses the custom script called multi_domains.sh which authenticates
# against more than one domain by making multiple calls to the standard
# /usr/lib/squid/ldap_auth program and evaluating the result. The script
# passes either an "OK" or an "ERR" back to Squid.

auth_param basic program /etc/squid/multi_domains.sh
auth_param basic children 5
auth_param basic realm MyCompany Proxy
auth_param basic credentialsttl 5 hours
#============================================

I hope that this is useful to you.

Cheers,
Dietrich
Received on Tue Jul 31 2007 - 15:38:20 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Aug 01 2007 - 12:00:04 MDT
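The chaining pattern in Dietrich's script, written out as a general helper. This is an added example, not code from the original post or from the Squid project: a Squid basic-auth helper that tries any number of backend helpers in order (here one ldap_auth wrapper per AD domain), answers OK on the first backend that accepts, never asks the remaining backends once one has accepted, passes the credentials only on stdin, and fails closed when a backend crashes or is missing. The `auth_*_domain` functions, the `cn=squid-bind` DNs, the 192.168.x.x addresses, the `/etc/squid/*.bindpw` files and the `serve` argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Squid: a Squid
# basic-auth helper that chains several backend helpers (one per AD domain)
# and answers OK on the first backend that accepts the credentials.
# Backend functions, DNs, 192.168.x.x addresses and the /etc/squid/*.bindpw
# paths are placeholders/assumptions.

# One backend function per domain, each wrapping the stock ldap_auth helper.
# -W reads the bind password from a root-only file instead of putting it on
# the command line (-w), where every local user could read it with ps.
auth_first_domain() {
    /usr/lib/squid/ldap_auth -R -h 192.168.1.1 \
        -b "dc=first,dc=my,dc=domain,dc=com" \
        -D "cn=squid-bind,cn=Users,dc=first,dc=my,dc=domain,dc=com" \
        -W /etc/squid/first.bindpw \
        -f sAMAccountName=%s
}

auth_second_domain() {
    /usr/lib/squid/ldap_auth -R -h 192.168.1.2 \
        -b "dc=second,dc=my,dc=domain,dc=com" \
        -D "cn=squid-bind,cn=Users,dc=second,dc=my,dc=domain,dc=com" \
        -W /etc/squid/second.bindpw \
        -f sAMAccountName=%s
}

# chain_auth LINE BACKEND...
# LINE is one "username password" line exactly as Squid hands it to a basic
# helper (URL-escaped; ldap_auth does the unescaping). Each BACKEND is a
# command that speaks the same protocol: one line in, "OK" or "ERR ..." out.
# Prints OK and returns 0 on the first backend that accepts; otherwise
# prints ERR and returns 1. Backends after the first OK are never asked,
# so a user with the same name but a stale password in another domain does
# not collect failed-logon counts there on every request.
chain_auth() {
    line=$1
    shift
    for backend in "$@"; do
        # Credentials go to the backend on stdin, never on argv (argv is
        # visible in ps). printf, unlike echo, does not interpret escapes
        # in the password. A crashing or missing backend yields an empty
        # result, which is treated as ERR: fail closed.
        result=$(printf '%s\n' "$line" | "$backend" 2>/dev/null || :)
        case "$result" in
            OK|"OK "*) echo "OK"; return 0 ;;
        esac
    done
    echo "ERR"
    return 1
}

# serve_loop BACKEND...
# Squid helper main loop: one answer line per request line until EOF.
# IFS= and -r keep spaces and backslashes in the password intact; the
# '|| [ -n "$line" ]' clause still processes a final line without a newline.
serve_loop() {
    while IFS= read -r line || [ -n "$line" ]; do
        # Nothing to authenticate; answer ERR rather than leaving Squid
        # waiting for a reply line.
        if [ -z "$line" ]; then
            echo "ERR"
            continue
        fi
        chain_auth "$line" "$@" || :
    done
}

# Enter the loop only when started as the helper, i.e. from squid.conf as:
#   auth_param basic program /etc/squid/multi_domains.sh serve
if [ "${1:-}" = "serve" ]; then
    serve_loop auth_first_domain auth_second_domain
fi
```

Adding a third domain is one more `auth_*` function and one more name on the `serve_loop` line; since every backend speaks the plain Squid helper protocol, an `ntlm_auth`/Samba wrapper can be chained the same way as an LDAP one.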