You can use your Active Directory user accounts to authenticate in Squid. You can also use Active Directory groups for access control in Squid. This article describes how to configure Squid to use Active Directory user accounts for authentication and groups for access control.
We will use Winbind to integrate Active Directory into Squid. See Active Directory Integration with Samba for instructions on how to configure Winbind.
Authenticating using Active Directory
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl authenticated proxy_auth REQUIRED
The first section of auth_param configures NTLM browser authentication (works in Internet Explorer) to authenticate using Samba. The second section of auth_param does the same but works for basic browser authentication.
The last line defines an access control list element named authenticated which can be used in any access control list. Below is a simple access control list which allows only authenticated users to have access to the Squid cache.
http_access allow authenticated

2. Restart the squid service. Learn how to restart services.
3. Try browsing the web via the proxy server. You should be asked to authenticate. Learn how to configure Firefox or Internet Explorer to use a proxy server.
Using Active Directory Security Groups
You can use Active Directory security groups in your access control list. Distribution groups will not work here.
external_acl_type ad_group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl banned_users external ad_group BannedUsers
The first line defines an external acl type named ad_group, which points to a Perl program that accepts a user name and a group name as parameters and returns OK if the user belongs to the specified group.
The second line defines an access control list element named banned_users, which specifies the Active Directory group BannedUsers. Below is an example of using the banned_users acl.
http_access deny banned_users

2. Restart the squid service. Learn how to restart services.
3. Try browsing the web via the proxy server. Learn how to configure Firefox or Internet Explorer to use a proxy server.
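Squid checks http_access lines from top to bottom and stops at the first one that matches, so the relative order of the two http_access rules shown in this article decides whether members of BannedUsers are actually blocked. The Python model below is an added example, not part of the original article; it evaluates the article's ACLs in both orders, using a constructed GROUPS table (the users alice and mallory are hypothetical) in place of the real winbind lookup.

```python
# Added example, not from the original article. GROUPS is constructed sample
# data standing in for the winbind lookup that wbinfo_group.pl performs.
GROUPS = {"BannedUsers": {"mallory"}}

ACLS = """\
external_acl_type ad_group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl authenticated proxy_auth REQUIRED
acl banned_users external ad_group BannedUsers
"""
# The same two rules from the article, in the two possible orders.
ALLOW_FIRST = ACLS + "http_access allow authenticated\nhttp_access deny banned_users\n"
DENY_FIRST = ACLS + "http_access deny banned_users\nhttp_access allow authenticated\n"


def parse(conf):
    """Collect acl definitions and http_access rules, in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            acls[words[1]] = (words[2], words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(name, acls, user):
    kind, args = acls[name]
    if kind == "proxy_auth":   # REQUIRED: any user who has logged in
        return True
    if kind == "external":     # args = [helper type, group, group, ...]
        return any(user in GROUPS.get(group, ()) for group in args[1:])
    raise ValueError("acl type not modelled: " + kind)


def decide(conf, user):
    """Return 'allow' or 'deny' for an already-authenticated user."""
    acls, rules = parse(conf)
    for action, names in rules:  # top to bottom, first matching rule wins
        if all(acl_matches(n, acls, user) for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule (deny if none).
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    for label, conf in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)):
        print(label, {u: decide(conf, u) for u in ("alice", "mallory")})
```

With the allow rule first, the banned user is let through because the deny rule is never reached; placing http_access deny banned_users above http_access allow authenticated blocks the group.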
***
Posted on 11/2/2008 and last updated on 11/6/2009
Filed under Squid Proxy Server



December 1st, 2008 at 3:37 pm
Thanks for that, worked great, the pictures helped a lot
March 3rd, 2009 at 5:08 pm
Hello,
I used the howto, all working fine, but whenever we try to attach or upload I am getting login pop-up windows. I am giving correct info, then nothing happens, the browser just hangs. Can you please let me know what the cause is?
March 4th, 2009 at 10:05 am
Hi,
I configured it but I'm getting the following error.
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
I did the setup in RHEL5
Please help me to resolve this
April 24th, 2009 at 4:55 am
Hi Experts,
I configured it like your configuration, but it doesn't seem to work. I added the users to be banned to BannedUsers, but it's still working and no users are denied. Please kindly try to help me.
Thanks