You can use your Active Directory user accounts to authenticate to Squid. You can also use Active Directory groups for access control in Squid. This article describes how to configure Squid to use Active Directory user accounts for authentication and groups for access control.

We will use Winbind to integrate Active Directory into Squid. See Active Directory Integration with Samba for instructions on how to configure Winbind.

Authenticating using Active Directory

1. Edit the file /etc/squid/squid.conf and add the lines below.
# NTLM scheme: ntlm_auth speaks the NTLMSSP helper protocol
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

# Basic scheme: the helper must use the basic protocol, not ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl authenticated proxy_auth REQUIRED

The first auth_param section configures NTLM browser authentication (works in Internet Explorer), authenticating through Samba. The second auth_param section does the same for basic browser authentication.

The last line defines an access control list element named authenticated, which can be used in any access control list. Below is a simple access control list that allows only authenticated users to access the Squid cache.

http_access allow authenticated
2. Restart the squid service. Learn how to restart services.
3. Try browsing the web via the proxy server; you should be asked to authenticate. Learn how to configure Firefox or Internet Explorer to use a proxy server.

Using Active Directory Security Groups

You can use Active Directory security groups in your access control list. Distribution groups will not work here.

1. Edit the file /etc/squid/squid.conf and add the lines below.
external_acl_type ad_group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl banned_users external ad_group BannedUsers

The first line defines an external acl type named ad_group, which points to a Perl program that accepts a user name and a group name as parameters and returns OK if the user belongs to the specified group.

The second line defines an access control list element named banned_users, which specifies the Active Directory group BannedUsers. Below is an example of using the banned_users acl. Squid evaluates http_access rules in order and stops at the first match, so place this line before http_access allow authenticated.

http_access deny banned_users
2. Restart the squid service. Learn how to restart services.
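
To show what an external_acl_type helper such as the one behind ad_group does with each request, here is an added Python example (not the wbinfo_group.pl shipped with Squid, and not code from this article). It assumes Squid sends one line per lookup in the form "<user> <group> [<group>...]" with URL-escaped fields, and that the wbinfo options -n, -Y and -r from Samba are available; the function names are illustrative.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: answer OK if the user is in any listed AD group."""
import subprocess
import sys
from urllib.parse import unquote


def wbinfo(*args):
    """Run wbinfo with an argument list (no shell) and return its stdout."""
    return subprocess.run(["wbinfo", *args], capture_output=True, text=True,
                          check=True, timeout=10).stdout


def winbind_member(user, group):
    """Resolve group name -> SID -> gid, then compare with the user's gids."""
    sid = wbinfo("-n", group).split()[0]
    gid = wbinfo("-Y", sid).strip()
    return gid in wbinfo("-r", user).split()


def answer(line, is_member=winbind_member):
    """Return 'OK' or 'ERR' for one request line from Squid."""
    fields = [unquote(f) for f in line.split()]  # Squid URL-escapes each field
    if len(fields) < 2:
        return "ERR"
    # The user name comes from the client: refuse values that wbinfo would
    # parse as an option, and embedded NUL bytes.
    if any(v.startswith("-") or "\x00" in v for v in fields):
        return "ERR"
    user, groups = fields[0], fields[1:]
    try:
        return "OK" if any(is_member(user, g) for g in groups) else "ERR"
    except Exception:
        return "ERR"  # lookup failed: report "no match", never an implicit OK


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; do not buffer


if __name__ == "__main__":
    main()
```

ERR only means "no match": for a group used in an allow rule a failed lookup denies access, but for a deny rule such as banned_users a failed lookup lets the request fall through to the next http_access line.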


***
Posted on 11/2/2008 and last updated on 11/6/2009
Filed under Squid Proxy Server