Squid With AD Authentication 


Squid is the most popular proxy server in the industry. Along with caching, Squid includes access control lists (ACLs) to restrict users from accessing various internet resources. IP-address-based and MAC-based ACLs can be configured in Squid, but they are difficult to manage in a DHCP environment because IP addresses keep changing as DHCP leases expire. Secondly, an IP or MAC based restriction ties the user to his source IP/MAC address: if the user logs in from a different client machine, the ACL that applies to him changes with the new source IP/MAC address. Similarly, if two users share the same machine, it is hard to apply restrictions to each user individually.

To tackle this problem, administrators can configure their Squid proxy server to authenticate against a central credential store. The credential store can be a basic-authentication store, similar to the one used by HTTP/Apache. But with the increasing use of Active Directory servers in companies, the same credential store can be used by Squid to authenticate its users. In this way, users will not have to remember multiple passwords and will not receive an authentication prompt while accessing internet websites.

In addition, by configuring Squid to authenticate users against the Active Directory server, ACLs can be configured on a group basis. This makes it easier for administrators to grant a user more rights in Squid: it is done simply by moving his ID from one group to another in Active Directory, without making any changes to the Squid configuration. Moreover, the administrator will be able to produce user-based reports rather than IP-address-based reports.

Such a setup requires configuration of Kerberos, NTP, Squid and winbind/Samba. NTP is required to sync the time of the proxy server with the Active Directory server: if there is a time mismatch of more than 5 minutes, Squid will not be able to authenticate you against Active Directory. The following configuration steps need to be followed in order to integrate Squid with Active Directory.

The configuration below was carried out on RHEL 5.0, with Active Directory running on a Windows 2003 server.

Configure the "/etc/hosts" file on the proxy server to define its FQDN, and also put the FQDN of the Active Directory server in it:

File: /etc/hosts

Now open "/etc/krb5.conf" and configure a few parameters as shown below:

File: /etc/krb5.conf

Now sync the clocks of the proxy and AD servers as below. Although you may set the clocks manually and skip this synchronisation step, it is always better to leave this worry to an NTP server. Let us sync the clock of the proxy server first:

Configure NTP on Proxy Server

And then on the Windows server:

Configure NTP on Windows Server

Now edit the Samba configuration as shown below:

File: /etc/samba/smb.conf

After saving the above file, start the Samba and winbind services as shown below:

Start Samba and Winbind Services

Now join your proxy server to the Active Directory domain.

Join Proxy into Active Directory Domain

In case you are trying this setup with the proxy server behind the firewall in the DMZ zone and your Active Directory server in the LAN zone of the firewall, be sure that the proxy server can reach the Active Directory server on port 88 (udp) for Kerberos, 389 (udp & tcp) for LDAP, 53 (udp & tcp) for DNS, and 445 (tcp) and 139 (tcp) for microsoft-ds and NetBIOS respectively.

Now, from the Linux prompt, execute the following commands:

Verify Connections & Fetch User and Group Lists

Below is the final Squid configuration with Active Directory authentication and ACLs based on AD groups.

File: /etc/squid/squid.conf

To test the above setup, open an internet browser on some Windows machine that is joined to the Active Directory domain and configure the proxy settings in the browser. Now try to download some file type that is blocked by the "filetype.txt" file under the Squid ACLs. If your ID is not present in the "test" group in AD, you will hit an access denied page. Now close the browser, move your ID from its other group into the "test" group (as per the above example) and try the same procedure again. You should be able to download the file. Other ACLs can be tested in a similar way.
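The article's own squid.conf is shown only as a screenshot, so the fragment below is an added example (not the author's file) of how the group-based ACL and the "filetype.txt" test described above are typically expressed in Squid 2.x. It assumes winbind's ntlm_auth as the authentication helper, the wbinfo_group.pl external ACL helper shipped with Squid, an AD group named "test", and a constructed LAN range of 192.168.1.0/24.

```conf
# Added example, not the page's own squid.conf. Assumes Squid 2.x on RHEL 5,
# Samba/winbind already joined to the domain, and that the squid user can
# read /var/lib/samba/winbindd_privileged (chgrp squid, chmod 750),
# otherwise ntlm_auth fails and every user sees an authentication prompt.

# Authentication: NTLM for domain-joined Windows clients (no prompt),
# basic as a fallback for other browsers. Basic sends the password to the
# proxy in clear text, so only expose this listener on the LAN side.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# AD group lookup: the helper asks winbind whether the authenticated user
# (%LOGIN) is a member of the group named on the acl line. ttl=300 caches
# the answer for 5 minutes, so a group move in AD takes effect without a
# Squid restart (and a removal takes up to 5 minutes to be enforced).
external_acl_type nt_group ttl=300 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl

# Constructed LAN range; adjust to your network.
acl localnet src 192.168.1.0/24
# Any user who authenticated successfully against AD.
acl AuthUsers proxy_auth REQUIRED
# Members of the AD group "test" (the group used in the article's test).
acl ADGroup_test external nt_group test
# filetype.txt holds one regex per line matched against the URL path,
# for example:  \.exe$
acl BlockedFiles urlpath_regex -i "/etc/squid/filetype.txt"

# Order matters: the deny on !AuthUsers is what triggers the 407 challenge,
# and it must come before any rule that relies on %LOGIN being set.
http_access deny !localnet
http_access deny !AuthUsers
# Blocked extensions are denied unless the user is in the "test" AD group.
http_access deny BlockedFiles !ADGroup_test
http_access allow AuthUsers
http_access deny all
```

Check the helpers from the shell before reloading Squid: `wbinfo -t` confirms the domain trust, and running `/usr/lib/squid/wbinfo_group.pl` by hand and typing `DOMAIN\user test` should answer `OK` or `ERR`.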

Feedback/Suggestions: feedback@torridnet.com