- 论坛徽章:
- 0
|
Configuring Squid Proxy To Authenticate With Active Directory 不一定要加入AD的,其实我更愿意推荐另外一种认证机制:LDAP。
Microsoft AD 是一种LDAP v3 兼容的目录服务,Squid 也支持LDAP v3. 所有我们可以用LDAP得到与用Samba / Winbind同样的结果,而且不用象上面一样还要把机器加入AD。
这需要squid 2.5 或更高版本 (with Ldap helpers).
相关信息可以参考:
http://kb.papercutsoftware.com/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory
Configuring Squid LDAP Authentication
The first step is to configure Squid to authenticate usernames/passwords with the Active Directory. You will need to open your Squid configuration file (squid.conf) and make the following changes:
Find the auth param section of the config file (TAG: auth_param), and change the auth param basic program line to look like this. (Indented text indicates one line)
auth_param basic program /usr/lib/squid/ldap_auth -R
-b "dc=vm-domain,dc=papercut,dc=biz"
-D "cn=Administrator,cn=Users,dc=your,dc=domain,dc=com"
-w "password" -f sAMAccountName=%s -h 192.168.1.75
auth_param basic children 5
auth_param basic realm Your Organisation Name
auth_param basic credentialsttl 5 minutes
These settings tell Squid authenticate names/passwords in the Active Directory.
The -b option indicated the LDAP base distinguished name of your domain. E.g. your.domain.com would be dc=your,dc=domain,dc=com
The –D option indicates the user that is used to perform the LDAP query. (e.g an Administrator. This example uses the built-in Administrator user, however you can use another user of your choice.
The –w option is the password for the user specified in the –D option. For better security you can store the password in a file and use the –W /path/to/password_file syntax instead
-h is used to indicate the LDAP server to connect to. E.g. your domain controller.
-R is needed to make Squid authenticate against Windows AD
The –f option is the LDAP query used to lookup the user. In the above example, sAMAccountName=%s, will match if the user’s Windows logon name matches the username entered when prompted by Squid. You can search any value in the LDAP filter query. You may need to use an LDAP search query tool to help get the syntax correct for the –f search filter.
The %s is replaced with what the user enters as their username.
Remember to restart Squid to make these changes to come into effect.
Configuring Group Based Internet Access
Once the user has authenticated, you can define which users have access to network resources (i.e. the internet) using Squid access control lists (ACLs). Squid ACLs are a complex topic and allow very sophisticated control. This document only describes the basic configuration required to allow Active Directory / LDAP group checking - a requirement for PaperCut to deny/allow internet access. For further information on ACL syntax and configuration see the Squid documentation and FAQ.
In the Squid configuration file, find the external ACL section (TAG: external_acl_type) and specify the following external ACL (Inetgroup is arbitrary, make this anything appropriate). Note that this is all on one line.
external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R
-b "dc=vm-domain,dc=papercut,dc=biz"
-D "cn=Administrator,cn=Users,dc=your,dc=domain,dc=com"
-w "password"
-f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,dc=your,dc=domain,dc=com))"
-h 192.168.1.75
Most of this is similar to the LDAP authentication section above. The variable %v relates to the username and %a is the group given in the ACL (below). Ensure that the "memberof" filter is adjusted to where your LDAP internet group is defined. E.g. If you have an organizational unit call "you.domain.com/students", and this contains a group called "InternetAccessGroup", then the "memberof" part of the filter should be: memberof=cn=%a,ou=students,dc=your,dc=domain,dc=com
Then enter the values below in the ACL area (Tag: acl) of squid.conf, modifying your internal subnet as appropriate.
acl localnet proxy_auth REQUIRED src 192.168.1.0/24
acl InetAccess external InetGroup InternetAccessGroup
The ACL names are InetAccess, they are arbitrary and can be changed to suit your environment. InetGroup is the the External ACL name created above. The Active Directory groups that allow internet access is InternetAccessGroup. This is the name of the matching group in the Active Directory.
Now that you have completed the ACL you can reference them in the http_access area of Squid.conf:
http_access allow InetAccess
You will need to restart Squid for these changes to come into effect.
You should then be able to try to access the Internet using Squid, and should be prompted for your Windows username and password. Only authenticated users AND users belonging to the "InternetAccessGroup" will be allowed access to the internet. This test by manually adding and removing users from the group using the Active Directory user management tools. The users should be granted/denied access depending on their AD group membership.
NOTE: If you have the need to deny Internet access for members of another Windows security group, you can set up a "InternetDenyGroup" the same way as above and then define an InetDeny ACL. You can then specify a http_access deny rule as follows:
http_access deny InetDeny
Acknowledgements
Thanks to Ryan Brinch (Network Administrator, Linwood College, New Zealand) for his assistance helping PaperCut Software write this guide. Ryan would also like to thank Stephen Fergusson, for helping in the reviewing and checking this document.
试试再告诉大家结果。
上面所写的方法没有弹出对话框要你输入用户名及密码,LDAP 可能要,试试才知.
[ 本帖最后由 seewo 于 2006-8-25 17:42 编辑 ] |
|