[Legacy] Configuring Squid on Linux to authenticate with Active Directory

AVAILABLE TO CUSTOMERS ON:

Introduction

PaperCut Internet Charging and Quotas requires a proxy server to manage Internet connectivity and log internet usage by your users. If you would like to use Squid on Linux/Unix as your proxy with PaperCut, then your Squid proxy needs to be configured to authenticate users with Windows. This allows Squid to log usernames in the Squid access logs and allows only users with remaining Internet Quota access to the Internet. (If you would prefer to run Squid on Windows, then read our article [Legacy] Installing and configuring SquidNT. Setting up the authentication with the windows domain is considerably simpler than configuring LDAP on Linux/Unix)

This document describes how to configure Squid to authenticate with a Windows Active Directory and only allow Internet Access to users that are members of a particular Windows security/domain group.

Microsoft Active Directory is an LDAP v3 compliant directory and therefore can be used as a mechanism to authenticate users. Squid supports LDAP v3 and an authentication method. You can achieve similar results by using Samba and Winbind, however that process is much more involved and requires the Squid server machine to become a member of the domain.

Using the Squid LDAP authentication helpers, you can achieve Active Directory user authentication with some simple Squid configuration. There is no need to implement full Samba Winbind integration.

You will require Squid 2.5 or greater (with LDAP helpers). Some information on these modules can be found here:

• http://www.die.net/doc/linux/man/man8/squid _ldap_auth.8.html
• http://www.die.net/doc/linux/man/man8/squid _ldap_group.8.html

If your Squid installation has LDAP support compiled in, you will find 2 files in “/usr/lib/squid/” (or you equivalent location where Squid is installed)

• ldap_auth (or sometime named squid_ldap_auth)
• squid_ldap_group

These files perform LDAP authentication and group membership checks against and LDAP server of your choice. E.g. Active Directory on Windows, or OpenLDAP (or other LDAP server on) Novell, Linux, Solaris, etc.

Configuring Squid LDAP Authentication

The first step is to configure Squid to authenticate usernames/passwords with the Active Directory. You will need to open your Squid configuration file (squid.conf) and make the following changes:

Find the auth param section of the config file (TAG: auth_param), and change the auth param basic program line to look like this. (Indented text indicates one line)

   auth_param basic program /usr/lib/squid/ldap_auth -R 
       -b “dc=vm-domain,dc=papercut,dc=com” 
       -D “cn=Administrator,cn=Users,dc=your,dc=domain,dc=com”
       -w “password” -f sAMAccountName=%s -h 192.168.1.75
   auth_param basic children 5
   auth_param basic realm Your Organisation Name
   auth_param basic credentialsttl 5 minutes

These settings tell Squid authenticate names/passwords in the Active Directory.

• The -b option indicated the LDAP base distinguished name of your domain. E.g. your.domain.com would be dc=your,dc=domain,dc=com

• The –D option indicates the user that is used to perform the LDAP query. (e.g an Administrator. This example uses the built-in Administrator user, however you can use another user of your choice.

• The –w option is the password for the user specified in the –D option. For better security you can store the password in a file and use the –W /path/to/password_file syntax instead

• -h is used to indicate the LDAP server to connect to. E.g. your domain controller.

• -R is needed to make Squid authenticate against Windows AD

• The –f option is the LDAP query used to lookup the user. In the above example, sAMAccountName=%s, will match if the user’s Windows logon name matches the username entered when prompted by Squid. You can search any value in the LDAP filter query. You may need to use an LDAP search query tool to help get the syntax correct for the –f search filter.

• The %s is replaced with what the user enters as their username.

Remember to restart Squid to make these changes to come into effect.

Configuring Group Based Internet Access

Once the user has authenticated, you can define which users have access to network resources (i.e. the internet) using Squid access control lists (ACLs). Squid ACLs are a complex topic and allow very sophisticated control. This document only describes the basic configuration required to allow Active Directory / LDAP group checking - a requirement for PaperCut to deny/allow internet access. For further information on ACL syntax and configuration see the Squid documentation and FAQ.

In the Squid configuration file, find the external ACL section (TAG: external_acl_type) and specify the following external ACL (Inetgroup is arbitrary, make this anything appropriate). Note that this is all on one line.

   external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R 
       -b “dc=vm-domain,dc=papercut,dc=com” 
       -D “cn=Administrator,cn=Users,dc=your,dc=domain,dc=com”
       -w “password” 
       -f “(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=users,dc=your,dc=domain,dc=com))” 
       -h 192.168.1.75

Most of this is similar to the LDAP authentication section above. The variable %v relates to the username and %a is the group given in the ACL (below). Ensure that the “memberof” filter is adjusted to where your LDAP internet group is defined. E.g. If you have an organizational unit call “you.domain.com/students”, and this contains a group called “InternetAccessGroup”, then the “memberof” part of the filter should be: memberof=cn=%a,ou=students,dc=your,dc=domain,dc=com

Then enter the values below in the ACL area (Tag: acl) of squid.conf, modifying your internal subnet as appropriate.

   acl localnet proxy_auth REQUIRED src 192.168.1.0/24
acl InetAccess external InetGroup InternetAccessGroup

The ACL names are InetAccess, they are arbitrary and can be changed to suit your environment. InetGroup is the the External ACL name created above. The Active Directory groups that allow internet access is InternetAccessGroup. This is the name of the matching group in the Active Directory.

Now that you have completed the ACL you can reference them in the http_access area of Squid.conf:

   http_access allow InetAccess

You will need to restart Squid for these changes to come into effect.

You should then be able to try to access the Internet using Squid, and should be prompted for your Windows username and password. Only authenticated users AND users belonging to the “InternetAccessGroup” will be allowed access to the internet. This test by manually adding and removing users from the group using the Active Directory user management tools. The users should be granted/denied access depending on their AD group membership.

NOTE: If you have the need to deny Internet access for members of another Windows security group, you can set up a “InternetDenyGroup” the same way as above and then define an InetDeny ACL. You can then specify a http_access deny rule as follows:

   http_access deny InetDeny

Acknowledgments

Thanks to Ryan Brinch (Network Administrator, Linwood College, New Zealand) for his assistance helping PaperCut Software write this guide. Ryan would also like to thank Stephen Fergusson, for helping in the reviewing and checking this document.

If you’d like to know more about our print management and print accounting program please visit our home page.