Art Mason <[EMAIL PROTECTED]> writes:
Hello there,
> Okay, not sure if this is the right forum to ask this question, and if not, I
> apologize in advance. Anyway, here goes: I'm planning on deploying Win2K
> Active Directory this summer across the K-12 school district that I manage,
> and our current content filtering solution (iGear) just plain sucks.
Now, there is something funny about that paragraph. What is Win2K again? ;)
> Trying
> to insert Mandrake, FreeBSD, and OpenBSD into everywhere possible,
Now comes the really interesting part :)
> my
> question is this: Since Win2K AD uses LDAP as its core protocol, can I just
> plug in users on the Win2K DC Server and have SquidGuard running on Cookfire
> authenticate all connection requests via LDAP from the Win2K server if I was
> to implement filtering by username, or would I have to add each user to the
> Squid box manually? Is this even possible, or am I just way off base here?
> Thanks in advance.
You have two different things: authentication (squid level) and
authorization (squidGuard level).
1. Authentication (at squid level)
You have different approaches for user authentication with LDAP.
a) squid compiled with direct LDAP authentication
In the squid sources (check the squid-2.3.STABLE4-3mdk.src.rpm for that; you can find
it on the 2nd ISO of the firewall distribution) you can find the auth/LDAP directory. You
could modify the squid.spec file, compile the squid_ldap_auth binary and
use it instead of the pam_auth one that we use in Mandrake Security.
Before compiling, you should edit the squid_ldap_auth.c file (or create a
patch to be applied while compiling squid) and modify the #define
SEARCHBASE "ou=peopl,o=nrc.ca" line to adapt it to your own LDAP server
configuration.
When you are done with the compilation, copy the squid_ldap_auth binary
somewhere (I put the pam_auth binary in the /usr/lib/squid directory) and
modify the "authenticate_program /usr/lib/squid/pam_auth" line in the
/etc/squid/squid.conf file created with our web configuration tool.
The line should look something like this:
authenticate_program /usr/lib/squid/squid_ldap_auth your.ldap.server port
b) use the squid you already have, compiled with PAM, and modify the PAM
configuration file
The squid you got with the distribution is compiled with PAM, so
you'll have to define all the users on the squid box. Why? Simply
because the /etc/pam.d/squid file looks like this:
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
See, the service parameter points to the /etc/pam.d/system-auth file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_unix.so
So, this file uses pam_unix.so, the standard Unix authentication (with
some shadow support).
So, the idea is to modify this file, or directly the /etc/pam.d/squid
one, in order to use LDAP. So, configure squid to use PAM authentication and
then use the pam_ldap package from the cooker distro. You'll have to
recompile it for Mandrake Security (based on a Mandrake 7.2 distro), along
with the nss_ldap package.
Check out the www.padl.com web site for more info on this.
I have never tried this config yet, so I'll install an ldap server and try
it next week.
2. See the configuration section from www.squidguard.org in order to
configure the src sections (eventually using the userlist reserved word).
3. The last thing to take care of is the communication between the Windows server
and the Linux client. I haven't tested that yet.
I hope the answer wasn't too long :)
good luck,
--
Florin http://www.mandrakesoft.com
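The helper flow Florin describes in 1a (search the directory for the user under a configured SEARCHBASE, then bind as the entry found), written as an added example; this is not Florin's code and not the squid_ldap_auth sources. It assumes the squid 2.x basic-auth helper protocol (one "user password" line on stdin, "OK" or "ERR" per line on stdout), a placeholder SEARCH_BASE, and a constructed in-memory FakeDirectory standing in for the LDAP server so it runs offline.

```python
import sys

# Placeholder: replace with the search base of your own directory.
SEARCH_BASE = "ou=people,dc=example,dc=org"

def escape_filter(value):
    """Escape RFC 4515 special characters so a username cannot alter the filter."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "*()\\\0" else ch)
    return "".join(out)

class FakeDirectory:
    """Constructed stand-in for an LDAP server: {dn: (uid, password)}."""
    def __init__(self, entries):
        self.entries = entries
    def search(self, base, filt):
        # Return the DNs under base whose uid matches an equality filter "(uid=X)"
        wanted = filt[len("(uid="):-1]
        return [dn for dn, (uid, _) in self.entries.items()
                if dn.endswith(base) and uid == wanted]
    def bind(self, dn, password):
        return dn in self.entries and self.entries[dn][1] == password

def authenticate(directory, user, password, base=SEARCH_BASE):
    """True only when exactly one entry matches and it binds with the password."""
    if not user or not password:
        # An empty password turns the bind into an anonymous bind, which many
        # servers accept; never report that as a successful login.
        return False
    dns = directory.search(base, "(uid=%s)" % escape_filter(user))
    if len(dns) != 1:
        return False
    return directory.bind(dns[0], password)

def helper_loop(directory, lines, base=SEARCH_BASE):
    """squid 2.x helper protocol: one 'user password' per line, answer OK/ERR.
    (Later squid versions %-encode both fields and would need unquoting.)"""
    replies = []
    for line in lines:
        parts = line.rstrip("\n").split(" ", 1)  # passwords may contain spaces
        user, password = (parts + [""])[:2]
        ok = authenticate(directory, user, password, base)
        replies.append("OK" if ok else "ERR")
    return replies

if __name__ == "__main__":
    fake = FakeDirectory({"uid=alice,ou=people,dc=example,dc=org": ("alice", "s3cret")})
    for reply in helper_loop(fake, sys.stdin):
        print(reply, flush=True)
```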