Here are a couple of howtos, I hope they are of some use to you
Squid authentication against Active Directory
Source: Pablo Sarubbi - Efraim Wainerman
Tuesday, March 6, 2007
In this article we look at one way of installing and configuring Squid
so that it authenticates against a Windows 2003 server running Active
Directory.
For this we chose the Etch release of Debian. Once it is installed and
updated, we install the supporting software using the beloved
apt-get install command:
* squid
* squid-common
* samba-common
* libsmbclient
* smbclient
* libkrb53
* krb5-kdc
* krb5-config
* krb5-user
* winbind
After making sure that all of these packages are installed, we need to
edit a few configuration files:
/etc/squid/squid.conf
# Active Directory configuration
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 2 hours
# Only allow authenticated users to use the proxy
acl authenticated_users proxy_auth REQUIRED
...
http_access allow authenticated_users
/etc/samba/smb.conf
[global]
netbios name = proxyserver
realm = DOMAIN.COM
workgroup = DOMAIN
security = ADS
password server = dc01.domain.com dc02.domain.com dc03.domain.com
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind use default domain = yes
encrypt passwords = yes
log level = 3 passdb:5 auth:10 winbind:5
/etc/krb5.conf
[libdefaults]
ticket_lifetime = 600
default_realm = DOMAIN.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN.COM = {
kdc = dc01.domain.com:88
kdc = dc02.domain.com:88
kdc = dc03.domain.com:88
admin_server = dc01.domain.com:749
default_domain = DOMAIN.COM
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
/etc/pam.d/samba
auth required pam_nologin.so
auth required pam_stack.so service=system-auth-winbind
account required pam_stack.so service=system-auth-winbind
session required pam_stack.so service=system-auth-winbind
password required pam_stack.so service=system-auth-winbind
/etc/pam.d/squid
auth required /lib/security/pam_stack.so service=system-auth-winbind
account required /lib/security/pam_stack.so service=system-auth-winbind
/etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
Then, and this is very important, using a network administrator
account, run:
net ads join Servers/Linux -U AdminAcct -S dc01.domain.com
In theory that is all there is to it.
Good luck
Links:
1. http://www.squid-cache.org/Doc/FAQ/FAQ_long.html#winbind
2. http://info.ccone.at/INFO/Samba-2.2.12/winbindd.8.html
3. http://acd.ucar.edu/~fredrick/linux/samba3/
4. http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain
Note 1:
root# wbinfo -u --> lists all users in the domain
root# wbinfo -g --> lists all groups in the domain
root# getent passwd --> shows the full details of each user
root# getent group --> shows the full details of each group
Configuring Squid on Linux to authenticate with Active Directory
Introduction
PaperCut Internet Charging and Quotas requires a proxy server to
manage Internet connectivity and log internet usage by your users. If
you would like to use Squid on Linux/Unix as your proxy with PaperCut,
then your Squid proxy needs to be configured to authenticate users
with Windows. This allows Squid to log usernames in the Squid access
logs and allows only users with remaining Internet Quota access to the
Internet. (If you would prefer to run Squid on Windows, then read our
article Installing and configuring SquidNT. Setting up the
authentication with the windows domain is considerably simpler than
configuring LDAP on Linux/Unix)
This document describes how to configure Squid to authenticate with a
Windows Active Directory and only allow Internet Access to users that
are members of a particular Windows security/domain group.
Microsoft Active Directory is an LDAP v3 compliant directory and
therefore can be used as a mechanism to authenticate users. Squid
supports LDAP v3 as an authentication method. You can achieve similar
results by using Samba and Winbind, however that process is much more
involved and requires the Squid server machine to become a member of
the domain.
Using the Squid LDAP authentication helpers, you can achieve Active
Directory user authentication with some simple Squid configuration.
There is no need to implement full Samba Winbind integration.
You will require Squid 2.5 or greater (with LDAP helpers). Some
information on these modules can be found here:
* http://www.die.net/doc/linux/man/man8/squid_ldap_auth.8.html
* http://www.die.net/doc/linux/man/man8/squid_ldap_group.8.html
If your Squid installation has LDAP support compiled in, you will find
two files in "/usr/lib/squid/" (or your equivalent location where Squid
is installed):
* ldap_auth (sometimes named squid_ldap_auth)
* squid_ldap_group
These helpers perform LDAP authentication and group membership checks
against an LDAP server of your choice, e.g. Active Directory on
Windows, or OpenLDAP (or another LDAP server) on Novell, Linux, Solaris,
etc.
Configuring Squid LDAP Authentication
The first step is to configure Squid to authenticate
usernames/passwords with the Active Directory. You will need to open
your Squid configuration file (squid.conf) and make the following
changes:
Find the auth_param section of the config file (TAG: auth_param) and
change the "auth_param basic program" line to look like this. The
indented lines are continuations of the first one; in squid.conf the
whole directive must be written on a single line.
auth_param basic program /usr/lib/squid/ldap_auth -R
    -b "dc=vm-domain,dc=papercut,dc=com"
    -D "cn=Administrator,cn=Users,dc=your,dc=domain,dc=com"
    -w "password" -f sAMAccountName=%s -h 192.168.1.75
auth_param basic children 5
auth_param basic realm Your Organisation Name
auth_param basic credentialsttl 5 minutes
These settings tell Squid to authenticate names/passwords against the
Active Directory.
* The -b option indicates the LDAP base distinguished name of your
domain. E.g. your.domain.com would be dc=your,dc=domain,dc=com
* The -D option indicates the user that is used to perform the LDAP
query (e.g. an administrator). This example uses the built-in
Administrator user, however you can use another user of your choice.
* The -w option is the password for the user specified in the -D
option. For better security you can store the password in a file and
use the -W /path/to/password_file syntax instead, so that the password
does not appear in squid.conf or in the process list.
* -h indicates the LDAP server to connect to, e.g. your domain
controller.
* -R tells the helper not to follow LDAP referrals; this is needed to
make Squid authenticate against Windows AD.
* The -f option is the LDAP filter used to look up the user. In the
above example, sAMAccountName=%s will match if the user's Windows
logon name matches the username entered when prompted by Squid. You
can search on any attribute in the LDAP filter. You may need to use an
LDAP search tool to help get the syntax of the -f filter correct.
* The %s is replaced with what the user enters as their username.
Remember to restart Squid for these changes to come into effect.
Configuring Group Based Internet Access
Once the user has authenticated, you can define which users have
access to network resources (i.e. the internet) using Squid access
control lists (ACLs). Squid ACLs are a complex topic and allow very
sophisticated control. This document only describes the basic
configuration required to allow Active Directory / LDAP group checking
- a requirement for PaperCut to deny/allow internet access. For
further information on ACL syntax and configuration see the Squid
documentation and FAQ.
In the Squid configuration file, find the external ACL section (TAG:
external_acl_type) and specify the following external ACL (the name
InetGroup is arbitrary; use anything appropriate). Note that this is
all on one line in squid.conf; the indented lines below are
continuations.
external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R
    -b "dc=vm-domain,dc=papercut,dc=com"
    -D "cn=Administrator,cn=Users,dc=your,dc=domain,dc=com"
    -w "password"
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=users,dc=your,dc=domain,dc=com))"
    -h 192.168.1.75
Most of this is similar to the LDAP authentication section above. The
variable %v is the username (supplied by %LOGIN) and %a is the group
given in the ACL (below). Ensure that the "memberof" filter is adjusted
to the location where your LDAP internet group is defined. E.g. if you
have an organizational unit called "your.domain.com/students", and this
contains a group called "InternetAccessGroup", then the "memberof" part
of the filter should be: memberof=cn=%a,ou=students,dc=your,dc=domain,dc=com
Then enter the values below in the ACL area (Tag: acl) of squid.conf,
modifying your internal subnet as appropriate.
acl localnet src 192.168.1.0/24
acl AuthUsers proxy_auth REQUIRED
acl InetAccess external InetGroup InternetAccessGroup
The ACL name InetAccess is arbitrary and can be changed to suit your
environment. InetGroup is the external ACL name created above. The
Active Directory group that allows internet access is
InternetAccessGroup; this is the name of the matching group in the
Active Directory.
Now that you have completed the ACLs you can reference them in the
http_access area of squid.conf, ahead of the final "http_access deny
all" rule:
http_access allow InetAccess
You will need to restart Squid for these changes to come into effect.
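The -f options above are plain string templates, so it helps to see exactly what the helpers send to the domain controller. The following is an added example, not code from the guide or from Squid: it rebuilds the authentication and group filters from the two templates in this guide with RFC 4515 escaping of the substituted values (the stock helpers perform comparable escaping) and parses the "user password" line a basic-auth helper receives from Squid. The function names ldap_filter_escape, build_auth_filter, build_group_filter and parse_basic_helper_line are my own.

```python
from urllib.parse import unquote

# Templates copied from the squid.conf lines in this guide
AUTH_TEMPLATE = "sAMAccountName=%s"
GROUP_TEMPLATE = ("(&(objectclass=person)(sAMAccountName=%v)"
                  "(memberof=cn=%a,cn=users,dc=your,dc=domain,dc=com))")


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this, a username such as '*' would turn the filter into a
    wildcard match instead of being compared literally."""
    escaped = []
    for ch in value:
        if ch in "*()\\\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_auth_filter(username, template=AUTH_TEMPLATE):
    """Filter the ldap_auth helper sends; %s is the username the browser entered."""
    return template.replace("%s", ldap_filter_escape(username))


def build_group_filter(username, group, template=GROUP_TEMPLATE):
    """Filter the squid_ldap_group helper sends; %v is the authenticated user
    (%LOGIN) and %a is the group named on the 'acl ... external' line."""
    return (template.replace("%v", ldap_filter_escape(username))
                    .replace("%a", ldap_filter_escape(group)))


def parse_basic_helper_line(line):
    """Parse one request in the squid-2.5-basic helper protocol:
    'user password' on one line, both URL-encoded (a space in the
    password arrives as %20).  Returns (user, password) or None."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return None
    return unquote(parts[0]), unquote(parts[1])
```

Run build_auth_filter on a few real logon names from your domain to check that the escaped filter still matches exactly one account before relying on it in squid.conf.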
You should then be able to try to access the Internet through Squid,
and should be prompted for your Windows username and password. Only
authenticated users who also belong to the "InternetAccessGroup" will
be allowed access to the internet. Test this by manually adding and
removing users from the group using the Active Directory user
management tools. The users should be granted or denied access
depending on their AD group membership.
NOTE: If you need to deny Internet access to members of another
Windows security group, you can set up an "InternetDenyGroup" the same
way as above and then define an InetDeny ACL. You can then specify an
http_access deny rule as follows:
http_access deny InetDeny
Acknowledgments
Thanks to Ryan Brinch (Network Administrator, Linwood College, New
Zealand) for his assistance helping PaperCut Software write this
guide. Ryan would also like to thank Stephen Fergusson, for helping in
the reviewing and checking this document.
If you'd like to know more about our print management and print
accounting program please visit our home page.
On 4/16/09, katy <[email protected]> wrote:
> Greetings:
>
> Does anyone know how one could get squid to authenticate with the
> same W. domain users? I was reading some documentation I was given and
> it says it may be possible but says nothing more; it is a document
> from 1999 and I have no internet access or anyone to turn to in order
> to obtain documentation on this. If anyone knows anything about this
> it would be a great help to me.
>
> Many thanks.
>
>
> _______________________________________________
> Unsubscribe
> https://listas.softwarelibre.cu/mailman/listinfo/linux-l
> Search the archive
> http://listas.softwarelibre.cu/buscar/linux-l
>
--
----
Mauricio López
Linux User: 373384
" ...I have brought you something
a bright glow in the firmament
My heart burns"