DaZZa,
I use squid and squidGuard for proxy/blocking. I run samba back-end into
LDAP, and use my LDAP server as authentication for PROXY use.
For LDAP authentication I used the following. I expect that you could do
the same for AD integration.
In my squid.conf
=-=-
## Added for LDAP authentication to userpassword
auth_param basic program /usr/share/squid/bin/proxyauth.pl
auth_param basic realm Squid proxy-caching web server
=-=-
The Perl script is as follows; you will need to add the full DN for AD:
=-=-=
#!/usr/bin/perl
#
# Simple perl script to verify userID and pass
# Squid basic auth helper: reads "userID password" lines on stdin and
# answers "OK" or "ERR" for each one by binding to LDAP as that user.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value);
#use Net::LDAP::LDIF;
#use Net::LDAP::Entry;

my $server = "localhost";
my $basedn = "ou=People,dc=myorg,dc=org";   # replace with the full DN for AD

$| = 1;   # unbuffered output: Squid waits for each reply line before sending the next request

while ( my $input = <STDIN> ) {
    chomp($input);
    # limit to 2 fields so a password containing a space is not truncated
    my ($uid, $pass) = split / /, $input, 2;

    # Never send an empty password to the server: a simple bind with a DN and
    # no password is an anonymous bind, which many LDAP servers accept as success.
    if ( !defined $uid || !defined $pass || $pass eq '' ) {
        print "ERR\n";
        next;
    }

    # Escape the user-supplied name so it cannot change the structure of the DN.
    my $binddn = "uid=" . escape_dn_value($uid) . "," . $basedn;

    my $ldap = Net::LDAP->new($server);
    if ( !$ldap ) {
        print "ERR\n";   # directory unreachable: fail closed instead of killing the helper
        next;
    }
    my $mesg = $ldap->bind( $binddn, password => $pass );
    if ( $mesg->code ) {
        print "ERR\n";
    } else {
        print "OK\n";
    }
    $ldap->unbind;
}
=-=-=-
Squid was compiled with:
=-=-
debian:~# squid -v
Squid Cache: Version 2.5.STABLE4
configure options: --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin
--sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc
--localstatedir=/var/spool/squid --datadir=/usr/share/squid
--enable-async-io --with-pthreads --enable-storeio=ufs,aufs,diskd,null
--enable-linux-netfilter --enable-arp-acl
--enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools
--enable-htcp --enable-poll --enable-cache-digests --enable-underscores
--enable-referer-log --enable-useragent-log
--enable-auth=basic,digest,ntlm i386-debian-linux
=-=-
Hope that this helps!
--
Dave Peters
Network Engineer
http://www.mysat.ca - High Speed Internet Anywhere
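The same helper protocol, written as an added Python example (this is not Dave's script and not Squid's bundled squid_ldap_auth helper): it parses the "user password" request lines Squid sends, percent-decodes the two fields as Squid's own LDAP helper does, escapes the user name before it is placed in a DN, and refuses an empty password, since a simple bind with a DN and no password is an anonymous bind that many directories accept. The LDAP bind is passed in as a callable so the logic can be exercised offline; the base DN and the directory contents below are constructed assumptions, not values from the thread.

```python
"""Squid basic-auth helper logic with the checks a defender wants.

Added example, not from the original post. The LDAP bind is injected as a
callable; `fake_bind` and FAKE_DIRECTORY are constructed stand-ins for a real
directory so the helper can run and be tested offline.
"""
import sys
from urllib.parse import unquote

# Assumption: replace with the real tree (the full DN for AD).
BASE_DN = "ou=People,dc=example,dc=org"

# RFC 4514 characters that must be escaped anywhere inside a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied string so it cannot alter the DN structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs = ch in _DN_SPECIALS
        needs = needs or (i == 0 and ch in " #")      # leading space or '#'
        needs = needs or (i == last and ch == " ")   # trailing space
        if ch == "\x00":
            out.append("\\00")
        elif needs:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def parse_request(line: str):
    """Split one helper request line into (user, password).

    Squid sends "user password", percent-encoding both fields so that spaces
    and non-ASCII survive; decode after splitting. Returns None if malformed.
    """
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return None
    return unquote(parts[0]), unquote(parts[1])


def authenticate(user: str, password: str, bind) -> str:
    """Return "OK" or "ERR"; `bind(dn, password)` returns True on success."""
    if not user or not password:
        # Fail closed: an empty password would turn the bind into an anonymous
        # bind, which most LDAP servers report as success.
        return "ERR"
    dn = f"uid={escape_dn_value(user)},{BASE_DN}"
    try:
        return "OK" if bind(dn, password) else "ERR"
    except Exception:
        return "ERR"   # directory unreachable: deny rather than crash the helper


# Constructed directory for the offline demonstration: DN -> password.
FAKE_DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=org": "s3cret pass",
}


def fake_bind(dn: str, password: str) -> bool:
    """Stand-in for a real LDAP simple bind against the constructed directory."""
    return FAKE_DIRECTORY.get(dn) == password


def handle_line(line: str, bind=fake_bind) -> str:
    """Full request-to-reply path for one helper line."""
    req = parse_request(line)
    if req is None:
        return "ERR"
    return authenticate(req[0], req[1], bind)


def main():
    # Squid waits for each answer before sending the next request, so flush.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To use it against a real directory, replace `fake_bind` with a function that performs a simple bind with the given DN and password and returns whether the server accepted it; everything above that line (parsing, escaping, the empty-password refusal) stays the same.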
On Wed, Mar 24, 2004 at 12:24:13PM +1100, DaZZa wrote:
> On Wed, 24 Mar 2004, James Gray wrote:
>
> > > I know I'm asking a lot - Surf Control is a nice piece of software, except
> > > for the fact that it doesn't bloody work properly! I want the features,
> > > I'd just like to do something similar on an open source platform.
> >
> > You could use Squid (http://www1.au.squid-cache.org/) but it's a
> > regular web proxy not a "search and destroy" agent. Still, if you block
> > ports 80/443 outgoing at the perimeter unless they originate from the
> > proxy you have an effective means of FORCING everyone to use the proxy.
> > This is what we do and it works well.
>
> That's what we do, except we use ISA.
>
> > Also, we use Squid's "delay pools" which throttle certain types of
> > content over a certain size etc. For example, if a user wants a
> > Shockwave Flash file that's 2MB, they get the first 100KB at full speed,
> > then it trickles through at 15kbps (<1/2 dial-up speed - heheh).
> > Discourages users from saturating our 4Mbps connection downloading game
> > demos and porn.
> >
> > Another bonus is it authenticates back to our Win2K Active Directory so
> > we can link users<->url. So when they do something that contravenes our
> > acceptable use policy, we have the records to make their lives hell (or
> > just extort $$$ from them).
>
> Squid plugs into AD??? Now *that* is what I'm talkin' about! If I can
> integrate Squid into AD and then use Squidguard {as suggested by
> others}...
>
> Got any hints on where to go to find docs for getting Squid to talk to AD?
>
> > I know it's not what you asked for specifically, but it's a VERY
> > powerful piece of software.
>
> I don't care what software I use, as long as it does what I want it to do.
>
> Although, if Squid talks to AD, I'm damn well going to look into it!
>
> DaZZa
>
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html