Re: [squid-users] Squid Automatic Proxy Authentication via LDAP

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 26 Oct 2007 13:27:51 -0800

Anthony McGovern wrote:
> Hey All,
>
> I'm relatively new to Linux and squid. I've only really been using
> both for about 2 and a half months now. Apologies as I'm sure this has
> probably been asked before.
>
> I have an ubuntu server (6.06) with apache 2.2.6 compiled, and running
> on the box. I also have squid 2.6, compiled and running fine. A few days
> ago, thanks to browsing many many forums, I've also figured out how to get
> my squid proxy server to authenticate via LDAP so when a user opens a
> web browser they have to type their LDAP logon details to use the
> Internet.
>

Good so far...

> I've been asked by the powers that be, can we now make the proxy server
> "invisible"? What we want is when a user opens a web browser it will
> still use their LDAP logon details to authenticate but with no user
> intervention at all.
>

Oof. The only widespread browser-supported automatic proxy
authentication method is NTLM. And for that you need a Windows domain.

> I.e. from the users' perspective they open a web browser and they can
> browse the web, but in the background when they open the browser the
> squid proxy server automatically authenticates them against their LDAP
> details. The reason for this is I work in a college so we want to make
> the proxy server as seamless and "invisible" as possible to all staff
> and students. If they don't know the proxy server is there they won't try
> to bypass it.
>

Perhaps your best bet is to use the session helper (try "man
squid_session" on your proxy, or see
http://linuxreviews.org/man/squid_session/) to redirect users to a log
in page where you can display your acceptable use policy (which
potentially includes penalties for bypassing the proxy). That way, it
will be less obvious that a proxy is used, but you get authentication
details in the log files.

> I've asked the "Internet guru" (google) to find me an answer and the
> closest thing I've come up with was a website using perl scripts
> to authenticate against LDAP, but I'm sure the perl script was written for
> novell. This is the website:
>
> http://www.novell.com/coolsolutions/feature/17777.html
>

Well, that seems to rely on the fact that an IP address is associated
with a login for some period of time. This is by no means a Novell
specific trick. It should be possible to parse the LDAP log to find out
what IP a given user has authenticated from (for some other application)
and then populate a text file or database table with that information.

> But I haven't really come up with much so far. I've also had a look on
> the FAQ list and the mailing list archive for similar questions
> regarding this but I couldn't find anything about it.
>
> I'd be really really grateful for any help
> Thanks a mill
> Anthony
>

Chris
Received on Fri Oct 26 2007 - 15:27:59 MDT
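The log-parsing idea in the reply above, worked as an added example that is not part of the original thread or of squid: it assumes an OpenLDAP slapd-style log (conn=/op= lines, constructed sample lines below, fixed year), links ACCEPT, BIND and RESULT lines to record which user last bound from which client IP, and keeps an expiry so a stale or shared address is not trusted forever.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in OpenLDAP slapd "stats" log style (assumption: adjust
# the patterns if your directory server logs differently).
SAMPLE_LOG = """\
Oct 26 13:01:02 ldap1 slapd[2231]: conn=1001 fd=12 ACCEPT from IP=10.20.30.40:51000 (IP=0.0.0.0:389)
Oct 26 13:01:02 ldap1 slapd[2231]: conn=1001 op=0 BIND dn="uid=asmith,ou=people,dc=college,dc=example" method=128
Oct 26 13:01:02 ldap1 slapd[2231]: conn=1001 op=0 RESULT tag=97 err=0 text=
Oct 26 13:02:10 ldap1 slapd[2231]: conn=1002 fd=13 ACCEPT from IP=10.20.30.41:51010 (IP=0.0.0.0:389)
Oct 26 13:02:10 ldap1 slapd[2231]: conn=1002 op=0 BIND dn="uid=bjones,ou=people,dc=college,dc=example" method=128
Oct 26 13:02:10 ldap1 slapd[2231]: conn=1002 op=0 RESULT tag=97 err=49 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="uid=([^,"]+),')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

def build_ip_map(log_text, year=2007):
    """Map client IP -> (uid, bind time) for successful (err=0) user binds.
    slapd spreads one bind over ACCEPT, BIND and RESULT lines linked by
    conn= and op=, so state is carried across lines."""
    conn_ip, pending, ip_map = {}, {}, {}
    for line in log_text.splitlines():
        if len(line) < 15:  # syslog timestamp prefix is 15 chars
            continue
        when = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
        if m := ACCEPT_RE.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT_RE.search(line):
            uid = pending.pop((m.group(1), m.group(2)), None)
            # tag=97 is a bind result; only err=0 proves the password was right.
            if uid and m.group(3) == "0" and m.group(1) in conn_ip:
                ip_map[conn_ip[m.group(1)]] = (uid, when)
    return ip_map

def lookup(ip_map, ip, now, ttl=timedelta(minutes=30)):
    """uid last seen binding from ip, or None if unknown or older than ttl;
    the TTL bounds how long a NAT'd or shared address is trusted."""
    entry = ip_map.get(ip)
    if entry is None or now - entry[1] > ttl:
        return None
    return entry[0]

def squid_table(ip_map):
    """'ip uid' lines, the shape a small external_acl helper can load."""
    return "\n".join(f"{ip} {uid}" for ip, (uid, _) in sorted(ip_map.items()))
```

The failed bind (err=49) for the second address is deliberately left out of the table, so only a real password success ever turns an address into a username.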