Squid with LDAP Authentication

A simple guide to installing OpenLDAP and Squid

In this article I will take you through a simple but working configuration of OpenLDAP, phpLDAPadmin and the Squid proxy. The beauty of this guide is that it uses only software packages from the Ubuntu repositories and keeps almost all of the default configuration. This is not the only way of doing it, and it is not the most secure way: the proxy uses HTTP Basic authentication, so user names and passwords travel base64-encoded (effectively in clear text) between the browser and the proxy, and the Squid helper talks to the directory over plain ldap:// rather than TLS. Treat it as a configuration for a trusted internal network, which is where it is generally used inside an organization.

System Environment

  1. Ubuntu Server 12.04.3 LTS 64 bit, fully patched
  2. hostname – gateway
  3. user id: test
  4. password: test123
  5. machine ip: 192.168.1.5
  6. Router ip: 192.168.1.1
  7. Default DNS: 8.8.8.8
  8. LDAP domain: ubuntu.in

Pre-requisites

  1. Ubuntu 12.04.3 LTS, fully patched
  2. sshd is installed and is working
  3. IP address is static and set to 192.168.1.5 / 255.255.255.0

Base installs

  1. sudo apt-get install apache2 php5 slapd ldap-utils php5-ldap squid3 phpldapadmin (use the squid3 package, which is Squid 3.1 and matches the /etc/squid3 paths used below; the plain squid package on 12.04 is the older Squid 2.7, and installing both leaves two daemons competing for port 3128)
  2. Enter the LDAP admin password when prompted (we will reconfigure slapd again below so that it works with phpldapadmin)
  3. LDAP Server & phpldapadmin configuration
    1. sudo nano /etc/ldap/ldap.conf
      1. BASE dc=ubuntu,dc=in
      2. URI ldap://192.168.1.5
      3. ^O
      4. ^X
    2. sudo dpkg-reconfigure slapd
      1. DNS domain name: ubuntu.in
      2. Organization: Ubuntu India
      3. admin password: test123 and reconfirm
      4. keep all other options offered as default
    3. sudo nano /etc/phpldapadmin/config.php and make the following changes in the "Define your LDAP Servers in this section" block (it is well down in the file, so you need to scroll a long way)
      1. $servers->setValue('server','name','Ubuntu LDAP Server');
      2. $servers->setValue('server','base',array('dc=ubuntu,dc=in'));
      3. $servers->setValue('login','bind_id','cn=admin,dc=ubuntu,dc=in');
      4. $servers->setValue('login','bind_pass','test123');
      5. ^O
      6. ^X
      Note that bind_pass puts the directory administrator's password in clear text in config.php, so keep that file readable only by root and the web server user, and do not reuse this password anywhere else.
    4. Restart all the services
      1. sudo service slapd restart
      2. sudo service apache2 restart
    5. Open the browser and
      1. type : http://192.168.1.5/phpldapadmin
      2. Click on login
      3. Enter the password: test123
    6. Done with installing LDAP Server and phpldapadmin
  4. Populating the LDAP server with objects
    1. Open the browser and go to http://192.168.1.5/phpldapadmin
    2. Click on "Create an entry here" and create
      1. an Organisational Unit named "groups"
      2. an Organisational Unit named "people"
    3. Under groups click on "Create an entry here" and select "Posix Group"
      1. Create as many POSIX groups as you need, such as it, sales, marketing, finance and travel
      2. Under each POSIX group, create the "Generic User Account" entries for its members. The Squid helper configured below looks users up by the uid attribute (-f "uid=%s"), so the value you enter in the template's User ID field is the login name the proxy will ask for, not the common name.
  5. Squid Server & configuration
    1. sudo apt-get install squid3
    2. sudo nano /etc/squid3/squid.conf
      1. Uncomment this line: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
      2. Add the following three lines. The auth_param line must appear before the acl line that uses it (put it near the top of the file, above the acl block). The http_access line must sit above the stock "http_access allow localnet" rule and below the stock "http_access deny !Safe_ports" and "http_access deny CONNECT !SSL_ports" rules: Squid evaluates http_access rules top down and stops at the first match, so an earlier "allow localnet" lets LAN clients through without ever asking for a password, and an "allow ldapauth" placed above the port denies lets a logged-in user reach those ports.
        1. auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=in" -f "uid=%s" -h 192.168.1.5
        2. acl ldapauth proxy_auth REQUIRED
        3. http_access allow ldapauth
        4. ^O
        5. ^X
      3. Type the double quotes in the auth_param line as plain ASCII quotes; curly quotes pasted from a web page make the helper fail. On Ubuntu 14.04 the helper is called /usr/lib/squid3/basic_ldap_auth instead.
    3. sudo service squid3 restart
  6. Configuring the browser to use the proxy
    1. On Ubuntu, search for "network" in the Dash and click on Proxy
    2. Enter 192.168.1.5 as the proxy and 3128 as the port, then click "Apply system wide"
    3. Fire up the browser: as soon as you open an internet website, it should prompt for a user ID and password
    4. Enter the uid and password of the LDAP user you created
    5. You should now be able to access the internet through the proxy with LDAP authentication
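The steps above populate the directory by clicking through phpldapadmin and then test the whole chain through a browser. The script below is an added example and is not part of the original post: it creates the same objects with ldapadd/ldappasswd and feeds a single login to the Squid helper directly, so the directory side can be verified before any browser is configured. The group "it", the user "jdoe", the uid/gid numbers and the function names are my own placeholders; the base DN, admin DN, server IP and helper path are the article's.

```shell
#!/bin/sh
# Added example; not code from the original post. Does from the shell what
# section 4 does in phpldapadmin, and exercises the Squid helper the way
# Squid itself does.
#
# Assumptions (mine, not the article's): group "it", user "jdoe" and the
# uid/gid numbers are placeholders. BASE_DN, ADMIN_DN, LDAP_HOST and HELPER
# are the article's values (HELPER is basic_ldap_auth on Ubuntu 14.04).
BASE_DN='dc=ubuntu,dc=in'
ADMIN_DN="cn=admin,$BASE_DN"
LDAP_HOST='192.168.1.5'
HELPER='/usr/lib/squid3/squid_ldap_auth'

# make_ldif GROUP GID USER UIDNUMBER "FULL NAME" SURNAME
# Prints the entries the article creates by hand: ou=groups, ou=people, one
# posixGroup and one inetOrgPerson/posixAccount. No userPassword is written:
# the password is set afterwards with ldappasswd, so slapd stores it with its
# own configured hash ({SSHA} by default) instead of whatever a hand-written
# LDIF happened to contain. The helper searches on uid=%s, so "uid" is the
# login name the proxy will ask for.
make_ldif() {
    group=$1 gid=$2 user=$3 uidn=$4 fullname=$5 surname=$6
    cat <<EOF
dn: ou=groups,$BASE_DN
objectClass: organizationalUnit
ou: groups

dn: ou=people,$BASE_DN
objectClass: organizationalUnit
ou: people

dn: cn=$group,ou=groups,$BASE_DN
objectClass: posixGroup
cn: $group
gidNumber: $gid
memberUid: $user

dn: uid=$user,ou=people,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $user
cn: $fullname
sn: $surname
uidNumber: $uidn
gidNumber: $gid
homeDirectory: /home/$user
loginShell: /bin/false
EOF
}

# load_directory: add the entries, then set the user's password. -W prompts
# for the admin password instead of taking it on the command line, where ps
# and shell history would expose it. Needs ldap-utils and a running slapd.
load_directory() {
    make_ldif it 10000 jdoe 10001 'John Doe' Doe |
        ldapadd -x -H "ldap://$LDAP_HOST" -D "$ADMIN_DN" -W
    ldappasswd -x -H "ldap://$LDAP_HOST" -D "$ADMIN_DN" -W -S \
        "uid=jdoe,ou=people,$BASE_DN"
}

# check_helper USER PASSWORD: feed one "user password" line to the helper on
# stdin, exactly as Squid does, and print its one-line verdict (OK or ERR).
# Feeding it an empty line instead is what produces "ERR Missing username".
check_helper() {
    printf '%s %s\n' "$1" "$2" |
        "$HELPER" -b "$BASE_DN" -f 'uid=%s' -h "$LDAP_HOST" -v 3 2>/dev/null |
        head -n 1
}

# Usage:  sh ldap-squid-setup.sh ldif              # print the LDIF only
#         sh ldap-squid-setup.sh load              # populate the directory
#         sh ldap-squid-setup.sh check jdoe s3cret # expect: OK
case ${1:-} in
    ldif)  make_ldif it 10000 jdoe 10001 'John Doe' Doe ;;
    load)  load_directory ;;
    check) check_helper "$2" "$3" ;;
esac
```

An OK from check_helper proves the base DN, the search filter and the user's password without Squid or a browser in the loop; an ERR there means the problem is in the directory or the helper arguments, not in squid.conf.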

Don't forget to click on 'Like' if this works for you. Leave a comment and I will respond.

Good Luck


17 thoughts on “Squid with LDAP Authentication”

    • Hi Ramdan

      Are you using Ubuntu 12.04 or Ubuntu 14.04? Also, if you can share the following files, I may be able to help:
      – /etc/phpldapadmin/config.php
      – the squid config file

      Have you installed php5-ldap (sudo apt-get install php5 php5-ldap)? This is important; without this, LDAP auth will not happen.

      If you are using Ubuntu 14.04, then there will be a minor change in the squid config file.

      • Thanks for the reply. I'm using Ubuntu 12.04 and php5-ldap is installed on my Ubuntu.
        This is my squid.conf:

        auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=in" -f "uid=%s" -h 192.168.43.221
        acl ldapauth proxy_auth REQUIRED
        http_access allow ldapauth

        acl manager proto cache_object
        acl localhost src 127.0.0.1/32 ::1
        acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

        acl localnet src 192.168.43.0/24

        acl SSL_ports port 443
        acl Safe_ports port 80 # http
        acl Safe_ports port 21 # ftp
        acl Safe_ports port 443 # https
        acl Safe_ports port 70 # gopher
        acl Safe_ports port 210 # wais
        acl Safe_ports port 1025-65535 # unregistered ports
        acl Safe_ports port 280 # http-mgmt
        acl Safe_ports port 488 # gss-http
        acl Safe_ports port 591 # filemaker
        acl Safe_ports port 777 # multiling http
        acl CONNECT method CONNECT

        http_access allow manager localhost
        http_access deny manager
        http_access deny !Safe_ports
        http_access deny CONNECT !SSL_ports
        http_access allow localhost
        http_access allow localnet
        http_access deny all
        http_port 3128

        coredump_dir /var/spool/squid3
        refresh_pattern ^ftp: 1440 20% 10080
        refresh_pattern ^gopher: 1440 0% 1440
        refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
        refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
        refresh_pattern . 0 20% 4320

        ——————————-
        and for the file /etc/phpldapadmin/config.php I only changed the following code, as in this article:

        $servers->setValue('server','name','Ubuntu LDAP Server');
        $servers->setValue('server','base',array('dc=ubuntu,dc=in'));
        $servers->setValue('login','bind_id','cn=admin,dc=ubuntu,dc=in');
        $servers->setValue('login','bind_pass','test123');

      • Hey, the problem was solved, thanks for your response. I was wrong in typing the double quotes ("") in the following code:
        /usr/lib/squid3/squid_ldap_auth -b "dc=ubuntu,dc=in" -f "uid=%s" -h 192.168.43.221

  1. Hi, I have tried this and it didn't work; the configuration is fine and everything, but it doesn't work. The squid configuration is the same as yours. I have Ubuntu version 14.04.1. Since it is squid3 it will use basic_ldap_auth, but that doesn't work either. Any help please?

  2. This is for Ubuntu 14.04. This is pulled out from a working OpenLDAP and Squid server running on two different Ubuntu 14.04 64-bit servers. The IP address mentioned below (10.19.125.5) is the OpenLDAP server's IP address. Below are the squid.conf file contents. You can make a copy of the default squid.conf file and then copy the content below in as squid.conf.

    # LDAP Authentication
    auth_param basic program /usr/lib/squid3/basic_ldap_auth -b dc=droneindia,dc=in -f "uid=%s" 10.19.125.5
    auth_param basic children 5 startup=5 idle=1
    auth_param basic realm Drone India Web Caching Server
    auth_param basic credentialsttl 1 minute

    # ACL Rules
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    acl ldapauth proxy_auth REQUIRED

    # Rules for http access
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager

    # Enable only when proxy is working fine with ldap auth. It is a security feature. You may not need it.
    #http_access deny to_localhost

    #Allowing LDAP Auth
    http_access allow ldapauth
    #http_access allow localnet – This may or may not be required at your end. Enable only if you need it
    http_access allow localhost
    http_access deny all

    #port for accessing proxy
    http_port 8080

    # DISK CACHE OPTIONS – I have changed the default 100 MB cache to 1 GB cache
    cache_dir ufs /var/spool/squid3 1000 16 256

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
    refresh_pattern . 0 20% 4320
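    The order of the http_access lines in the configuration above is what makes authentication actually happen. The script below is an added example, not code from the original post or from the Squid project: a small shell/awk lint for the two orderings that matter, with three constructed squid.conf excerpts (my own, not from any real host) to run it against. The function names check_squid_order and sample_config are mine; the acl name ldapauth, the helper path and the base DN are the article's.

```shell
#!/bin/sh
# Added example, not from the original post or from Squid. Squid works
# through http_access lines top to bottom and stops at the first match, so
# two mistakes are easy to make with the three lines the article adds:
#   1. "allow localnet" above "allow ldapauth": LAN clients match the first
#      rule and are never asked for credentials;
#   2. "allow ldapauth" above "deny !Safe_ports": a logged-in user goes
#      straight through to ports the stock rules meant to block.
# check_squid_order [FILE] reads squid.conf (or stdin), prints its findings
# and returns 0 when the order is sound, 1 otherwise. Comment and blank
# lines are skipped; a trailing "# ..." on a rule does not affect fields 1-3.
check_squid_order() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 != "http_access"  { next }
        { n++ }
        $2 == "allow" && $3 == "ldapauth"    && !auth { auth = n }
        $2 == "allow" && $3 == "localnet"    && !lan  { lan  = n }
        $2 == "deny"  && $3 == "!Safe_ports" && !safe { safe = n }
        END {
            rc = 0
            if (!auth) {
                print "no http_access allow ldapauth rule: nothing triggers authentication"; rc = 1
            }
            if (lan && auth && lan < auth) {
                print "allow localnet precedes allow ldapauth: LAN clients bypass authentication"; rc = 1
            }
            if (!safe) {
                print "no deny !Safe_ports rule"; rc = 1
            } else if (auth && auth < safe) {
                print "allow ldapauth precedes deny !Safe_ports: authenticated users reach unsafe ports"; rc = 1
            }
            if (rc == 0) print "ok"
            exit rc
        }' ${1:+"$1"}
}

# sample_config appended|prepended|fixed: constructed excerpts (not from any
# real host). "appended" pastes the article's rule at the bottom of the stock
# file, "prepended" pastes it at the top, "fixed" is the order used in the
# Ubuntu 14.04 configuration above.
sample_config() {
    cat <<'EOF'
auth_param basic program /usr/lib/squid3/basic_ldap_auth -b dc=ubuntu,dc=in -f uid=%s -h 192.168.1.5
acl ldapauth proxy_auth REQUIRED
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl Safe_ports port 80
acl SSL_ports port 443
acl CONNECT method CONNECT
EOF
    case $1 in
    appended) cat <<'EOF'
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_access allow ldapauth
EOF
    ;;
    prepended) cat <<'EOF'
http_access allow ldapauth
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
EOF
    ;;
    fixed) cat <<'EOF'
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow ldapauth
http_access allow localhost
http_access deny all
EOF
    ;;
    esac
}

# Stand-alone run: lint a real file if one is given, else the three samples.
if [ -n "${1:-}" ]; then
    check_squid_order "$1"
else
    for v in appended prepended fixed; do
        echo "== $v"; sample_config "$v" | check_squid_order || :
    done
fi
```

    Run it as sh squid-order-check.sh /etc/squid3/squid.conf before restarting Squid. It only reasons about these three rules; it does not replace reading the rest of the file.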

  3. I have followed all the steps, but when I test the squid helper using /usr/lib/squid3/basic_ldap_auth -b dc=ldap,dc=com -f "uid=%s" -h 127.0.0.1 -d -v 3, the output is ERR Missing username.

  4. This is my LDAP file:

    dn: dc=ldap,dc=com
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: ldap.com
    dc: ldap
    structuralObjectClass: organization
    entryUUID: 564d21a8-a779-1035-817c-e57c2c26982c
    creatorsName: cn=admin,dc=ldap,dc=com
    createTimestamp: 20160506015522Z
    entryCSN: 20160506015522.144141Z#000000#000#000000
    modifiersName: cn=admin,dc=ldap,dc=com
    modifyTimestamp: 20160506015522Z

    dn: cn=admin,dc=ldap,dc=com
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    userPassword:: e1NTSEF9b3hkWFdPeFhrdGpzS1NXcld3VThLWVRBNlRrQ2hSSlc=
    structuralObjectClass: organizationalRole
    entryUUID: 564eddcc-a779-1035-817d-e57c2c26982c
    creatorsName: cn=admin,dc=ldap,dc=com
    createTimestamp: 20160506015522Z
    entryCSN: 20160506015522.155512Z#000000#000#000000
    modifiersName: cn=admin,dc=ldap,dc=com
    modifyTimestamp: 20160506015522Z

    dn: cn=people,ou=people,dc=ldap,dc=com
    gidNumber: 500
    cn: people
    objectClass: posixGroup
    objectClass: top
    structuralObjectClass: posixGroup
    entryUUID: 7817a606-a9da-1035-913d-65da28e871e8
    creatorsName: cn=admin,dc=ldap,dc=com
    createTimestamp: 20160509023542Z
    entryCSN: 20160509023542.344500Z#000000#000#000000
    modifiersName: cn=admin,dc=ldap,dc=com
    modifyTimestamp: 20160509023542Z

    dn: cn=adit tanov,cn=people,ou=people,dc=ldap,dc=com
    cn: adit tanov
    givenName: adit
    gidNumber: 500
    homeDirectory: /home/users/atanov
    sn: tanov
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
    uidNumber: 1000
    uid: atanov
    structuralObjectClass: inetOrgPerson
    entryUUID: ce3f6500-a9da-1035-913e-65da28e871e8
    creatorsName: cn=admin,dc=ldap,dc=com
    createTimestamp: 20160509023806Z
    entryCSN: 20160509023806.889046Z#000000#000#000000
    modifiersName: cn=admin,dc=ldap,dc=com
    modifyTimestamp: 20160509023806Z
