Configure squid for LDAP authentication using squid_ldap_auth helper

Step # 1: Make sure squid can talk to LDAP server

Before configuring Squid, make sure that the helper works with LDAP auth. Type the following command:

# /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s" ldap.nixcraft.com

Once you hit the Enter key, you need to provide the UID and password in the following format:

USERID blankspace PASSWORD

If it was able to connect to the LDAP server, you will see “ok”.

Step # 2: Configuration

Open your squid.conf file:

# vi /etc/squid/squid.conf

Next, add the following lines, which specify the base DN under which your users are located and the LDAP server name.

auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s" -h ldap.nixcraft.com

acl ldapauth proxy_auth REQUIRED

http_access allow ldapauth

http_access deny all

Save and close the file. Restart Squid for the changes to take effect.

# /etc/init.d/squid restart
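
The helper line in Step 2 contacts the LDAP server without -Z (StartTLS) or an ldaps:// URI given with -H, so each user's password travels from Squid to the directory in cleartext. The shell function below is an added example, not part of the original article: it flags such helper lines in a squid.conf, along with a bind password passed with -w rather than read from a file with -W. The bind DN, the secret file path and the three sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): flag squid_ldap_auth helper
# lines that reach the directory without TLS or expose a bind password.

# audit_ldap_helper [FILE]: reads squid.conf text from FILE or stdin and
# prints "<line number>: <FINDING>" for each problem found.
audit_ldap_helper() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        /squid_ldap_auth/ {
            tls = 0; cmdline_pw = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-Z") tls = 1                          # StartTLS
                if ($i == "-H" && $(i + 1) ~ /^ldaps:/) tls = 1  # LDAP over TLS
                if ($i == "-w") cmdline_pw = 1   # password visible in config and ps
            }
            if (!tls)       print NR ": CLEARTEXT_LDAP"
            if (cmdline_pw) print NR ": BIND_PASSWORD_ON_COMMAND_LINE"
        }
    ' "$@"
}

# Constructed sample: three variants of the helper line, one per line, for
# comparison. The bind DN, password and secret file path are hypothetical.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a complete squid.conf
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -f "uid=%s" -h ldap.nixcraft.com
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=nixcraft,dc=com" -D "cn=proxy,dc=nixcraft,dc=com" -w EXAMPLE_PASSWORD -f "uid=%s" -h ldap.nixcraft.com
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -Z -b "dc=nixcraft,dc=com" -D "cn=proxy,dc=nixcraft,dc=com" -W /etc/squid/ldap.secret -f "uid=%s" -h ldap.nixcraft.com
EOF
}

# Run the audit over the sample; on a real system pass /etc/squid/squid.conf.
sample_conf | audit_ldap_helper
```

Only the last sample line, which uses -Z and -W, produces no findings.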

Zimbra LDAP With Squid

You need to use it as follows:

/usr/lib/squid/squid_ldap_auth -v 3 -b dc=zimbra,dc=example,dc=com -f "(&(uid=%s)(objectClass=zimbraAccount))" -h zimbra.example.com

Squid authentication against Microsoft’s Active Directory

I have not used the group_ldap_auth helper against Microsoft’s Active Directory. But someone (a user) pointed out the following solution. Add the following configuration directives to squid.conf:

ldap_auth_program /usr/lib/squid/group_ldap_auth -b dc=my-domain,dc=de -h \
server.my-domain.de -p 636 -g distinguishedName -d CN=lookup,OU=Services,\
OU=Users,DC=my-domain,DC=de -w lookup -u cn -m member -o group -S -l \
/var/log/squid/ldaplog

acl ldap_backoffice ldap_auth static 'CN=BackOffice,OU=Groups,dc=my-domain,dc=de'
acl ldap_management ldap_auth static 'CN=Management,OU=Groups,dc=my-domain,dc=de'
acl ldap_it-service ldap_auth static 'CN=IT-Service,OU=Groups,dc=my-domain,dc=de'
acl ldap_development ldap_auth static 'CN=DEVELOPMENT,OU=Groups,dc=my-domain,dc=de'
http_access allow ldap_development
http_access allow ldap_backoffice
http_access allow ldap_management
http_access allow ldap_it-service
http_access deny all

Written by admin
