[squid-users] SQUID with two authentications methods

Colle Christophe christophe.colle at ac-nancy-metz.fr
Tue Jan 16 17:23:25 UTC 2018


Hello,

I want to configure SQUID with two authentication methods:

- Kerberos (to do SSO with posts in an ActiveDirectory domain)
- Basic (Open LDAP directory)

The LDAP directory contains all the "official" accounts of people, the AD directory contains some accounts (same identifiers as on LDAP) and generic accounts.

Everything works fine, but I would like to add an extra check: The Kerberos account must also exist in the LDAP directory in order to not allow use of generic accounts.

I managed to do that with Squid but I get this behavior:

- Account present in AD + LDAP: OK
- Account present in AD but not in LDAP: KO

Is it possible to force LDAP authentication if "check_ldap" fails?


My config:


# KERBEROS
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param negotiate children 50 startup=5 idle=1
auth_param negotiate keep_alive on

# LDAP
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b "ou=official" -f "(uid=%s)" ldap.contonso.lan:389
auth_param basic children 50 startup=5 idle=1
auth_param basic credentialsttl 1 hours

# Extra check
external_acl_type check_ldap ipv4 ttl=3600 children-max=50 %LOGIN /etc/squid/check_ldap_aca.sh

acl authenticated proxy_auth REQUIRED
acl check_ldap external check_ldap

http_access allow http port_80 check_ldap
http_access allow https port_443 check_ldap
http_access allow ftp port_21 check_ldap

http_access deny !authenticated

http_access deny all



My check_ldap_aca.sh:



#!/bin/bash
# Squid external ACL helper: one %LOGIN value per line on stdin,
# one "OK ..." or "ERR ..." reply per line on stdout.

while read -r user
do
 # strip the Kerberos realm: user@REALM -> user
 identifiant=${user%%@*}

 # -x selects a simple bind (required when authenticating with -D/-w);
 # the filter must carry the real username, not a literal "%s";
 # the base DN must not contain stray spaces.
 # '*****' is the bind password as redacted by the poster (quoted so the shell does not glob it).
 result=$(ldapsearch -x -LLL -h ldap.contonso.lan -p 389 -D "uid=usr-proxy" -w '*****' -b "ou=official" "(uid=$identifiant)" uid)
 if [ -n "$result" ]
 then
  echo "OK user=$identifiant"
 else
  echo "ERR user=$identifiant"
 fi
done



Thanks!

--
Chris
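The helper above embeds the Kerberos login straight into an LDAP filter. The following is an added example, not the poster's script and not code shipped with Squid: a Python helper with the same purpose (answer OK only when the user part of user@REALM exists as a uid in the directory) that escapes the login per RFC 4515 before it reaches the filter, refuses the "-" Squid sends when no login is known, and echoes the channel id if concurrency= is ever added to external_acl_type. The LDAP query is a pluggable callable; sample_lookup and the SAMPLE_UIDS directory behind it are constructed stand-ins for ldapsearch against ou=official, and the user names in them are invented.

```python
#!/usr/bin/env python3
"""Added example (not the list poster's script): Squid external ACL helper that
replies OK only when the user part of a Kerberos login exists as a uid in LDAP.
The directory lookup is a pluggable callable so the logic runs offline here;
SAMPLE_UIDS below is a constructed stand-in for ou=official."""
import sys
from typing import Callable, Set

# RFC 4515: these characters are special inside a filter assertion value and
# must be hex-escaped; otherwise a login such as "*" or "x)(uid=admin" would
# change the meaning of the query instead of being looked up literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def strip_realm(login: str) -> str:
    """'jdoe@EXAMPLE.LAN' -> 'jdoe'; a login without '@' is returned unchanged."""
    return login.split("@", 1)[0]


def build_filter(user: str) -> str:
    return f"(uid={ldap_filter_escape(user)})"


def decide(login: str, lookup: Callable[[str], bool]) -> str:
    """Return the helper reply for one %LOGIN value (Squid 3.4+ protocol)."""
    user = strip_realm(login)
    # Squid sends "-" when there is no login; refuse that and anything containing whitespace.
    if not user or user == "-" or any(ch.isspace() for ch in user):
        return "ERR"
    return f"OK user={user}" if lookup(build_filter(user)) else f"ERR user={user}"


def handle_line(line: str, lookup: Callable[[str], bool], concurrent: bool = False) -> str:
    """Parse one request line. With concurrency= on the external_acl_type line
    the first field is a channel id that must be echoed in front of the reply."""
    fields = line.rstrip("\r\n").split(" ")
    if concurrent:
        channel, fields = fields[0], fields[1:]
        return f"{channel} {decide(fields[0] if fields else '', lookup)}"
    return decide(fields[0], lookup)


# ---- constructed stand-in for ldapsearch against ou=official -----------------
SAMPLE_UIDS: Set[str] = {"jdoe", "asmith"}  # invented entries


def _unescape(value: str) -> str:
    """Undo RFC 4515 hex escapes, as a directory server would before matching."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def sample_lookup(ldap_filter: str) -> bool:
    """Exact-match search over SAMPLE_UIDS; because the helper escaped the value,
    a wildcard in the login matches nothing instead of every entry."""
    if not (ldap_filter.startswith("(uid=") and ldap_filter.endswith(")")):
        return False
    return _unescape(ldap_filter[5:-1]) in SAMPLE_UIDS


def main() -> None:
    # In a deployment, replace sample_lookup with a real query that binds with a
    # service account whose password is read from a root-only file, not the script.
    while True:
        line = sys.stdin.readline()
        if not line:
            break
        print(handle_line(line, sample_lookup), flush=True)


if __name__ == "__main__":
    main()
```

The realm is discarded before the lookup, so if more than one Kerberos realm can reach the proxy the helper should also compare the realm against an allow-list; the directory query itself is the only part that needs swapping to use it with ldapsearch or a Python LDAP client.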