[squid-users] Replacing Microsoft TMG by Squid.

Rafael Akchurin rafael.akchurin at diladele.com
Mon Oct 19 17:13:02 UTC 2015 

Hello Sebastien,

Here I tried to have the step-by-step visual tutorial for Squid + Kerberos SSO with AD (using mapped user and NOT by joining Squid into AD) - but is doesn't work for non joined machines (defaulting to Negotiate/NTLM).

May be helpful as a starting point for your own research - see http://docs.diladele.com/administrator_guide_4_2/system_configuration/active_directory/index.html

Please share your findings/critical views on this.

Best regards,
Rafael Akchurin
Diladele B.V.

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Sebastien.Boulianne at cpu.ca
Sent: Monday, October 19, 2015 6:04 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Replacing Microsoft TMG by Squid.

Hi Eliezer,

As I wrote, " I am using the latest version of Squid... v3.5.10."
On Oracle Linuxm the latest version is 3.3.8 so I compiled it my Squid from SOURCE with the configure command: 
./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --disable-strict-error-checking --exec_prefix=/usr --libexecdir=/usr/lib64/squid --datadir=/usr/share/squid --sysconfdir=/etc/squid --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid --disable-dependency-tracking --enable-eui --enable-follow-x-forwarded-for --enable-auth --enable-auth-basic=DB,LDAP,NCSA,NIS,POP3,RADIUS,SASL,SMB,getpwnam --enable-auth-ntlm=smb_lm,fake --enable-auth-digest=file,LDAP,eDirectory --enable-auth-negotiate=kerberos --enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group --enable-cache-digests --enable-cachemgr-hostname=localhost --enable-delay-pools --enable-epoll --enable-icap-client --enable-ident-lookups --enable-linux-netfilter --enable-removal-policies=heap,lru --enable-snmp --enable-ssl --enable-ssl-crtd --enable-storeio=aufs,diskd,ufs --enable-wccpv2 --enable-esi --with-aio --with-default-user=squid --with-filedescriptors=16384 --with-dl --with-openssl --with-pthreads build_alias=x86_64-redhat-linux-gnu host_alias=x86_64-redhat-linux-gnu CFLAGS=-O2 && make && make install

I found this link but I don't know if this link is up to date...
http://linuxconfig.net/manual-howto/squid-and-ldap-authentication-from-active-directory.html

I checked and I already have the openldap-devel depencies installed on my OS.

Thanks for your help! ;)

Sébastien Boulianne

-----Message d'origine-----
De : squid-users [mailto:squid-users-bounces at lists.squid-cache.org] De la part de Eliezer Croitoru Envoyé : 19 octobre 2015 09:20 À : squid-users at lists.squid-cache.org Objet : Re: [squid-users] Replacing Microsoft TMG by Squid.

What latest version of squid? an RPM\package based or from sources?

If you have basic_ldap_auth it should be good and you can test it.
I do not know much about your knowledge of LDAP and if you do have LDAP in place already but I think you will need to first test the basic_ldap_auth and see how it works and then implement what you need.
If you do not have any background with LDAP you will need to learn a bit about it first before playing with the authentication.
The examples from older LDAP helpers should work for you in a similar way.

The LDAP dependencies are different from OS to OS and I do not have a running Oracle Linux I can fetch the exact package names but it should be something with "ldap" and "devel".
try "yum search ldap|grep -i devel" and you will might see the relevant package there.

All The Bests,
Eliezer

On 19/10/2015 15:57, Sebastien.Boulianne at cpu.ca wrote:
> Hey Eliezer,
>
> I am using the latest version of Squid... 3.5.10.
>
> As you can see, I have the basic_ldap_auth in /usr/lib64/squid/.
> Should it be good ?
>
> What are the ldap depencies ?
>
> Thanks.
>
> Sébastien
>
>
> -----Message d'origine-----
> De : squid-users [mailto:squid-users-bounces at lists.squid-cache.org] De 
> la part de Eliezer Croitoru Envoyé : 18 octobre 2015 12:05 À :
> squid-users at lists.squid-cache.org Objet : Re: [squid-users] Replacing 
> Microsoft TMG by Squid.
>
> Hey Sebastien,
>
> What version of squid are you using? self compiled or RPMs?
> It's clear that you do have basic_ldap_auth and you can use that to authenticate you users using that.
>
> If you are trying to build squid from sources you will need ldap dependencies to be able to build LDAP auth.
>
> I have seen the thread going on and on but you do have basic_ldap_auth... so what is the question at all about using that or not?
>
> Eliezer
>
> On 16/10/2015 20:51, Sebastien.Boulianne at cpu.ca wrote:
>> Hi all,
>>
>> Like you know, Microsoft discountinued the TMG.
>> The TMG was used as a reverse proxy.
>> Since many days, I work to replace our TMG by a Squid server v3.5.10 with Oracle Linux 7 x64.
>> I moved some sites this week but I have a little problem now.
>> How can I ask LDAP credentials for a user who want to access a directory on another server ?
>>
>> I currently do that with our TMG.
>>
>> I used Google but I can only find doc about LDAP auth for users they want to access the internet.
>>
>> [root at squid squid]# cd /usr/lib64/squid/ [root at squid squid]# ls
>> basic_db_auth                 basic_pam_auth     cert_valid.pl           ext_session_acl       negotiate_kerberos_auth       url_fake_rewrite
>> basic_getpwnam_auth           basic_pop3_auth    digest_edirectory_auth  ext_time_quota_acl    negotiate_kerberos_auth_test  url_fake_rewrite.sh
>> basic_ldap_auth               basic_radius_auth  digest_file_auth        ext_unix_group_acl    ntlm_fake_auth
>> basic_msnt_auth               basic_sasl_auth    digest_ldap_auth        ext_wbinfo_group_acl  ntlm_smb_lm_auth
>> basic_msnt_multi_domain_auth  basic_smb_auth     diskd                   helper-mux.pl         ssl_crtd
>> basic_ncsa_auth               basic_smb_auth.sh  ext_file_userip_acl     log_db_daemon         storeid_file_rewrite
>> basic_nis_auth                cachemgr.cgi       ext_ldap_group_acl      log_file_daemon       unlinkd
>>
>> Thanks.
>>
>> Sebastien
>>
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list