Re: [squid-users] Fw: squid_ldap_group config

From: Tim Neto <tneto@dont-contact.us>
Date: Wed, 01 Dec 2004 14:55:18 -0500

Hello,

While I'm not using a Novell LDAP server, here is a snippet from the
configuration I have working. Note: KCL uses a SunONE Directory Server.

---------------------------------------------------------------------------------------------------------------------
auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldap.komatsu.ca -p 389 -P -b o=komatsu -f "(|(uid=%s)(mail=%s))"

auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minute

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h ldap.komatsu.ca -p 389 -P -b o=komatsu -F "(|(uid=%s)(mail=%s))" -f "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# ----------------------------------------------------------------------
# Default Squid ACL's
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 21
acl Safe_ports port 70
acl Safe_ports port 80
acl Safe_ports port 81
acl Safe_ports port 89
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 443 563
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT

# ----------------------------------------------------------------------
# KCL Defined ACL's and http_access definitions.
acl kcl_users proxy_auth REQUIRED
acl kcl_networks src 192.168.0.0/16

# LDAP group acl definitions.
#
# Puro
acl puro_groups external ldap_group puro puro_a puro_c puro_e puro_f puro_k puro_kr puro_te puro_tr puro_w
#
# Proxy
acl proxy_groups external ldap_group proxy proxy_a proxy_c proxy_e proxy_f proxy_k proxy_kr proxy_te proxy_tr proxy_w
#
# I left these for individual divisional controls, just in case they are needed.
acl proxy_a external ldap_group proxy_a
acl proxy_c external ldap_group proxy_c
acl proxy_e external ldap_group proxy_e
acl proxy_f external ldap_group proxy_f
acl proxy_k external ldap_group proxy_k
acl proxy_kr external ldap_group proxy_kr
acl proxy_te external ldap_group proxy_te
acl proxy_tr external ldap_group proxy_tr
acl proxy_w external ldap_group proxy_w

http_access allow manager localhost
http_access allow manager kcl_networks
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# ----------------------------------------------------------------------
# Note: KCL deny rules must exist before any allow rules.
#
acl no_kazaa dstdomain .kazaa.com
acl no_puretracks dstdomain .puretracks.com

http_access deny no_kazaa
http_access deny no_puretracks

# ----------------------------------------------------------------------
# Puro group allowed list of web sites.
# ACLs
#
acl puro_denharco_com dstdomain .denharco.com
acl puro_emeryworld_com dstdomain .emeryworld.com
acl puro_emeryworldwide_com dstdomain .emeryworldwide.com
acl puro_fedex_com dstdomain .fedex.com
acl puro_fleetguard_com dstdomain .fleetguard.com
acl puro_hexaware_com dstdomain .hexaware.com
acl puro_hrparts_com dstdomain .hrparts.com
acl puro_komatsu_co_jp dstdomain .komatsu.co.jp
acl puro_komatsu_com dstdomain .komatsu.com
acl puro_machinerytrader_com dstdomain .machinerytrader.com
acl puro_machinetrader_com dstdomain .machinetrader.com
acl puro_mailposte_ca dstdomain .mailposte.ca
acl puro_ups_ca dstdomain .ups.ca
acl puro_ups_com dstdomain .ups.com
# ----------------------------------------------------------------------
# Access enablers
#
# Group: puro_groups
http_access allow kcl_networks puro_groups puro_denharco_com
http_access allow kcl_networks puro_groups puro_emeryworld_com
http_access allow kcl_networks puro_groups puro_emeryworldwide_com
http_access allow kcl_networks puro_groups puro_fedex_com
http_access allow kcl_networks puro_groups puro_fleetguard_com
http_access allow kcl_networks puro_groups puro_hexaware_com
http_access allow kcl_networks puro_groups puro_hrparts_com
http_access allow kcl_networks puro_groups puro_komatsu_co_jp
http_access allow kcl_networks puro_groups puro_komatsu_com
http_access allow kcl_networks puro_groups puro_machinerytrader_com
http_access allow kcl_networks puro_groups puro_machinetrader_com
http_access allow kcl_networks puro_groups puro_mailposte_ca
http_access allow kcl_networks puro_groups puro_ups_ca
http_access allow kcl_networks puro_groups puro_ups_com

#
# ----------------------------------------------------------------------
# Allow all proxy users to all web addresses.
#
# http_access allow kcl_networks proxy_a
# http_access allow kcl_networks proxy_c
# http_access allow kcl_networks proxy_e
# http_access allow kcl_networks proxy_f
# http_access allow kcl_networks proxy_k
# http_access allow kcl_networks proxy_kr
# http_access allow kcl_networks proxy_te
# http_access allow kcl_networks proxy_tr
# http_access allow kcl_networks proxy_w
http_access allow kcl_networks proxy_groups

# ----------------------------------------------------------------------
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
---------------------------------------------------------------------------------------------------------------------

Two things often overlooked when you RTFM are:

1) ACL parameters are logically OR'd.

2) HTTP_ACCESS parameters are logically AND'd.

Tim

-----------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer, Komatsu Canada Limited
Ph#: 905-625-6292 x265
Fax: 905-625-6348
E-Mail: tneto@komatsu.ca
1725B Sismet Road, Mississauga, Canada L4W 1P9
-----------------------------------------------------------

Matt Benjamin wrote:

> Kelly,
>
> The intent of the Squid mechanism, is, I think, a bit
> obscure--hopefully the authors will step forward and show how you set
> up the two distinct external auth mechanisms it appears you need in
> order for Squid to a) authenticate to LDAP b) do the group check.
>
> However, our solution (which resembles that used in a commercial K12
> proxy solution which I shall not name), is as follows:
>
> 1. We use one external authenticator, the squid_ldap_auth program
> 2. All traffic is sent to a customized Squidguard
> redirect_program--our version combines a bunch of extant
> modifications, including LDAP group-based ACLs, and a modified logging
> feature used to drive reporting
> 3. Any sort of authorization rule, including one forbidding specific
> users/groups to visit FTP urls, would happen here. For example, your
> source group might be "kids," and the destination group anything
> matching an "^ftp://" regex.
>
> We have some tweaks to Webmin, a real-time log parser, and reporting
> tool we're releasing, that organize all this.
>
> Matt
>
> Kelly_Connor@gilbert.k12.az.us wrote:
>
>>
>> Hi all,
>>
>> I hope this has not been addressed anywhere in the mailing lists. I
>> did a
>> search and couldn't find anything, and I've already RTFM'd.
>>
>> I don't understand how to set up the squid_ldap_group external acl type.
>>
>> We are running Novell eDirectory and using various LDAP groups to
>> (hopefully) control internet access for our various high school
>> campuses.
>> We want to have different control lists based upon the user.
>> Students are
>> denied ftp downloads and are sent to a redirector/content filter,
>> while we
>> IT people don't go to the redirector and get ftp downloads.
>>
>> The man page for external_acl_type doesn't seem clear to me.
>>
>> This is what I've got so far:
>>
>> external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b <basedn> -D <squidaccount> -w <passwd> -f "(&(cn=%v)(groupMembership=cn=<group1dn>))" -h ldap.host
>> external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b <basedn> -D <squidaccount> -w <passwd> -f "(&(cn=%v)(groupMembership=cn=<group2dn>))" -h ldap.host
>>
>> acl Restricted port 20 21 1025-65535
>>
>> acl external ldap_group deny Restricted
>> acl external ldap_group allow Restricted
>>
>> I'm certain I am doing something wrong with my "acl external" lines.
>> How
>> do I differentiate the two different groups? How exactly is the
>> external_acl_type line used? Is ldap_group a reserved phrase that
>> has to
>> follow external_acl_type? How do I return to squid the group membership
>> token for the user?
>>
>> Thanks for any illumination...
>>
>>
>> Kelly Connor
>> Network Technician
>> Gilbert Unified School District
>> kelly_connor@gilbert.k12.az.us
>>
Received on Wed Dec 01 2004 - 12:55:16 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:01 MST