Forum

(squid) proxy - act...
 
Bildirimler
Hepsini Temizle

(squid) proxy - active directory authentication

3 Yazılar
2 Üyeler
0 Reactions
939 Görüntüleme
(@anonim)
Gönderiler: 1789
Famed Member
Konu başlatıcı
 

selamlar,

ipcop uzerinde firewall + squid (ve dansguardian) var. ipcop'un oldugu bilgisayar ayni zamanda gateway olarak da calisiyor.

kullanicilar windows 2003 uzerinden active directory kullanarak network'te yetkilendiriliyorlar.

oncelikle,

- ipcop uzerindeki proxy'nin active directory gruplarina gore yetki alabilmesini nasil saglayabilirim?
yapmak istedigim sey:
active directory uzerinde olusturulmus iki farkli gruba farkli saatlerde farkli sitelere girme yetkisi verebilmek.
a grubunun butun gun internet yetkisi var ve gun icerisinde fazla kisitlama olmadan her yere girebilmeli.
b grubunun mesai saatleri icerisinde pek cok yere girisini engellemek istiyorum.

squid uzerinde kullanicilarin ldap uzerinden authenticate olmasi saglanabiliyor. ancak ad gruplarina gore yetkilendirmeyi yapamadim.

aslinda bu islemin mutlaka squid uzerinde gerceklesmesi gerekmiyor.
ipcop uzerinde gateway+firewall yapisi uzerinde yapilabilme imkani varsa ordan da yapabilirim.
amacim sadece farkli ad gruplarinin internet giris cikislarini adres ve zaman kriterlerine gore yetkilendirebilmek.

cevaplar icin tesekkurler,

 

iyi gunler...

 
Gönderildi : 10/07/2008 12:33

(@rahmidilli)
Gönderiler: 2458
Famed Member
 

Merhabalar Sn. Can Veli Hikmet,

Forumumuza hoşgeldiniz. Konu hakkında malesef detaylı bilgim yok ama aşağıdaki linkler yardımcı olacaktır.

http://cryptoresync.com/2006/05/18/installing-squid-with-active-directory-authentication/  

http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory  

 

Configuring Squid LDAP Authentication

The first step is to configure Squid to authenticate
usernames/passwords with the Active Directory. You will need to open
your Squid configuration file (squid.conf) and make the following
changes:

Find the auth param section of the config file (TAG: auth_param), and change the auth param basic program line to look like this. (Indented text indicates one line)

    auth_param basic program /usr/lib/squid/ldap_auth -R 
-b "dc=vm-domain,dc=papercut,dc=com"
-D "cn=Administrator,cn=Users,dc=your,dc=domain,dc=com"
-w "password" -f sAMAccountName=%s -h 192.168.1.75
auth_param basic children 5
auth_param basic realm Your Organisation Name
auth_param basic credentialsttl 5 minutes

These settings tell Squid authenticate names/passwords in the Active Directory.

  • The -b option indicated the LDAP base distinguished name of your domain. E.g. your.domain.com would be dc=your,dc=domain,dc=com
  • The –D
    option indicates the user that is used to perform the LDAP query. (e.g
    an Administrator. This example uses the built-in Administrator user,
    however you can use another user of your choice.
  • The –w option is the password for the user specified in the –D option. For better security you can store the password in a file and use the –W /path/to/password_file syntax instead
  • -h is used to indicate the LDAP server to connect to. E.g. your domain controller.
  • -R is needed to make Squid authenticate against Windows AD
  • The –f option is the LDAP query used to lookup the user. In the above example, sAMAccountName=%s,
    will match if the user’s Windows logon name matches the username
    entered when prompted by Squid. You can search any value in the LDAP
    filter query. You may need to use an LDAP search query tool to help get
    the syntax correct for the –f search filter.
  • The %s is replaced with what the user enters as their username.

Remember to restart Squid to make these changes to come into effect.

Configuring Group Based Internet Access

Once the user has authenticated, you can define which users have
access to network resources (i.e. the internet) using Squid access
control lists (ACLs). Squid ACLs are a complex topic and allow very
sophisticated control. This document only describes the basic
configuration required to allow Active Directory / LDAP group checking
- a requirement for PaperCut to deny/allow internet access. For further information on ACL syntax and configuration see the Squid documentation and FAQ.

In the Squid configuration file, find the external
ACL section (TAG: external_acl_type) and specify the following external
ACL (Inetgroup is arbitrary, make this anything appropriate). Note that
this is all on one line.

    external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R 
-b "dc=vm-domain,dc=papercut,dc=com"
-D "cn=Administrator,cn=Users,dc=your,dc=domain,dc=com"
-w "password"
-f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=users,dc=your,dc=domain,dc=com))"
-h 192.168.1.75

Most of this is similar to the LDAP authentication section above. The variable %v relates to the username and %a
is the group given in the ACL (below). Ensure that the "memberof"
filter is adjusted to where your LDAP internet group is defined. E.g.
If you have an organizational unit call "you.domain.com/students", and
this contains a group called "InternetAccessGroup", then the "memberof"
part of the filter should be: memberof=cn=%a,ou=students,dc=your,dc=domain,dc=com

Then enter the values below in the ACL area (Tag: acl) of squid.conf, modifying your internal subnet as appropriate.

    acl localnet proxy_auth REQUIRED src 192.168.1.0/24

acl InetAccess external InetGroup InternetAccessGroup

The ACL names are InetAccess, they are
arbitrary and can be changed to suit your environment. InetGroup is the
the External ACL name created above. The Active Directory groups that
allow internet access is InternetAccessGroup. This is the name of the matching group in the Active Directory.

Now that you have completed the ACL you can reference them in the http_access area of Squid.conf:

    http_access allow InetAccess

You will need to restart Squid for these changes to come into effect.

You should then be able to try to access the Internet
using Squid, and should be prompted for your Windows username and
password. Only authenticated users AND users belonging to the
"InternetAccessGroup" will be allowed access to the internet. This test
by manually adding and removing users from the group using the Active
Directory user management tools. The users should be granted/denied
access depending on their AD group membership.

NOTE: If you have the need to deny Internet access
for members of another Windows security group, you can set up a
"InternetDenyGroup" the same way as above and then define an InetDeny
ACL. You can then specify a http_access deny rule as follows:

    http_access deny InetDeny

 

 
Gönderildi : 10/07/2008 18:16

(@anonim)
Gönderiler: 1789
Famed Member
Konu başlatıcı
 

tesekkurler.

 
Gönderildi : 11/07/2008 14:11

Paylaş: