Affichage des articles dont le libellé est ldap. Afficher tous les articles
Affichage des articles dont le libellé est ldap. Afficher tous les articles

lundi 12 décembre 2011

Squid authentification LDAP

Configuration de l'authentificacion de Squid avec Active directory Microsoft

On valide la connexion
# Active Directory configuration
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -v 3 -b "dc=foo,dc=corp" -D "cn=Proxy1,cn=Users,dc=foo,dc=corp" -w "xxx" -f sAMAccountName=%s -h 192.168.11.206
auth_param basic children 5
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 5 minutes

On authorize un groupe
#ldap authorizations
#full proxy access logger
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R \
-b "dc=foo,dc=corp" \
-D "cn=Proxy1,cn=Users,dc=foo,dc=corp" \
-w "xxx" \
-f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=users,DC=foo,DC=corp))" \
-h 192.168.11.206

On renvoit vers Squidguard, on pourrait aussi associe des autorizacions par groupe LDAP
#Squidguard
redirect_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf

########################
####### acls locales####
########################
acl manager proto cache_object
#acl all src 0.0.0.0/0.0.0.0
acl to_localhost src 127.0.0.1/32
acl localhost dst 127.0.0.0/8
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8522 # otros ssh
acl Safe_ports port 22
acl CONNECT method CONNECT
acl ldap-group proxy_auth REQUIRED
#acl redlocal src 192.168.10.0/23
acl Proxy external ldap_group ProxyFULL


########################
####### Restricciones###
########################
http_access allow Proxy
http_access allow Accesorestringido
http_access deny manager
http_access allow MonarcaTestProxy
http_access deny !Safe_ports
http_access allow manager localhost
http_access deny CONNECT !SSL_ports
http_access allow localhost

http_access deny all

icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/proxy/log/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
#broken_vary_encoding allow apache
coredump_dir /var/spool/squid
visible_hostname [My HOSTNAME]


Commande utile pour verifier l'appartenance 
C:\Windows\system32>dsget USER "CN=foouser,OU=foo,DC=foo,DC=corp" -memberof

Commande Squid pour tester le proxy
squidclient -h 127.0.0.1 -u user -w password http://sysadmin10.blogspot.com

Publié par à Aucun commentaire:
Libellés : , ,
Inscription à : Articles (Atom)