====== Squid with Kerberos and LDAP authentication in Active Directory (quick start) ======
===== Problem =====
* Make users authenticate on the Squid proxy
* Using Kerberos (single sign-on)
* Fall back to LDAP (plain-text basic authentication) if Kerberos fails
===== Prerequisites =====
* Active Directory on Windows Server 2003 R2 SP2
* Ubuntu Server 10.04 LTS + Squid 3.0 + Kerberos 5
===== Solution =====
==== Here is our example environment ====
^Parameter name^Value^
|AD_SQUID_USER|squid|
|AD_SQUID_PASSWORD|squid_password|
|PROXY_FULL_DNS_NAME|proxy.company.ru|
|DOMAIN_CONTROLLER|dc.company.lan|
|REALM|COMPANY.LAN|
|SQUID_DN|cn=squid,ou=users_special,dc=company,dc=lan|
|BASE_DN|ou=users,dc=company,dc=lan|
==== Let's configure ====
- Ubuntu: install Squid and Kerberos
<code bash>
sudo apt-get install squid3 krb5-user
</code>
- Ubuntu: replace /etc/krb5.conf with the following config
<code>
[libdefaults]
    default_realm = COMPANY.LAN
</code>
- Windows: create user "squid" in Active Directory
- Windows: create a keytab and map it to the user "squid" (password "squid_password") using ktpass (ktpass is part of the Windows Server 2003 Service Pack 1 Support Tools)
<code>
ktpass -princ HTTP/proxy.company.ru@COMPANY.LAN -mapuser squid -pass squid_password -ptype KRB5_NT_PRINCIPAL -out HTTP.keytab
</code>
- Ubuntu: move the newly created HTTP.keytab to /etc/squid3/HTTP.keytab
- Ubuntu: put the password in a separate file (Squid will use it for the LDAP bind)
<code bash>
echo "squid_password" | sudo tee /etc/squid3/LDAP.pass
</code>
- Ubuntu: restrict permissions on both files, since they hold the service key and the bind password
<code bash>
sudo chown proxy:proxy /etc/squid3/HTTP.keytab /etc/squid3/LDAP.pass
sudo chmod 400 /etc/squid3/HTTP.keytab /etc/squid3/LDAP.pass
</code>
- Ubuntu: point Squid to the keytab file
<code bash>
echo "export KRB5_KTNAME=/etc/squid3/HTTP.keytab" | sudo tee /etc/default/squid3
</code>
- Ubuntu: add the authentication parameters to squid.conf
- Create /etc/squid3/squid.auth.conf with the following text
<code>
# Enable Kerberos authentication first
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/proxy.company.ru@COMPANY.LAN
auth_param negotiate children 10
auth_param negotiate keep_alive on
# Fallback to LDAP if Kerberos fails
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "ou=users,dc=company,dc=lan" -f sAMAccountName=%s -h dc.company.lan -D "cn=squid,ou=users_special,dc=company,dc=lan" -W /etc/squid3/LDAP.pass
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
# Force authentication requirement
acl auth proxy_auth REQUIRED
http_access allow auth
</code>
- Patch /etc/squid3/squid.conf
--- squid.conf.orig 2011-02-18 22:43:47.000000000 +0300
+++ squid.conf 2011-11-23 20:36:10.348219178 +0400
@@ -646,6 +646,9 @@
#http_access allow localnet
http_access allow localhost
+# Include Kerberos and LDAP configuration
+include /etc/squid3/squid.auth.conf
+
# And finally deny all other access to this proxy
http_access deny all
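Review bot: the hunk header `@@ -646,6 +646,9 @@` declares six unchanged lines on the old side and nine on the new side, but only four unchanged lines (`#http_access allow localnet`, `http_access allow localhost`, `# And finally deny all other access to this proxy`, `http_access deny all`) plus the three added lines are visible, so the blank context lines were lost in transcription and `patch` will reject this hunk as written. Apply the change by hand instead: the `include /etc/squid3/squid.auth.conf` line must sit after `http_access allow localhost` and before `http_access deny all`, because the `http_access allow auth` rule inside the included file is only effective if Squid evaluates it before the final deny.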
- Ubuntu: restart Squid
<code bash>
sudo /etc/init.d/squid3 restart
</code>
===== Troubleshooting =====
- You can check whether your keytab works
<code bash>
kinit -V -kt /etc/squid3/HTTP.keytab HTTP/proxy.company.ru@COMPANY.LAN
</code>
===== Some notes =====
- Kerberos needs DNS to be configured properly (if it is, you don't even need to configure /etc/krb5.conf)
- DNS needs to have host records (an A record and a matching reverse record) for the proxy server (proxy.company.ru in our example)
- To use Kerberos in Ubuntu you just need to install "krb5-user" and run "kinit username@COMPANY.LAN"
- Internet Explorer doesn't fall back to LDAP authentication if Kerberos fails. So if you can't use Kerberos (for example when the PC isn't joined to the domain) you need to uncheck "Enable Integrated Windows Authentication" in Internet Options -> Advanced -> Security, or use an alternative browser.
- You need to address the proxy by its full DNS name (proxy.company.ru in our example) or by a CNAME pointing to that name to make Kerberos work. Otherwise only LDAP plain-text authentication will work.
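The notes above and the troubleshooting step come down to a handful of host-level conditions that are easy to get subtly wrong: forward and reverse DNS for the proxy name, the owner and mode of HTTP.keytab and LDAP.pass, the HTTP/ principal actually present in the keytab, the KRB5_KTNAME export in /etc/default/squid3, and a working kinit with the keytab. The following POSIX shell script checks all of them in one pass. It is an added example, not part of the original page or of Squid; the hostnames, realm and paths are the page's example values, and the function names and the SQUID_PREFLIGHT variable are this example's own.

```shell
#!/bin/sh
# Preflight checks for the Squid + Kerberos + LDAP setup on this page.
# Added example, not from the original page; the values below are the
# page's example environment and must be changed for your own site.
PROXY_FQDN="proxy.company.ru"
REALM="COMPANY.LAN"
KEYTAB="/etc/squid3/HTTP.keytab"
LDAP_PASS="/etc/squid3/LDAP.pass"
SQUID_DEFAULTS="/etc/default/squid3"
PRINCIPAL="HTTP/${PROXY_FQDN}@${REALM}"

# --- pure checks: they take their input as arguments so they can be tested offline

# perms_ok OWNER GROUP MODE: the keytab and the LDAP bind password are secrets;
# the page sets them to proxy:proxy, mode 400. Anything more open is a finding.
perms_ok() {
    [ "$1" = "proxy" ] && [ "$2" = "proxy" ] && [ "$3" = "400" ]
}

# keytab_has_principal KLIST_OUTPUT PRINCIPAL: the last field of a `klist -kt`
# entry is the principal; squid_kerb_auth -s expects exactly HTTP/<fqdn>@REALM.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# dns_consistent FQDN ADDRESS REVERSE_NAME: the page requires an A record and a
# reverse record for the proxy; the reverse lookup must return the same FQDN
# (a trailing dot from the resolver is tolerated).
dns_consistent() {
    [ -n "$2" ] && [ "${3%.}" = "$1" ]
}

# env_exports_keytab DEFAULTS_CONTENT KEYTAB: /etc/default/squid3 must contain
# the exact export line from the page, or squid_kerb_auth cannot find the keytab.
env_exports_keytab() {
    printf '%s\n' "$1" | grep -Fxq "export KRB5_KTNAME=$2"
}

# --- live checks against the running host (run as root)

report() { # report STATUS MESSAGE
    printf '%-4s %s\n' "$1" "$2"
}

main() {
    rc=0
    addr=$(getent hosts "$PROXY_FQDN" | awk 'NR == 1 { print $1 }')
    rname=""
    [ -n "$addr" ] && rname=$(getent hosts "$addr" | awk 'NR == 1 { print $2 }')
    if dns_consistent "$PROXY_FQDN" "$addr" "$rname"; then
        report ok "DNS: $PROXY_FQDN -> $addr -> $rname"
    else
        report FAIL "DNS: A/reverse records for $PROXY_FQDN do not agree (got '$addr' / '$rname')"; rc=1
    fi

    for f in "$KEYTAB" "$LDAP_PASS"; do
        # word-splitting of the stat output into OWNER GROUP MODE is intended
        if [ -e "$f" ] && perms_ok $(stat -c '%U %G %a' "$f"); then
            report ok "perms: $f is proxy:proxy 400"
        else
            report FAIL "perms: $f must exist and be proxy:proxy mode 400"; rc=1
        fi
    done

    if keytab_has_principal "$(klist -kt "$KEYTAB" 2>/dev/null)" "$PRINCIPAL"; then
        report ok "keytab: $PRINCIPAL present in $KEYTAB"
    else
        report FAIL "keytab: $PRINCIPAL not found in $KEYTAB (check the ktpass -princ value)"; rc=1
    fi

    if env_exports_keytab "$(cat "$SQUID_DEFAULTS" 2>/dev/null)" "$KEYTAB"; then
        report ok "env: KRB5_KTNAME exported in $SQUID_DEFAULTS"
    else
        report FAIL "env: $SQUID_DEFAULTS lacks 'export KRB5_KTNAME=$KEYTAB'"; rc=1
    fi

    # The page's own troubleshooting step: obtain a ticket with the keytab.
    if kinit -V -kt "$KEYTAB" "$PRINCIPAL" >/dev/null 2>&1; then
        report ok "kinit: keytab authenticates as $PRINCIPAL"; kdestroy >/dev/null 2>&1
    else
        report FAIL "kinit -kt $KEYTAB $PRINCIPAL failed (clock skew, or keytab not matching the account's current key?)"; rc=1
    fi
    return $rc
}

# Set SQUID_PREFLIGHT=1 to run the live checks (the functions above can also be sourced).
if [ "${SQUID_PREFLIGHT:-0}" = "1" ]; then
    main
    exit $?
fi
```

Run it as root on the proxy with `SQUID_PREFLIGHT=1 sh squid-preflight.sh`; every FAIL line maps to one step of the procedure above, and a clean run is what you want to see before debugging browser-side Negotiate behaviour, since a DNS or keytab problem makes clients drop silently to the plain-text LDAP fallback.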
{{tag>squid kerberos ldap proxy ubuntu}}