
Squid with Kerberos and LDAP authentication in Active Directory (quick start)

Problem

  • Make users authenticate on the Squid proxy
    • Using Kerberos (single sign-on)
    • Fall back to LDAP if Kerberos fails (plain text)

Prerequisites

  • Active Directory on Windows Server 2003 R2 SP2
  • Ubuntu Server 10.04 LTS + Squid 3.0 + Kerberos 5

Solution

Here is our example environment

Parameter name        Value
AD_SQUID_USER         squid
AD_SQUID_PASSWORD     squid_password
PROXY_FULL_DNS_NAME   proxy.company.ru
DOMAIN_CONTROLLER     dc.company.lan
REALM                 COMPANY.LAN
SQUID_DN              cn=squid,ou=users_special,dc=company,dc=lan
BASE_DN               ou=users,dc=company,dc=lan

Let's configure

  1. Ubuntu: install Squid and Kerberos
    sudo apt-get install squid3 krb5-user
  2. Ubuntu: replace /etc/krb5.conf with the following config
    [libdefaults]
            default_realm = COMPANY.LAN
  3. Windows: create user “squid” in Active Directory
  4. Windows: create keytab and map it to the user “squid” with password “squid_password” using ktpass (you can find ktpass in Windows Server 2003 Service Pack 1 Support Tools)
    ktpass -princ HTTP/proxy.company.ru@COMPANY.LAN -mapuser squid -pass squid_password -ptype KRB5_NT_PRINCIPAL -out HTTP.keytab
  5. Ubuntu: move just created HTTP.keytab to /etc/squid3/HTTP.keytab
  6. Ubuntu: put the password in a separate file (it will be used for the LDAP bind)
    echo "squid_password" | sudo tee /etc/squid3/LDAP.pass
  7. Ubuntu: fix permissions for security reasons
    sudo chown proxy:proxy /etc/squid3/HTTP.keytab /etc/squid3/LDAP.pass
    sudo chmod 400 /etc/squid3/HTTP.keytab /etc/squid3/LDAP.pass
  8. Ubuntu: point Squid to the keytab file
    echo "export KRB5_KTNAME=/etc/squid3/HTTP.keytab" | sudo tee /etc/default/squid3
  9. Ubuntu: add authentication parameters to the squid.conf
    1. Create /etc/squid3/squid.auth.conf with the following text
      # Enable Kerberos authentication first
      auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/proxy.company.ru@COMPANY.LAN
      auth_param negotiate children 10
      auth_param negotiate keep_alive on
      
      # Fallback to LDAP if Kerberos fails
      auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "ou=users,dc=company,dc=lan" -f sAMAccountName=%s -h dc.company.lan -D "cn=squid,ou=users_special,dc=company,dc=lan" -W /etc/squid3/LDAP.pass
      auth_param basic children 5
      auth_param basic realm Squid proxy-caching web server
      auth_param basic credentialsttl 2 hours
      
      # Force authentication requirement
      acl auth proxy_auth REQUIRED
      http_access allow auth
    2. Patch /etc/squid3/squid.conf
      --- squid.conf.orig	2011-02-18 22:43:47.000000000 +0300
      +++ squid.conf	2011-11-23 20:36:10.348219178 +0400
      @@ -646,6 +646,9 @@
       #http_access allow localnet
       http_access allow localhost
       
      +# Include Kerberos and LDAP configuration
      +include /etc/squid3/squid.auth.conf
      +
       # And finally deny all other access to this proxy
       http_access deny all
       
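Review bot: the include lands between `http_access allow localhost` and `http_access deny all`, which is where it has to be, since Squid evaluates http_access rules in order and the included file's `http_access allow auth` must come before the final deny; note that the commented `#http_access allow localnet` line directly above it would, if uncommented later, match local-network clients before the `acl auth proxy_auth REQUIRED` rule is reached and let them through without authenticating. Keep any network-wide allow rules below the include, and make sure the included file name matches the file created in step 9.1.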
      
  10. Ubuntu: restart squid
    sudo /etc/init.d/squid3 restart
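The procedure above leaves several things that are easy to get wrong silently: the Negotiate helper must be listed before the Basic one, the LDAP bind password must come from a file rather than the helper command line, the `proxy_auth REQUIRED` acl must actually be allowed, the SPN passed with `-s` must match the proxy's DNS name, and the keytab and password file must stay mode 400 and owned by the Squid account. The following script is an added example, not part of the original wiki page, that checks all of these. The file paths, the `proxy` user and the config directives are the page's own; the function names, the `--run` flag and the use of GNU `stat -c` (as shipped on Ubuntu) are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the Squid
# Kerberos + LDAP setup. Assumes GNU coreutils stat (Ubuntu) and the page's
# file locations under /etc/squid3.

# first_line PATTERN FILE -> line number of the first match, empty if none.
first_line() {
    grep -n -E "$1" "$2" | head -n 1 | cut -d: -f1
}

# check_auth_conf FILE
#  1. a negotiate (Kerberos) helper exists and is listed before basic, so
#     Squid offers Negotiate first and only falls back to Basic;
#  2. the LDAP bind password is read from a file (-W), never given inline
#     (-w), because helper command lines are visible to every local user;
#  3. an "acl NAME proxy_auth REQUIRED" exists and is allowed by http_access.
check_auth_conf() {
    f="$1"
    neg=$(first_line '^[[:space:]]*auth_param[[:space:]]+negotiate[[:space:]]+program' "$f")
    bas=$(first_line '^[[:space:]]*auth_param[[:space:]]+basic[[:space:]]+program' "$f")
    [ -n "$neg" ] || { echo "no negotiate helper configured"; return 1; }
    if [ -n "$bas" ] && [ "$bas" -lt "$neg" ]; then
        echo "basic helper is listed before the negotiate helper"; return 1
    fi
    if grep -E '^[[:space:]]*auth_param[[:space:]]+basic[[:space:]]+program.*[[:space:]]-w[[:space:]]' "$f" >/dev/null; then
        echo "LDAP bind password given inline with -w; use -W <file>"; return 1
    fi
    acl=$(awk '$1=="acl" && $3=="proxy_auth" && $4=="REQUIRED" {print $2; exit}' "$f")
    [ -n "$acl" ] || { echo "no 'acl NAME proxy_auth REQUIRED' found"; return 1; }
    grep -E "^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+$acl([[:space:]]|$)" "$f" >/dev/null \
        || { echo "acl $acl is never allowed by http_access"; return 1; }
    return 0
}

# check_spn FILE PROXY_FQDN REALM
# The -s principal handed to squid_kerb_auth must be HTTP/<proxy FQDN>@REALM,
# i.e. the name clients reach the proxy by (see "Some notes", item 5).
check_spn() {
    grep -E "^[[:space:]]*auth_param[[:space:]]+negotiate[[:space:]]+program.*[[:space:]]-s[[:space:]]+HTTP/$2@$3([[:space:]]|$)" "$1" >/dev/null
}

# check_secret_perms FILE OWNER
# Keytab and LDAP password file: owner-readable only (400) and owned by the
# account Squid runs as.
check_secret_perms() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "400" ] || return 1
    [ "$(stat -c '%U' "$1")" = "$2" ] || return 1
}

# Run all checks against the page's paths and example values.
main() {
    rc=0
    check_auth_conf /etc/squid3/squid.auth.conf || rc=1
    check_spn /etc/squid3/squid.auth.conf proxy.company.ru COMPANY.LAN \
        || { echo "-s principal does not match HTTP/proxy.company.ru@COMPANY.LAN"; rc=1; }
    for s in /etc/squid3/HTTP.keytab /etc/squid3/LDAP.pass; do
        check_secret_perms "$s" proxy || { echo "bad owner/permissions on $s"; rc=1; }
    done
    return $rc
}

# Only run the full check when invoked explicitly, so the functions can also
# be sourced and used on their own.
if [ "${1-}" = "--run" ]; then main; fi
```

Run it on the proxy as `sudo sh check-squid-auth.sh --run` (file name assumed) after step 10; a non-zero exit with a message names the first invariant that is broken. The permission check needs root or the `proxy` user to read the files' metadata, which is why it is run with sudo.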

Troubleshooting

  1. You can check if your keytab works
    kinit -V -kt /etc/squid3/HTTP.keytab HTTP/proxy.company.ru@COMPANY.LAN

Some notes

  1. Kerberos needs DNS to be configured properly (in which case you don't even need to configure /etc/krb5.conf)
  2. DNS needs to have host records (an A record and a reverse PTR record) for the proxy server (proxy.company.ru in our example)
  3. To use Kerberos in Ubuntu you just need to install “krb5-user” and run “kinit username@COMPANY.LAN”
  4. Internet Explorer doesn't fall back to LDAP authentication if Kerberos fails. So if you can't use Kerberos (for example, when the PC isn't joined to the domain) you need to uncheck “Enable Integrated Windows Authentication” in Internet Options → Advanced → Security or use an alternative browser.
  5. You need to access the proxy by its full DNS name (proxy.company.ru in our example) or by a CNAME to this DNS name to make Kerberos work. Otherwise only LDAP plain text authentication will work.