User and Group LDAP Authentication for Squid

NOTE: this project has moved to group-ldap-auth.sourceforge.net. The release for 2.4.STABLE2 and all future releases are available there.

This patch extends the Squid proxy server to support static and dynamic LDAP group lookups when doing LDAP authentication. It modifies the core squid code to add support for ldap groups in the acl mechanism, and adds a group ldap authentication module in the auth_modules/GROUP_LDAP/ directory. The patch is available for the 2.3.STABLE1, 2.3.STABLE2, and 2.3.STABLE3 code releases.

This patch has been built and tested on linux 2.2.13 and solaris 2.6.

To install this patch to the 2.3.STABLEx source:

   %cd path/to/squid/source/squid-2.3.STABLEx/
   %patch -p2 < patchfile
After applying the patch, the version string changes from 2.3.STABLEx to 2.3.STABLEx-ldap_auth. Run make clean and rerun configure before building.

Below is the README for the group_ldap_auth helper authentication module. The patch installs it in <source root>/squid-2.3.STABLEx/auth_modules/GROUP_LDAP/, and it explains how the module works.


The group_ldap_auth module performs user and group authentication to an ldap 
server. It supports static and dynamic groups.


BUILD INSTRUCTIONS
------------------

This module requires the openldap libraries (http://www.openldap.org) to build.
Once they have been installed, build with:
	
	% make
	% make install


USAGE
-----

This module does not use the communication protocol of the other auth modules, and 
requires squid 2.3-STABLEx-ldap_auth. The diff file you used to get this module patched 
the 2.3-STABLEx source tree to 2.3-STABLEx-ldap_auth. If you received this module 
through some other means, go to http://www.fatgut.org/squid/group_ldap_auth/
to get the full diff.

The search base, ldap server, and (optionally) the ldap port (default is 389) 
are specified along with the path to the module with the ldap_auth_program 
directive in squid.conf. Example:
	
	ldap_auth_program /usr/local/squid/bin/group_ldap_auth o=siroe.com \
	  ldap.siroe.com 389

To tell squid to use ldap_auth, use the ldap_auth acl directive:

	acl aclname ldap_auth (((static | dynamic) group) | username) ...
	
Use REQUIRED to accept any valid username. Otherwise a list of groups and/or 
users can be specified here. Each group must be prefixed with either static or 
dynamic to define the group type. Group names with spaces in them should be 
enclosed in single quotes ("'"). Examples:
	
	acl user_acl ldap_auth REQUIRED
	- requires the user to be in the ldap db, and the password to be valid
	
	acl users_acl ldap_auth joed janed toc
	- requires the user to be one of {joed, janed, toc}, the user to be 
	  in the ldap db, and the password to be valid

	acl group_acl ldap_auth static 'product managers' dynamic uid=j*
	- requires the user to be a member of the static product managers group
	  or a member of the dynamic uid=j* group (all user ids starting with j). 
	  The user must also exist in the ldap db and have a valid password.

Users and groups can be mixed in an acl statement, but the special REQUIRED 
parameter cannot be mixed with either. Examples:
	
	acl users_groups_acl ldap_auth frank john joe static 'useful managers' 
	*VALID*

	acl invalid_acl ldap_auth REQUIRED frank john joe
	*INVALID*
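The following is an added example, not part of the patch or this README: a small Python parser for the argument list of an ldap_auth acl line that applies the rules above (bare words are usernames, static/dynamic prefix a group name, quoted names may contain spaces, REQUIRED stands alone), plus a function that renders the parsed acl into the request line squid hands to the helper (the format described under HOW IT WORKS). The function names and the sample acl lines are my own.

```python
import shlex

# Added example: parse the argument list of an "acl <name> ldap_auth ..." line
# using the rules from the README. Not the patch's own parser; the function
# names are mine.

REQUIRED = "REQUIRED"
GROUP_TYPES = ("static", "dynamic")


def parse_ldap_auth_acl(args):
    """Parse the text after 'ldap_auth' on an acl line.

    Returns {"required": True} for the REQUIRED form, otherwise
    {"users": [...], "groups": [(type, name), ...]}.  Raises ValueError
    for the forms the README declares invalid.
    """
    # shlex honours the single-quote rule for group names containing spaces
    tokens = shlex.split(args)
    if not tokens:
        raise ValueError("ldap_auth acl needs at least one user or group")
    if REQUIRED in tokens:
        if len(tokens) != 1:
            raise ValueError("REQUIRED cannot be mixed with users or groups")
        return {"required": True}

    users, groups = [], []
    it = iter(tokens)
    for tok in it:
        if tok in GROUP_TYPES:
            name = next(it, None)
            if name is None or name in GROUP_TYPES or name == REQUIRED:
                raise ValueError(f"'{tok}' must be followed by a group name")
            groups.append((tok, name))
        else:
            users.append(tok)
    return {"users": users, "groups": groups}


def to_helper_request(username, password, parsed):
    """Render the line squid sends to the helper for this acl:
    username password groupcount grouptype #groupname# ...
    grouptype is 's' or 'd'; the REQUIRED form carries no groups."""
    groups = parsed.get("groups", [])
    parts = [username, password, str(len(groups))]
    for gtype, gname in groups:
        parts += [gtype[0], f"#{gname}#"]
    return " ".join(parts)


if __name__ == "__main__":
    # constructed acl lines taken from the README's examples
    for line in ("REQUIRED",
                 "joed janed toc",
                 "static 'product managers' dynamic uid=j*",
                 "frank john joe static 'useful managers'",
                 "REQUIRED frank john joe"):
        try:
            parsed = parse_ldap_auth_acl(line)
            print(f"{line!r}: {parsed}")
            print("   helper request:", to_helper_request("jack", "SeCrEt", parsed))
        except ValueError as exc:
            print(f"{line!r}: INVALID ({exc})")
```

Note that the request line carries only the group list; the acl's bare usernames do not appear in it, so a username list such as `joed janed toc` is not something the helper itself can see.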

	
There are other configuration options that affect ldap_auth:

ldap_auth_children
	
	The number of ldap authenticator processes to spawn (default 5). 
	If you start too few, Squid will have to wait for them to process 
	a backlog of user/password verifications, slowing it down. When 
	password verifications are done via a slow network, or you have 
	ldap_auth acls with several groups, you are likely to need many 
	ldap authenticator processes.

ldap_auth_cache_size

	The size of the ldap username/password/group cache in entries (default 64).

ldap_auth_cache_ttl

	The number of seconds a checked ldap username/password/group combination 
	remains cached (default 3600). If a wrong password is given for a cached 
	user, the user gets removed from the username/password/group cache forcing
	a revalidation.

ldap_auth_cache_ip_ttl

	This option controls how long an ldap authentication
	will be bound to a specific IP address. If a request using
	the same user name is received from another address during
	this time, access is denied and both users are required to
	reauthenticate themselves. The idea behind this is to make it
	annoying for people to share their password with their friends,
	while still allowing a dialup user to reconnect on a different
	dialup port.

	The default is 0, which disables the check. If you have dialup
	users, the recommended value is no more than 60 (seconds). If
	all your users are stationary then higher values may be used.
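To make the ldap_auth_cache_ip_ttl behaviour concrete, here is an added Python model of the IP binding as the text above describes it. It is not the patch's code: the class and method names are my own, the eviction-on-conflict behaviour is my reading of "both users are required to reauthenticate", and the clock is injectable so the timing can be exercised offline.

```python
import time


class IpBoundAuthCache:
    """Added model of ldap_auth_cache_ip_ttl semantics, not the patch's code.

    A successful ldap authentication is bound to the client IP it came from.
    While that binding is younger than ip_ttl seconds, a request for the same
    username from a different IP is denied and the cached entry is dropped, so
    both clients have to reauthenticate.  ip_ttl == 0 disables the check.
    """

    def __init__(self, ip_ttl=0, clock=time.time):
        self.ip_ttl = ip_ttl
        self.clock = clock          # injectable for deterministic tests
        self.bindings = {}          # username -> (ip, time of last success)

    def record_success(self, username, ip):
        """Called after the helper answered 'p' for this user from ip."""
        self.bindings[username] = (ip, self.clock())

    def check(self, username, ip):
        """Return 'allow', or 'deny-reauth' when the IP binding is violated."""
        if self.ip_ttl <= 0:
            return "allow"
        bound = self.bindings.get(username)
        if bound is None:
            return "allow"
        bound_ip, since = bound
        if bound_ip != ip and self.clock() - since < self.ip_ttl:
            del self.bindings[username]   # both parties must reauthenticate
            return "deny-reauth"
        return "allow"


class FakeClock:
    """Constructed clock so the example runs without waiting for real time."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    cache = IpBoundAuthCache(ip_ttl=60, clock=clock)
    cache.record_success("jack", "10.0.0.1")
    print("same IP  :", cache.check("jack", "10.0.0.1"))     # allow
    print("other IP :", cache.check("jack", "10.0.0.2"))     # deny-reauth
    cache.record_success("jack", "10.0.0.1")
    clock.advance(61)
    print("after ttl:", cache.check("jack", "10.0.0.2"))     # allow
```

With ip_ttl set to 60 a dialup user who redials and comes back on a new address after more than a minute is let through, while a second client presenting the same credentials inside that minute trips the check.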


HOW IT WORKS
------------

The module communicates with squid through the squid helper system: squid writes data
to the module's stdin, and the module writes results back to its stdout. The other auth 
modules use a simple protocol: squid writes "username password" to the module, and the 
module writes back "OK" or "ERR". For group authentication to work, more information
needs to be passed between squid and the module, so the ldap_auth acl directive was 
added to complement the proxy_auth directive. 

When squid processes the ldap_auth directive, it writes messages of the following
form to the module:

	username password groupcount grouptype #groupname# grouptype #groupname# ...

where groupcount specifies the number of groups that follow, grouptype is either s 
(for static) or d (for dynamic), and each groupname is bracketed by #'s. Example:
	
	jack SeCrEt 3 s #poor password choosers# s #localusers# d #ou=people#

or

	jack SeCrEt 0 

if there are no groups to be checked.

The module reads this line and first verifies that the user exists in the database. If
this fails, a failure flag is returned to squid. If the lookup succeeds, the module 
checks the membership of each group in turn until the user is found or all groups have 
been tried. Static groups in the directory can have an objectclass of either groupOfNames 
or groupOfUniqueNames, and the member uids must be uniqueMember attributes of the
group. If the user is not found in any of the groups, a failure flag is returned. 
If the user is found in one of the groups, the module attempts to bind to the directory 
as that user with the supplied password. If that step succeeds, a pass flag is 
returned to squid along with the group the user was found in (if any). Upon 
failure, the module returns:
	
	f

upon success, the module returns:
	
	p groupname

or, if no groups were provided by squid and the user authenticated okay:

	p
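As an added example of the helper side of this exchange (not the module's own code), the Python below parses the request line, walks the three steps the text describes (user lookup, group membership, bind as the user) and replies with f, p or p groupname. The directory and the static groups are a constructed in-memory stand-in for the LDAP server; the treatment of a dynamic group as an attribute=pattern filter such as uid=j* is my assumption, and all function names are mine.

```python
import fnmatch
import hmac
import re
import sys

# Added example of the helper side of the protocol described above.  Not the
# module's code: the directory below is a constructed in-memory stand-in for
# the LDAP server, and the function names are mine.

# Constructed user entries keyed by DN (a real module would search the LDAP
# server under the configured search base).
DIRECTORY = {
    "uid=jack,ou=people,o=example": {"uid": "jack", "ou": "people", "userPassword": "SeCrEt"},
    "uid=jane,ou=people,o=example": {"uid": "jane", "ou": "people", "userPassword": "hunter2"},
}

# Constructed static groups: groupOfNames / groupOfUniqueNames entries whose
# members are listed as uniqueMember DNs, as the README requires.
STATIC_GROUPS = {
    "localusers": {"objectClass": "groupOfUniqueNames",
                   "uniqueMember": ["uid=jack,ou=people,o=example"]},
    "poor password choosers": {"objectClass": "groupOfNames",
                               "uniqueMember": ["uid=jane,ou=people,o=example"]},
}

REQUEST_RE = re.compile(r"^(\S+) (\S+) (\d+)\s*(.*)$")
GROUP_RE = re.compile(r"([sd]) #([^#]*)#")


def parse_request(line):
    """Split 'username password groupcount grouptype #groupname# ...'."""
    m = REQUEST_RE.match(line.strip())
    if not m:
        raise ValueError("malformed request line")
    user, password, count, rest = m.groups()
    groups = GROUP_RE.findall(rest)
    if len(groups) != int(count):
        raise ValueError("groupcount does not match the groups listed")
    return user, password, groups


def find_user(uid):
    for dn, entry in DIRECTORY.items():
        if entry["uid"] == uid:
            return dn, entry
    return None, None


def in_static_group(dn, name):
    group = STATIC_GROUPS.get(name)
    return (group is not None
            and group["objectClass"] in ("groupOfNames", "groupOfUniqueNames")
            and dn in group["uniqueMember"])


def in_dynamic_group(entry, spec):
    # Assumption: a dynamic group is written as 'attribute=pattern', e.g.
    # 'uid=j*' or 'ou=people', and matches when the user's attribute fits it.
    attr, _, pattern = spec.partition("=")
    value = entry.get(attr)
    return value is not None and fnmatch.fnmatchcase(value, pattern)


def bind(dn, password):
    # Stand-in for a simple bind as the user; constant-time compare so the
    # stand-in at least does not leak the password length or prefix by timing.
    return hmac.compare_digest(DIRECTORY[dn]["userPassword"], password)


def handle_request(line):
    """Return the helper's reply: 'f', 'p', or 'p groupname'."""
    try:
        user, password, groups = parse_request(line)
    except ValueError:
        return "f"
    dn, entry = find_user(user)          # 1. the user must exist
    if dn is None:
        return "f"
    matched = None                       # 2. first group containing the user
    for gtype, gname in groups:
        if (gtype == "s" and in_static_group(dn, gname)) or \
           (gtype == "d" and in_dynamic_group(entry, gname)):
            matched = gname
            break
    if groups and matched is None:
        return "f"
    if not bind(dn, password):           # 3. bind as the user with the password
        return "f"
    return f"p {matched}" if matched else "p"


def main():
    # squid helper loop: one request per stdin line, one reply per stdout line
    for line in sys.stdin:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Two properties of the protocol are visible here. Every failure (unknown user, no matching group, bad password, malformed line) collapses to the same single reply f, so squid and the client get no hint of which step failed. And the request format is whitespace-delimited, so a password containing whitespace cannot be carried unambiguously; the parser above simply takes the second field as the password.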


FOR MORE INFO
-------------

Go to http://www.fatgut.org/squid/group_ldap_auth/, or email 
tocrawle@users.sourceforge.net.