This patch modifies the Squid proxy server to support static and dynamic LDAP group lookups when doing LDAP authentication. It changes the core squid code to support LDAP groups in the acl mechanism, and adds a group LDAP authentication module in the auth_modules/GROUP_LDAP/ directory. The patch is available for the 2.3.STABLE1, 2.3.STABLE2, and 2.3.STABLE3 code releases.
This patch has been built and tested on Linux 2.2.13 and Solaris 2.6.
To install this patch to the 2.3.STABLEx source:
    % cd path/to/squid/source/squid-2.3.STABLEx/
    % patch -p2 < patchfile

After applying the patch, the version info is changed from 2.3.STABLEx to 2.3.STABLEx-ldap_auth. Issue a make clean and rerun configure before building.
Below is the README for the group_ldap_auth helper authentication module. It is installed by the patch in <source root>/squid-2.3.STABLEx/auth_modules/GROUP_LDAP/ and explains how the module works.
The group_ldap_auth module performs user and group authentication against an LDAP server. It supports static and dynamic groups.

BUILD INSTRUCTIONS
------------------

This module requires the OpenLDAP libraries (http://www.openldap.org) to build. Once they have been installed, build with:

    % make
    % make install

USAGE
-----

This module does not use the auth_module communication module, and requires squid 2.3-STABLEx-ldap_auth. The diff file you used to get this module patches the 2.3-STABLEx source tree to 2.3-STABLEx-ldap_auth. If you received this module through some other means, go to http://www.fatgut.org/squid/group_ldap_auth/ to get the full diff.

The search base, LDAP server, and (optionally) the LDAP port (default is 389) are specified along with the path to the module with the ldap_auth_program directive in squid.conf. Example:

    ldap_auth_program /usr/local/squid/bin/group_ldap_auth o=siroe.com \
        ldap.siroe.com 389

To tell squid to use ldap_auth, use the ldap_auth acl directive:

    acl aclname ldap_auth (((static | dynamic) group) | username) ...

Use REQUIRED to accept any valid username. A list of groups and/or users can be specified here. Each group must be prefaced with either static or dynamic to define the group type. Group names with spaces in them should be enclosed in single quotes ("'").

Examples:

    acl user_acl ldap_auth REQUIRED
        - requires the user to be in the LDAP db, and the password to be valid

    acl users_acl ldap_auth joed janed toc
        - requires the user to be one of {joed, janed, toc}, the user to be in the LDAP db, and the password to be valid

    acl group_acl ldap_auth static 'product managers' dynamic uid=j*
        - requires the user to be a member of the static product managers group or a member of the dynamic uid=j* group (all user ids starting with j). The user must also exist in the LDAP db and have a valid password.

Users and groups can be mixed in an acl statement, but the special REQUIRED parameter cannot be mixed with them.
Examples:

    acl users_groups_acl ldap_auth frank john joe static 'useful managers'   *VALID*
    acl invalid_acl ldap_auth REQUIRED frank john joe                        *INVALID*

There are other configuration options that affect ldap_auth:

ldap_auth_children
    The number of ldap authenticator processes to spawn (default 5). If you start too few, Squid will have to wait for them to process a backlog of user/password verifications, slowing it down. When password verifications are done via a slow network, or you have ldap_auth acls with several groups, you are likely to need lots of ldap authenticator processes.

ldap_auth_cache_size
    The size of the ldap username/password/group cache in entries (default 64).

ldap_auth_cache_ttl
    The number of seconds a checked ldap username/password/group combination remains cached (default 3600). If a wrong password is given for a cached user, the user is removed from the username/password/group cache, forcing a revalidation.

ldap_auth_cache_ip_ttl
    With this option you control how long an ldap authentication will be bound to a specific IP address. If a request using the same user name is received from a different IP address during this time, access will be denied and both users are required to reauthenticate themselves. The idea behind this is to make it annoying for people to share their password with their friends, but still allow a dialup user to reconnect on a different dialup port. The default is 0, which disables the check. The recommended value if you have dialup users is no more than 60 (seconds). If all your users are stationary, higher values may be used.

HOW IT WORKS
------------

The module communicates with squid through the squid helper system: squid writes data to the module's stdin, and the module writes results back to its stdout. The other auth modules use a simple communications protocol: squid writes "username password" to the module, and the module writes back "OK" or "ERR". For group authentication to work, more information needs to be passed between squid and the module.
So the ldap_auth acl directive was added to complement the proxy_auth directive. When processing the ldap_auth directive, squid writes messages to this module of the form:

    username password groupcount grouptype #groupname# grouptype #groupname# ...

where groupcount specifies the number of groups that follow, grouptype is either s (for static) or d (for dynamic), and group names are bracketed by #'s. Example:

    jack SeCrEt 3 s #poor password choosers# s #localusers# d #ou=people#

or

    jack SeCrEt 0

if there are no groups to be checked.

The module reads this info and first verifies that the user is in the database. If this fails, a failure flag is returned to squid. If this lookup succeeds, the module checks the membership of each group until the user is found or all groups have been tried. Static groups in the directory can have an objectclass of either groupOfNames or groupOfUniqueNames, and the member uids must be uniqueMember attributes of the group. If the user is not found in any of the groups, a failure flag is returned. If the user is found among the groups, the module attempts to bind to the directory as that user with the supplied password. If that step succeeds, a pass flag is returned to squid along with the group that the user was found in (if any).

Upon failure, the module returns:

    f

Upon success, the module returns:

    p groupname

or, if no groups were provided by squid and the user authenticated okay:

    p

FOR MORE INFO
-------------

Go to http://www.fatgut.org/squid/group_ldap_auth/, or email tocrawle@users.sourceforge.net.
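The following is an added example, not the module's or the patch's own code: it models both halves of the exchange described above. The squid side turns the arguments of an ldap_auth acl line (quoted group names, the rule that REQUIRED cannot be mixed) into the request line written to the helper; the helper side parses that line and returns f, p or p groupname in the order the README gives. The directory is a constructed in-memory dict, dynamic groups are modelled only as uid=<glob> filters, and the bind as the user is replaced by a password compare.

```python
import fnmatch
import shlex

# Constructed stand-in for the LDAP directory: uid -> (password, static group names).
DIRECTORY = {"jack": ("SeCrEt", {"localusers"}), "jill": ("hunter2", set())}

def parse_acl_args(args):
    """Tokens after 'acl NAME ldap_auth' -> (required, users, [(grouptype, groupname)])."""
    tokens = shlex.split(args)              # honours the quotes around 'product managers'
    if "REQUIRED" in tokens:
        if len(tokens) != 1:                # the README marks mixing REQUIRED as *INVALID*
            raise ValueError("REQUIRED cannot be mixed with users or groups")
        return True, [], []
    users, groups, it = [], [], iter(tokens)
    for tok in it:
        if tok in ("static", "dynamic"):
            groups.append((tok[0], next(it)))   # 's' or 'd', then the group name
        else:
            users.append(tok)
    return False, users, groups

def build_request(username, password, groups):
    """Squid side: 'username password groupcount grouptype #groupname# ...'."""
    parts = [username, password, str(len(groups))]
    for gtype, gname in groups:
        parts += [gtype, f"#{gname}#"]      # '#' delimits names, so a name may not contain one
    return " ".join(parts)

def parse_request(line):
    """Helper side: split a request line back into (user, password, groups)."""
    fields = line.rstrip("\n").split(" ", 3)
    user, password, count = fields[:3]
    rest, pos, groups = (fields[3] if len(fields) > 3 else ""), 0, []
    for _ in range(int(count)):
        start = rest.index("#", pos) + 1
        end = rest.index("#", start)
        groups.append((rest[pos], rest[start:end]))  # grouptype char, then the name
        pos = end + 2                       # skip the closing '#' and the separating space
    return user, password, groups

def authenticate(line, directory=DIRECTORY):
    """Reply 'f', or 'p' / 'p groupname' when the user exists, is in one of the
    requested groups (if any) and the bind as that user (a password compare here) works."""
    user, password, groups = parse_request(line)
    real_pw, memberships = directory.get(user, (None, set()))   # unknown user matches nothing
    found = next((g for t, g in groups if (t == "s" and g in memberships)   # dynamic: uid=<glob> only
                  or (t == "d" and g.startswith("uid=") and fnmatch.fnmatchcase(user, g[4:]))), None)
    if (groups and found is None) or password != real_pw:
        return "f"
    return f"p {found}" if found else "p"
```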