Squid + LDAP + Active Directory

Started by Bloody Jack Kidd, September 10, 2010, 10:35:02 AM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

Bloody Jack Kidd

any one done this (methinks I know who has)??
Sysadmin - Parallel42

Andrew Carrick

There was that time with the squid and the LAPD and the phone directory but I don't want to talk about it...
Jelf Insurance Partnership
Hull, East Yorkshire, UK
Me and TAM used to have a thing but we've split amicably. She got the kids, I got the Camaro and the maid.

Mark

Quote from: Rick Chisholm on September 10, 2010, 10:35:02 AM
any one done this (methinks I know who has)??


Yes, minus the ldap piece methinks.  In fact, i learned it all, then did it again recently through a utility of some sort and it was less complicated.

Just add the squid box to AD and use NTLM auth in your squid conf.  If that doesn't do the trick, there may be more to it and you are welcome to have my config files for a working reference if you'd like.

If you'v already tried and did not succeed, make sure you have winbindd.

::edit::
Oh, and I don't think it works via transparent proxy.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

insurebaltimore

I'm having a "low voltage" day, so don't flame me for the following question:  Why would you want both? (LDAP and AD)
Jason Gobbel
Microsoft Certified | Six Sigma - Lean/DFSS Certified

"I even put the router lower than the server so the bits gain speed going downhill!" - Rick

Mark

Quote from: insurebaltimore on September 17, 2010, 10:52:03 AM
I'm having a "low voltage" day, so don't flame me for the following question:  Why would you want both? (LDAP and AD)

Low voltage here as well,  but I think that it used to be common to use ldap instead of full AD integration.  Now, you can just add your *nix right to AD, no worries.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

insurebaltimore

Yeah, I guess if your stack o' *nix workstations are not AD integrated, then it would make sense to have dual authentication.

I know it's fairly simple to get Debian to join a domain.  I dunno about BSD.
Jason Gobbel
Microsoft Certified | Six Sigma - Lean/DFSS Certified

"I even put the router lower than the server so the bits gain speed going downhill!" - Rick

Bloody Jack Kidd

BSD is pretty much the same - just add Samba more or less...
Sysadmin - Parallel42

Bloody Jack Kidd

Now a couple roadblocks I am going to run into using NTLM_AUTH are:

1) the weak NTLM hash is a security concern
2) NTLM is somewhat deprecated, esp. with 2008 Server

I'm going to give it a whirl regardless and deal with the above after the fact.
Sysadmin - Parallel42

Joshua Hirsh

This message is a bit delayed.. but you started the thread before I signed up  :P

Definitely do-able, as I'm sure you've figured out by now. NTLM with Windows 2008 is still possible, but you have to force the server to be able to negotiate at NTLMv1 when required, or switch to something like Kerberos for authentication.

I opted for the former at the time and haven't had a chance to revisit it. Odds are you'll probably only run into issues depending on scale and the version you're using. Most commonly, you'll see some slow memory leaks in the ntlm_auth helper. I'm not sure what the ratio is, but I have a few thousand users hitting it constantly for an average of 1.5 million requests per day. After a few days, some of the ntlm_auth helpers are sitting around 700 MB of RAM each. Nothing a quick Squid restart won't fix, though.



Jeff Zylstra

First of all, +1 for contributing right off the bat and second of all WELCOME!   We can always use new guinea pigs here in the labs.   ;)
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Bloody Jack Kidd

Thanks Joshua - yer gonna be handy to have around!

As it so happens, this project got back-burnered and I'm going to take another run at it soon.  Need to cobble an old server back together for the test bed and then we're off to the races.

Going to give BSD another shot, but if that fails, Ubuntu LTS or Centos are likely next up.
Sysadmin - Parallel42

Joshua Hirsh

My current server is running on CentOS 5 (in VM). Starting fresh from 6 would be a better option, though, as you would go from 2.6 to 3.1.4 (at the moment). In your case your version on BSD will probably be more up to date, so you may not see the same issues that I did. It could be largely due to load in my case too. On an average day this thing is sucking down a fairly constant 15 Mbps of web traffic alone.

Bloody Jack Kidd

currently the enterprise is spread across 4 proxies, I'd like to get that down to two with proper auth allowing for better permission control for who can get to what and when...

Sysadmin - Parallel42

Joshua Hirsh

Assigning different Squid ACL's to A.D. groups is definitely a plus. In theory adding something like Dansguardian into the mix for content level filtering is useful too, but I never had time to investigate that side of it.

For the most part I let the users surf where they want, but I parse out the access.log to look for obvious signs of abuse (porn for lunch?) and dump it into SQL for reporting.

Bloody Jack Kidd

Been using SquidGuard for URL content filtering for a while now - pretty happy with it.  For logging / review I use a combination of SARG and calamaris.  I've recently added a DNS sinkhole to the mix, waiting for corporate buy-in on that project.
Sysadmin - Parallel42