<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="https://www.stress-free.co.nz"  xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>stressfree - squid</title>
 <link>https://www.stress-free.co.nz/tech/squid</link>
 <description></description>
 <language>en</language>
<item>
 <title>Transparent Squid Authentication to eDirectory</title>
 <link>https://www.stress-free.co.nz/transparent_squid_authentication_to_edirectory</link>
 <description>
  &lt;div class=&quot;field-body&quot;&gt;
    &lt;div class=&quot;image&quot;&gt;&lt;img src=&quot;/sites/default/files/u63/squid-edirectory.jpg&quot; alt=&quot;&quot; width=&quot;180&quot; height=&quot;59&quot; /&gt;&lt;/div&gt;
&lt;p&gt;This post explains how to setup a &lt;a id=&quot;le.n&quot; title=&quot;Squid HTTP proxy&quot; href=&quot;http://www.squid-cache.org/&quot;&gt;Squid HTTP proxy&lt;/a&gt; to transparently authenticate users against a &lt;a id=&quot;tlih&quot; title=&quot;Novell eDirectory&quot; href=&quot;http://www.novell.com/products/edirectory/&quot;&gt;Novell eDirectory&lt;/a&gt;. In the Novell eco-system &lt;a id=&quot;n-02&quot; title=&quot;Border Manager&quot; href=&quot;http://www.novell.com/products/bordermanager/&quot;&gt;Border Manager&lt;/a&gt; is the venerable choice for an internal firewall and proxy but it is showing its age. This guide is based on this &lt;a id=&quot;yett&quot; title=&quot;Novell Cool Solution&quot; href=&quot;http://www.novell.com/coolsolutions/feature/17777.html&quot;&gt;Novell Cool Solution&lt;/a&gt;. Unlike Border Manager, which requires the &lt;a id=&quot;y9j9&quot; title=&quot;CLNTRUST&quot; href=&quot;http://www.novell.com/coolsolutions/tip/7761.html&quot;&gt;CLNTRUST&lt;/a&gt; client-side tool, the setup described works without the need for any desktop client software.&lt;/p&gt;
&lt;h2&gt;How it works&lt;/h2&gt;
&lt;p&gt;Within a Novell managed network the eDirectory stores authenticated user&#039;s I.P. addresses. Squid performs an LDAP search against eDirectory using the incoming I.P. address of the client. If successful the authenticated username is returned and a proxy session established. If the search comes up empty Squid prompts the client to manually enter their credentials for authentication against the eDirectory. If this too fails the proxy request is denied.&lt;/p&gt;
&lt;h2&gt;eDirectory 8.8 incompatability&lt;/h2&gt;
&lt;p&gt;This solution currently only works with eDirectory &amp;lt; 8.8 because Novell has slightly changed the format they store network addresses in newer versions. At the time of writing I have not been able to test against eDirectory 8.8 so I cannot determine the required code changes or test results. Hopefully in the near future this situation will change.&lt;/p&gt;
&lt;h2&gt;Squid&#039;s external_acl_type option&lt;/h2&gt;
&lt;p&gt;Transparent authentication is made possible thanks to Squid&#039;s &lt;em&gt;external_acl_type &lt;/em&gt;configuration option. This allows external identities and groups to be identified via any external script. Once Squid is installed setting up transparent eDirectory authentication is a two step process:&lt;/p&gt;
&lt;ol&gt;&lt;li&gt; Create and tweak the &lt;strong&gt;squid_edir_iplookup.pl&lt;/strong&gt; file. &lt;/li&gt;
&lt;li&gt; Edit the &lt;strong&gt;squid.conf&lt;/strong&gt; configuration file &lt;/li&gt;
&lt;/ol&gt;&lt;!--break--&gt;&lt;h2&gt;The engine room: squid_edir_iplookup.pl&lt;/h2&gt;
&lt;p&gt;To begin create a file named squid_edir_iplookup.pl. This file can be anywhere on your system as long as the Squid process can access it. In this example I have created the file in /usr/lib/squid/ as this is where Red Hat stores all of Squid&#039;s authentication related scripts.&lt;/p&gt;
&lt;h3&gt;/usr/lib/squid/squid_edir_iplookup.pl&lt;/h3&gt;
&lt;p class=&quot;codesnippet&quot;&gt;#!/usr/bin/perl&lt;br /&gt; use Net::LDAP;&lt;br /&gt; use Net::LDAP::LDIF;&lt;br /&gt; use File::Path qw(rmtree);&lt;br /&gt; use File::Basename qw(basename);&lt;br /&gt;&lt;br /&gt; $HOST = &#039;your.edirectory.server&#039;;&lt;br /&gt; $PORT = 389;&lt;br /&gt; $ADMIN = &quot;cn=squid,ou=tech,o=company&quot;;&lt;br /&gt; $PASSWD = &quot;squidpassword&quot;;&lt;br /&gt; $BASEDN = &quot;o=company&quot;;&lt;br /&gt; @SITES = qw(ou=groups);&lt;br /&gt;&lt;br /&gt; $|=1;&lt;br /&gt;&lt;br /&gt; START: while (&amp;lt;&amp;gt;) {&lt;br /&gt;&lt;br /&gt; ($IP,$GROUP) = split(/ /,$_);&lt;br /&gt; # $SITE =~ tr/\n//d;&lt;br /&gt; $GROUP =~ tr/\n//d;&lt;br /&gt; $group_filter_string=&quot;&quot;;&lt;br /&gt; for $site (@SITES) {&lt;br /&gt; $group_filter_string=$group_filter_string.&quot;(groupMembership=cn=$GROUP,${site},$BASEDN)&quot;;&lt;br /&gt; }&lt;br /&gt;&lt;br /&gt;&lt;br /&gt; $netaddress = &quot;1\#&quot;;&lt;br /&gt; @octets = split(/\./,$IP);&lt;br /&gt; foreach $octet (@octets) {&lt;br /&gt; # The IP address is stored in eDirectory as four unsigned chars. ASCII 40, 41, 42 and&lt;br /&gt; # 92 are characters ( ) *\ which are known tokens in LDAP search filters If you dont&lt;br /&gt; # escape these with a backslash they will cause LDAP errors and he script will fail.&lt;br /&gt; if ((($octet &amp;gt;= 40) &amp;amp;&amp;amp; ($octet &amp;lt;= 42)) || ($octet == 92)) {&lt;br /&gt; $netaddress = $netaddress.sprintf(&quot;\\%c&quot;,$octet)&lt;br /&gt; } else {&lt;br /&gt; $netaddress= $netaddress.sprintf(&quot;%c&quot;,$octet);&lt;br /&gt; }&lt;br /&gt; }&lt;br /&gt; $filter=&quot;(&amp;amp;(objectclass=user)(|$group_filter_string)(networkAddress=$netaddress))&quot;;&lt;br /&gt; $attnames=[&#039;CN&#039;];&lt;br /&gt;&lt;br /&gt; #connect to the server&lt;br /&gt; until($ldap = Net::LDAP-&amp;gt;new($HOST, port =&amp;gt; $PORT)) {&lt;br /&gt; die &quot;Can not connect to ldap://$HOST:$PORT/&quot; if ++$count &amp;gt; 10;&lt;br /&gt; sleep 1;&lt;br /&gt; }&lt;br /&gt;&lt;br /&gt; $r = $ldap-&amp;gt;start_tls();&lt;br /&gt;&lt;br /&gt; $r = $ldap-&amp;gt;bind($ADMIN, password =&amp;gt; $PASSWD, version=&amp;gt;2);&lt;br /&gt; die $r-&amp;gt;error if $r-&amp;gt;code;&lt;br /&gt;&lt;br /&gt; $r = $ldap-&amp;gt;search(base =&amp;gt; $BASEDN,&lt;br /&gt; scope =&amp;gt; &#039;sub&#039;,&lt;br /&gt; filter =&amp;gt; $filter,&lt;br /&gt; attrs =&amp;gt; $attnames);&lt;br /&gt;&lt;br /&gt; $count = $r-&amp;gt;count;&lt;br /&gt; if ($count == 0) {&lt;br /&gt; print &quot;ERR\n&quot;;&lt;br /&gt; } else {&lt;br /&gt; foreach my $entry ($r-&amp;gt;entries){&lt;br /&gt; my @values = $entry-&amp;gt;get_value(CN);&lt;br /&gt; foreach $value (@values) {&lt;br /&gt; # Many users in eDirectory have multiple CN values - usually from the user template&lt;br /&gt; # used to create them - sometimes their maiden name is noted in the Other Name&lt;br /&gt; # attribute in ConsoleOne we want to report the proper CN to squid not these bogus&lt;br /&gt; # values.&lt;br /&gt; if ($value =~ m/template|previously/i) {&lt;br /&gt; next;&lt;br /&gt; } else {&lt;br /&gt; $value =~ tr/- //d;&lt;br /&gt; print &quot;OK user=$value\n&quot;;&lt;br /&gt; next START;&lt;br /&gt; }&lt;br /&gt; }&lt;br /&gt; }&lt;br /&gt; }&lt;br /&gt; $ldap-&amp;gt;unbind;&lt;br /&gt; }&lt;/p&gt;
&lt;p&gt;At the beginning of this file you want to change the $HOST, $PORT, $ADMIN, $PASSWD and $BASEDN parameters to ones that are relevant for your internal network. The @SITES array is not important as this is used in the &lt;a id=&quot;r7.2&quot; title=&quot;Cool Solution example&quot; href=&quot;http://www.novell.com/coolsolutions/feature/17777.html&quot;&gt;Cool Solution example&lt;/a&gt; to define different groups of users (something we are not concerned about here).&lt;/p&gt;
&lt;p&gt;Once you have saved the file make it executable:&lt;/p&gt;
&lt;p class=&quot;codesnippet&quot;&gt;chmod a+x /usr/lib/squid/squid_edir_iplookup.pl&lt;/p&gt;
&lt;p&gt;The trickiest step is making sure you have the correct Perl libraries installed on your system for the script to run. These libraries are defined at the top of the file (the USE statements). The easiest way of testing whether the script is working is to run it:&lt;/p&gt;
&lt;p class=&quot;codesnippet&quot;&gt;/usr/lib/squid/squid_edir_iplookup.pl&lt;/p&gt;
&lt;p&gt;The Perl interpreter will soon tell you if something is not right. If a required library is missing you will need to install it using your system&#039;s package management tool or directly from source (&lt;a id=&quot;rghv&quot; title=&quot;CPAN&quot; href=&quot;http://www.cpan.org/&quot;&gt;CPAN&lt;/a&gt; is useful).&lt;/p&gt;
&lt;p&gt;All going well when the script is run you will be presented with a new, blank line. Test the LDAP lookup by typing an I.P. address and pressing enter. After a brief delay a success/fail message will be returned:&lt;/p&gt;
&lt;p class=&quot;codesnippet&quot;&gt;/usr/lib/squid/squid_edir_iplookup.pl&lt;br /&gt; 192.168.1.10&lt;br /&gt; ERR&lt;/p&gt;
&lt;p&gt;In the above example no valid user was found in the eDirectory at this I.P. address. If the look-up was successful the relevant username will be returned. To quit the script press &lt;em&gt;CTRL+C&lt;/em&gt;.&lt;/p&gt;
&lt;h2&gt;Editing squid.conf&lt;/h2&gt;
&lt;p&gt;With the squid_edir_iplookup.pl script in place and working it is now time to edit the Squid configuration. The exact location of this file will vary depending on your operating system, but in the case of Red Hat this is:&lt;/p&gt;
&lt;h3&gt;/etc/squid/squid.conf&lt;/h3&gt;
&lt;p class=&quot;codesnippet&quot;&gt;http_port 3128&lt;br /&gt; http_port 8080&lt;br /&gt; hierarchy_stoplist cgi-bin ?&lt;br /&gt; acl QUERY urlpath_regex cgi-bin \?&lt;br /&gt; cache deny QUERY&lt;br /&gt; acl apache rep_header Server ^Apache&lt;br /&gt; broken_vary_encoding allow apache&lt;br /&gt; access_log /var/log/squid/access.log squid&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;external_acl_type IPUser ttl=3600 %SRC /usr/lib/squid/squid_edir_iplookup.pl&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;auth_param basic program /usr/lib/squid/squid_ldap_auth -b &quot;ou=users,o=company&quot; -u cn your.edirectory.server&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;auth_param basic children 5&lt;br /&gt; auth_param basic realm Squid Web Proxy&lt;br /&gt; auth_param basic credentialsttl 1 hours&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; # Used to pull LDAP group membership based on a supplied username - not currently used&lt;br /&gt; # external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -D cn=squid,ou=tech,o=company -w squidpassword -b o=company -s sub -f &quot;(&amp;amp;(objectclass=inetOrgPerson)(cn=%u)(groupMembership=%g))&quot; -h your.edirectory.server&lt;br /&gt;&lt;br /&gt; refresh_pattern ^ftp: 1440 20% 10080&lt;br /&gt; refresh_pattern ^gopher: 1440 0% 1440&lt;br /&gt; refresh_pattern . 0 20% 4320&lt;br /&gt;&lt;br /&gt; acl all src 0.0.0.0/0.0.0.0&lt;br /&gt; acl manager proto cache_object&lt;br /&gt; acl localhost src 127.0.0.1/255.255.255.255&lt;br /&gt; acl localnet src 192.168.1.0/255.255.255.0&lt;br /&gt; acl to_localhost dst 127.0.0.0/8&lt;br /&gt; acl SSL_ports port 443&lt;br /&gt; acl Safe_ports port 80 # http&lt;br /&gt; acl Safe_ports port 21 # ftp&lt;br /&gt; acl Safe_ports port 443 # https&lt;br /&gt; acl Safe_ports port 70 # gopher&lt;br /&gt; acl Safe_ports port 210 # wais&lt;br /&gt; acl Safe_ports port 1025-65535 # unregistered ports&lt;br /&gt; acl Safe_ports port 280 # http-mgmt&lt;br /&gt; acl Safe_ports port 488 # gss-http&lt;br /&gt; acl Safe_ports port 591 # filemaker&lt;br /&gt; acl Safe_ports port 777 # multiling http&lt;br /&gt; acl CONNECT method CONNECT&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;acl edirectory_users external IPUser Everyone&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;acl authenticated_users proxy_auth REQUIRED localnet&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; http_access allow manager localhost&lt;br /&gt; http_access deny manager&lt;br /&gt; http_access deny !Safe_ports&lt;br /&gt; http_access deny CONNECT !SSL_ports&lt;br /&gt; http_access deny to_localhost&lt;br /&gt;&lt;br /&gt; http_access allow edirectory_users&lt;br /&gt; http_access allow authenticated_users&lt;br /&gt; http_access allow localhost&lt;br /&gt; # http_access allow localnet&lt;br /&gt; http_access deny all&lt;br /&gt;&lt;br /&gt; http_reply_access allow all&lt;br /&gt;&lt;br /&gt; icp_access allow all&lt;br /&gt;&lt;br /&gt; coredump_dir /var/spool/squid&lt;br /&gt;&lt;br /&gt; debug_options ALL,1&lt;br /&gt; # For debugging ACLs&lt;br /&gt; # debug_options ALL,1 33,2 28,9&lt;/p&gt;
&lt;p&gt;You will need to change the relevant parts in this file to suit your eDirectory and internal network settings (i.e. the localnet setting).&lt;/p&gt;
&lt;p&gt;The Squid configuration file is a tricky beast, but what is listed above is fairly standard. The first highlighted section is where the external squid_edir_iplookup.pl script is referenced. If this check fails an LDAP-backed HTTP BASIC authentication request is made.&lt;/p&gt;
&lt;p&gt;The second highlighted area identifies two Access Control Lists, the first based on the result of the eDirectory I.P. lookup and the second on the HTTP BASIC authentication response. If the incoming request is from someone authenticated within the eDirectory OR by the HTTP BASIC process then outbound access is granted.&lt;/p&gt;
&lt;p&gt;It is possible to use LDAP group information to form ACLs that further limit Web access. The above example does not utilise this functionality, but the Novell Cool Solution goes into it in further detail. My advice is get the Squid/eDirectory authentication working at a very basic level and then make it more complicated. Starting at the most complicated scenario will only lead to failure and frustration.&lt;/p&gt;
&lt;p&gt;If you are encountering authentication issues then enable the debugging options at the bottom of the configuration file. This is fairly verbose but can be very useful in identifying configuration mistakes.&lt;/p&gt;
&lt;h2&gt;Reviewing HTTP access logs with Webmin &amp;amp; SARG&lt;/h2&gt;
&lt;p&gt;&lt;a id=&quot;ny.x&quot; title=&quot;SARG&quot; href=&quot;http://sarg.sourceforge.net/&quot;&gt;SARG&lt;/a&gt; (Squid Analysis Report Generator) is a handy tool for reviewing Squid access files. There is a very good &lt;a id=&quot;t18l&quot; title=&quot;Webmin&quot; href=&quot;http://www.webmin.com/&quot;&gt;Webmin&lt;/a&gt; module for this application, so rather than struggling with the command line install Webmin on the proxy. By the way, while you are at it install &lt;a id=&quot;f0tq&quot; title=&quot;my Webmin theme&quot; href=&quot;/webmin-theme&quot;&gt;my Webmin theme&lt;/a&gt;, your eyes will thank you for it.&lt;/p&gt;
&lt;div class=&quot;centeredimage&quot;&gt;&lt;a href=&quot;/sites/default/files/u63/squid-sarg_lg.jpg&quot;&gt; &lt;img src=&quot;/sites/default/files/u63/squid-sarg_sm.jpg&quot; alt=&quot;&quot; width=&quot;400&quot; height=&quot;216&quot; /&gt;&lt;br /&gt; The SARG module within Webmin (click to enlarge)&lt;/a&gt;&lt;/div&gt;
&lt;p&gt; &lt;/p&gt;  &lt;/div&gt;

&lt;ul class=&quot;field-taxonomy-vocabulary-1&quot;&gt;

      &lt;li&gt;
      &lt;a href=&quot;/tech/linux&quot;&gt;linux&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tutorials&quot;&gt;software tutorials&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/novell&quot;&gt;novell&lt;/a&gt;    &lt;/li&gt;
      &lt;li&gt;
      &lt;a href=&quot;/tech/squid&quot;&gt;squid&lt;/a&gt;    &lt;/li&gt;
  
&lt;/ul&gt;
</description>
 <pubDate>Tue, 07 Oct 2008 10:36:45 +0000</pubDate>
 <dc:creator>David</dc:creator>
 <guid isPermaLink="false">526 at https://www.stress-free.co.nz</guid>
</item>
</channel>
</rss>
