Pseudo proxy authentication (mapping of IP address to user name) in intercept mode.

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Pseudo proxy authentication (mapping of IP address to user name) in intercept mode.

Rafael Akchurin

Hello everyone,

 

I would like to get your opinions on the subject.

 

Problem: admin needs to manage squid acls (and icap web filter settings) using security groups from Active Directory. For non-technical reasons, setup of explicit proxy settings and thus enforcing proxy authentication on Squid is not possible.

 

Solution:

 

1.      Deploy some agent on domain controller that would periodically enumerate workstation IPs and get currently logged on users by WMI or something like this. This is fine and already working in our project at https://github.com/diladele/active-directory-inspector

2.      Let Squid somehow use the remote running inspector to match the IP address to user names (and expose the user name to ICAP eventually). May be anyone knows the type of helper/acl/annotation that needs to be in running/configured on the Squid box?

 

Thanks for anyone responding.

 

Best regards,

Rafael Akchurin

Diladele B.V.

 

 

 

 


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Pseudo proxy authentication (mapping of IP address to user name) in intercept mode.

Amos Jeffries
Administrator
On 17/10/17 22:39, Rafael Akchurin wrote:

> Hello everyone,
>
> I would like to get your opinions on the subject.
>
> *Problem*: admin needs to manage squid acls (and icap web filter
> settings) using security groups from Active Directory. For non-technical
> reasons, setup of explicit proxy settings and thus enforcing proxy
> authentication on Squid is not possible.
>
> *Solution*:
>
> 1.Deploy some agent on domain controller that would periodically
> enumerate workstation IPs and get currently logged on users by WMI or
> something like this. This is fine and already working in our project at
> https://github.com/diladele/active-directory-inspector
>
> 2.Let Squid somehow use the remote running inspector to match the IP
> address to user names (and expose the user name to ICAP eventually). May
> be anyone knows the type of helper/acl/annotation that needs to be in
> running/configured on the Squid box?
>

That kind of authorization is the purpose of the session and LDAP
external ACL helpers. Though AFAIK neither of them uses the AD interface
(YMMV if the Perl DB module can use AD as an SQL-like database).

You might be able to also be use the Basic auth LDAP helper from
Squid-3.4+ as an external ACL helper. It will require some fiddling of
the LDAP parameters and the ACL input format to make the external ACL
input into the Basic-auth lookup.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Pseudo proxy authentication (mapping of IP address to user name) in intercept mode.

Rafael Akchurin
Hello Amos,

Thanks for your responses.

What I do not understand completely - if we have intercept style of deployment, when browsers know nothing about the proxy - how basic (or any other type of authenticator) will work? I always thought browsers will discard proxy-auth responses just because they do not know if proxy is in-between.

May it be that only session helper is applicable in this case?

Best regards,
Rafael

-----Original Message-----

> *Problem*: admin needs to manage squid acls (and icap web filter
> settings) using security groups from Active Directory. For
> non-technical reasons, setup of explicit proxy settings and thus
> enforcing proxy authentication on Squid is not possible.
>
> *Solution*:
>
> 1.Deploy some agent on domain controller that would periodically
> enumerate workstation IPs and get currently logged on users by WMI or
> something like this. This is fine and already working in our project
> at https://github.com/diladele/active-directory-inspector
>
> 2.Let Squid somehow use the remote running inspector to match the IP
> address to user names (and expose the user name to ICAP eventually).
> May be anyone knows the type of helper/acl/annotation that needs to be
> in running/configured on the Squid box?
>

That kind of authorization is the purpose of the session and LDAP external ACL helpers. Though AFAIK neither of them uses the AD interface (YMMV if the Perl DB module can use AD as an SQL-like database).

You might be able to also be use the Basic auth LDAP helper from Squid-3.4+ as an external ACL helper. It will require some fiddling of the LDAP parameters and the ACL input format to make the external ACL input into the Basic-auth lookup.
 
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Pseudo proxy authentication (mapping of IP address to user name) in intercept mode.

Rafael Akchurin
In reply to this post by Amos Jeffries
Ok thanks again Amos.

The plan is then:

- external acl helper gets the SRC and connects to REST server running on AD DC with IP <-> user mapping database
- replies with OK user=<name>
- this name get's delivered to access log and ICAP/eCAP
- (optional) we are able to match the user to security group and apply designated filtering policy in our ICAP server.

Written above seems to work in the test lab.

Best regards,
Rafael Akchurin
Diladele B.V.

-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Amos Jeffries
Sent: Tuesday, October 17, 2017 3:54 PM
To: [hidden email]
Subject: Re: [squid-users] Pseudo proxy authentication (mapping of IP address to user name) in intercept mode.

On 17/10/17 22:39, Rafael Akchurin wrote:

> Hello everyone,
>
> I would like to get your opinions on the subject.
>
> *Problem*: admin needs to manage squid acls (and icap web filter
> settings) using security groups from Active Directory. For
> non-technical reasons, setup of explicit proxy settings and thus
> enforcing proxy authentication on Squid is not possible.
>
> *Solution*:
>
> 1.Deploy some agent on domain controller that would periodically
> enumerate workstation IPs and get currently logged on users by WMI or
> something like this. This is fine and already working in our project
> at https://github.com/diladele/active-directory-inspector
>
> 2.Let Squid somehow use the remote running inspector to match the IP
> address to user names (and expose the user name to ICAP eventually).
> May be anyone knows the type of helper/acl/annotation that needs to be
> in running/configured on the Squid box?
>

That kind of authorization is the purpose of the session and LDAP external ACL helpers. Though AFAIK neither of them uses the AD interface (YMMV if the Perl DB module can use AD as an SQL-like database).

You might be able to also be use the Basic auth LDAP helper from Squid-3.4+ as an external ACL helper. It will require some fiddling of the LDAP parameters and the ACL input format to make the external ACL input into the Basic-auth lookup.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users