SQUID with two authentication methods


SQUID with two authentication methods

Colle Christophe
Hello,

I want to configure SQUID with two authentication methods:

- Kerberos (for SSO from workstations in an Active Directory domain)
- Basic (Open LDAP directory)

The LDAP directory contains all the "official" accounts of people, the AD directory contains some accounts (same identifiers as on LDAP) and generic accounts.

Everything works fine, but I would like to add an extra check: the Kerberos account must also exist in the LDAP directory, so that generic accounts cannot be used.

I managed to do that with Squid, but I get this behavior:

- Account present in AD + LDAP: OK
- Account present in AD but not in LDAP: KO

Is it possible to force LDAP authentication if "check_ldap" fails?

My config:

# KERBEROS
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param negotiate children 50  startup=5 idle=1
auth_param negotiate keep_alive on

# LDAP
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b "ou=official" -f "(uid=%s)" ldap.contonso.lan:389
auth_param basic children 50 startup=5 idle=1
auth_param basic credentialsttl 1 hours

# Extra check
external_acl_type check_ldap ipv4 ttl=3600 children-max=50 %LOGIN /etc/squid/check_ldap_aca.sh

acl authenticated proxy_auth REQUIRED
acl check_ldap external check_ldap

http_access allow http port_80 check_ldap
http_access allow https port_443 check_ldap
http_access allow ftp port_21 check_ldap

http_access deny !authenticated

http_access deny all

My check_ldap_aca.sh:

#!/bin/bash
# Squid external ACL helper: one %LOGIN value per line on stdin,
# one "OK ..." / "ERR ..." line per request on stdout.

while read -r user
do
        # Kerberos logins arrive as user@REALM, Basic logins as the bare uid:
        # keep only the part before the '@'.
        identifiant=${user%%@*}

        # Escape the RFC 4515 filter metacharacters (backslash first) so the
        # login cannot widen the search filter when it is interpolated below.
        safe=$(printf '%s' "$identifiant" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')

        # The original passed the literal string "%s" to ldapsearch, so the uid was
        # never looked up. -x selects a simple bind for -D/-w; the bind password is
        # redacted as ***** in the post and must be quoted or the shell globs it.
        result=$(ldapsearch -LLL -x -h ldap.contonso.lan -p 389 -D "uid=usr-proxy" -w '*****' -b "ou=official" "(uid=$safe)" uid 2>/dev/null)
        if [ -n "$result" ]
        then
                echo "OK user=$identifiant"
        else
                echo "ERR user=$identifiant"
        fi
done


Thanks!

--
Chris

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: SQUID with two authentication methods

Amos Jeffries
Administrator
On 17/01/18 06:23, Colle Christophe wrote:

> Hello,
>
> I want to configure SQUID with two authentication methods:
>
> - Kerberos (for SSO from workstations in an Active Directory domain)
> - Basic (Open LDAP directory)
>
> The LDAP directory contains all the "official" accounts of people, the
> AD directory contains some accounts (same identifiers as on LDAP) and
> generic accounts.
>
> Everything works fine, but I would like to add an extra check: the
> Kerberos account must also exist in the LDAP directory, so that generic
> accounts cannot be used.
>
> I managed to do that with Squid but I get this behavior:
>
> - Account present in AD + LDAP: OK
> - Account present in AD but not in LDAP: KO
>
> *Is it possible to force LDAP authentication if "check_ldap" fails?*

<https://wiki.squid-cache.org/Features/Authentication#Can_I_use_different_authentication_mechanisms_together.3F>

Please note:
  "Squid can not force the clients to choose one over the other."


You would do better to change your design and use an authentication
helper of your own that performs these complex relationship checks,
instead of trying to warp Squid ACLs into doing things they are not
supposed to do.

You already have a custom ACL helper. Convert that to one which handles
the auth credentials through the auth_param interface and does both the
login check and the LDAP check before declaring Kerberos credentials as
acceptable to Squid.


Also, given the order of your squid.conf, it is pretty confusing to do the
login (deny !authenticated) *after* all your check_ldap rules, which rely
on credentials being valid.


Amos
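The design Amos describes, as an added example written for this page (it is not code from the thread, nor from the Squid project): a Negotiate helper that wraps negotiate_kerberos_auth, and only lets an AF (ticket accepted) reply through to Squid when the principal's uid also exists under ou=official in OpenLDAP. The Kerberos helper path, ldap.contonso.lan, ou=official and the bind DN uid=usr-proxy are taken from the thread; the script name negotiate_kerberos_ldap.py, the password file /etc/squid/ldap.pw and the assumption that negotiate_kerberos_auth prints the whitespace-separated "AF token user" reply line are mine. It also escapes the uid per RFC 4515 before it goes into the filter, and reports an LDAP outage as BH rather than as a failed login.

```python
#!/usr/bin/env python3
"""negotiate_kerberos_ldap.py: Squid Negotiate helper that wraps
negotiate_kerberos_auth and only accepts a Kerberos principal whose uid also
exists under ou=official in OpenLDAP (the "no generic accounts" rule).
Added example; not code from the thread or from the Squid project."""
import subprocess
import sys

# Values taken from the thread, plus assumed ones marked below.
KERBEROS_HELPER = "/usr/lib/squid/negotiate_kerberos_auth"
LDAP_URI = "ldap://ldap.contonso.lan:389"
LDAP_BASE = "ou=official"
BIND_DN = "uid=usr-proxy"            # from check_ldap_aca.sh
BIND_PW_FILE = "/etc/squid/ldap.pw"  # assumed: keeps the password out of argv/ps


class LdapUnavailable(Exception):
    """ldapsearch failed or timed out: distinct from 'uid not found'."""


def uid_from_principal(principal: str) -> str:
    """'user@REALM' -> 'user'; a bare uid is returned unchanged."""
    return principal.split("@", 1)[0]


def escape_ldap_filter(value: str) -> str:
    """RFC 4515 escaping so a principal cannot widen the search filter
    (e.g. 'x*' or 'x)(uid=admin' must match nothing but themselves)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def uid_exists_in_ldap(uid: str) -> bool:
    """Same lookup as check_ldap_aca.sh, with an escaped filter and -y for the
    bind password (ldapsearch uses the file contents verbatim: no trailing newline)."""
    cmd = ["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-D", BIND_DN,
           "-y", BIND_PW_FILE, "-b", LDAP_BASE,
           "(uid=%s)" % escape_ldap_filter(uid), "dn"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired) as exc:
        raise LdapUnavailable(str(exc))
    if proc.returncode != 0:  # exit 0 with empty output means "no such entry"
        raise LdapUnavailable(proc.stderr.strip() or "ldapsearch exit %d" % proc.returncode)
    return "dn:" in proc.stdout


def rewrite_reply(reply: str, exists) -> str:
    """Apply the LDAP rule to one reply line from the Kerberos helper.

    Negotiate replies are 'AF token user', 'NA token message', 'TT token' or
    'BH message'; only AF (ticket accepted) gets the extra check. Assumes the
    whitespace-separated 'AF token user' form. A failed LDAP query becomes BH
    (helper trouble) rather than NA, so an outage is not logged as a bad login.
    """
    line = reply.rstrip("\n")
    parts = line.split(" ", 2)
    if len(parts) == 3 and parts[0] == "AF":
        token, user = parts[1], parts[2]
        try:
            if not exists(uid_from_principal(user)):
                return "NA %s %s is not an official (LDAP) account\n" % (token, user)
        except LdapUnavailable as exc:
            return "BH LDAP check failed: %s\n" % exc
    return line + "\n"


def main() -> int:
    """Relay Squid <-> negotiate_kerberos_auth one request at a time.
    Negotiate helpers are stateful (no concurrency= option), so every line
    in gets exactly one line out. Extra argv (e.g. -s HTTP/proxy.fqdn) is
    passed through to the real helper."""
    krb = subprocess.Popen([KERBEROS_HELPER] + sys.argv[1:],
                           stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                           text=True, bufsize=1)
    for request in sys.stdin:
        krb.stdin.write(request)
        krb.stdin.flush()
        reply = krb.stdout.readline()
        if not reply:  # the real helper died; tell Squid instead of hanging
            sys.stdout.write("BH negotiate_kerberos_auth exited\n")
            sys.stdout.flush()
            return 1
        sys.stdout.write(rewrite_reply(reply, uid_exists_in_ldap))
        sys.stdout.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To use it, point `auth_param negotiate program` at this script instead of negotiate_kerberos_auth, keep the basic_ldap_auth line for the Basic path (a user who types LDAP credentials never passes through this helper), and drop check_ldap from the http_access rules, which lets `http_access deny !authenticated` come first as Amos suggests. Whether a browser that receives NA for its Kerberos ticket then offers Basic credentials is up to the client; Squid cannot force that choice.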