I am working on setting up new web proxies at my job. We were initially planning on buying Blue Coat proxies but the economic downturn came along and we're not buying them anymore...

The great feature that these proxies had was that they offered the possibility to authenticate users against several LDAP proxies. For example, a certain subnet of users authenticate against a specific LDAP server while another subnet of users authenticate against another LDAP server.

Is this possible using open source software such as Squid? I really like pfSense because the interface is really simple and pretty; would it be possible to do such a thing with it?

Thank you in advance for your help,

Antoine

3 Answers

You could make Squid authenticate against a single OpenLDAP server acting as a proxy for several backend directories. From slapd-meta(5):

NAME slapd-meta - metadirectory backend

SYNOPSIS /etc/ldap/slapd.conf

DESCRIPTION The meta backend to slapd(8) performs basic LDAP proxying with respect to a set of remote LDAP servers, called "targets". The information contained in these servers can be presented as belonging to a single Directory Information Tree (DIT).

This will work even if the DN hierarchies overlap among both groups by writing a few massaging rules -- I'm guessing that is the case because you would be using aliasing and delegation instead.

In any case I believe it is healthy that users are allowed to authenticate against the unified directory because their identity remains the same regardless of the subnet they happen to find themselves into.

codehead
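To make the metadirectory approach concrete, here is a constructed slapd.conf fragment (added here; it is not from the answer above or from the OpenLDAP documentation) that presents two backend directories as one tree, followed by the matching Squid auth_param line. The host names, suffixes and the helper path are assumptions; slapd-meta's `suffixmassage` rewrites the DNs so that each group's entries appear under their own branch of the unified suffix:

```conf
# --- slapd.conf on the proxy directory (constructed example) ---
database        meta
suffix          "dc=unified,dc=example"

# Group A: lives on ldap-a.example under dc=a,dc=example
uri             "ldap://ldap-a.example/ou=people,dc=a,dc=unified,dc=example"
suffixmassage   "ou=people,dc=a,dc=unified,dc=example" "ou=people,dc=a,dc=example"

# Group B: lives on ldap-b.example under dc=b,dc=example
uri             "ldap://ldap-b.example/ou=people,dc=b,dc=unified,dc=example"
suffixmassage   "ou=people,dc=b,dc=unified,dc=example" "ou=people,dc=b,dc=example"

# --- squid.conf: authenticate against the proxy directory only ---
# Search the whole unified tree for the uid, then bind as the DN found.
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=unified,dc=example" -f "(uid=%s)" -h 127.0.0.1
auth_param basic children 5
auth_param basic realm Web proxy
acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access deny all
```

Two things to check before relying on this: the search the helper performs against the metadirectory must be permitted (either anonymously or with a dedicated read-only bind account passed via `-D`/`-w`), and the bind for the user's credentials is proxied through to the real backend, so a failure on one backend only affects that branch of the tree. If the same uid exists in both backends, the `(uid=%s)` search returns two entries and the helper cannot pick the right one; in that case either use a filter that includes the branch or keep the uids unique across both groups.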

In my answer, I'm assuming that you have read about the Squid authentication protocol, are familiar with how to configure an LDAP auth helper and are planning to run Squid under some kind of Unix operating system. Furthermore, the first two answers help you choose different LDAP servers based on username, not IP subnet (you mentioned "subnet", but ITYM "subset" - right?).

  1. Use a simple script (language doesn't matter, use your favourite one) to forward the request to different LDAP servers based on the username. An experienced Unix administrator should get this up and running within 30 minutes, it's not a big deal.
  2. Use a single LDAP server which returns LDAP referrals based on the user's DN.

If you really want to change LDAP servers based on the IP subnet things will get a little ugly, since the Squid auth protocol only transmits username/password pairs to the auth helpers:

  1. Configure a single Squid server and have it listen on localhost only. This Squid instance will do all the caching work.
  2. For every subnet, set up another Squid instance, without a local cache, and configure the appropriate LDAP server. Use different ports for every Squid instance, too. These Squid instances forward all requests to the caching one defined in step 1.
  3. Depending on how you configure proxy settings in your users' browsers, you will have to use either DNS views or redirect rules in your webserver.
Stefan Förster
  • What I'm looking at is definitely IP subnets... I guess subsets of users could be an option. The second option you are mentioning, I was already considering. I was thinking of using Solaris Zones to do this but it really smells fishy. – Antoine Benkemoun Sep 26 '09 at 08:21
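Stefan's first option (route the bind to a different LDAP server based on the username) as an added example; this is not Squid's code and not from anyone in this thread. It implements a Squid basic auth helper in Python: Squid writes one `user password` line per request to the helper's stdin (both fields URL-encoded) and reads back `OK` or `ERR`. The realm convention (`user@realm`), the server names and the use of the `ldap3` module for the real bind are assumptions; the bind is injectable so the routing logic can be exercised without a directory:

```python
#!/usr/bin/env python3
"""Squid basic auth helper that picks the LDAP server by username realm.

Constructed example: the realm table, host names and DN templates are
placeholders.  Install with:
  auth_param basic program /usr/local/bin/route_ldap_auth.py
"""
import sys
import urllib.parse

# Realm -> (LDAP URI, bind DN template).  Realm is the part after '@'.
REALMS = {
    "eng.example":   ("ldap://ldap-eng.example",   "uid={uid},ou=people,dc=eng,dc=example"),
    "sales.example": ("ldap://ldap-sales.example", "uid={uid},ou=people,dc=sales,dc=example"),
}


def escape_dn(value):
    """Escape an attribute value for use inside a DN (RFC 4514).

    Without this a username such as 'x,ou=admins' would change the DN we bind as.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def parse_request(line):
    """Parse one helper request line; returns (user, password) or None if malformed."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        return None
    # Squid URL-encodes both fields, so a literal space arrives as %20.
    return urllib.parse.unquote(parts[0]), urllib.parse.unquote(parts[1])


def route(username):
    """Map 'uid@realm' to (ldap_uri, bind_dn); None when the realm is unknown."""
    if "@" not in username:
        return None
    uid, realm = username.rsplit("@", 1)
    target = REALMS.get(realm.lower())
    if target is None or not uid:
        return None
    uri, dn_template = target
    return uri, dn_template.format(uid=escape_dn(uid))


def ldap_bind(uri, dn, password):
    """Real simple bind via the ldap3 module (assumed available in production)."""
    import ldap3  # imported lazily so the routing logic is testable without it
    conn = ldap3.Connection(ldap3.Server(uri), user=dn, password=password)
    return bool(conn.bind())


def authenticate(username, password, bind_fn=ldap_bind):
    """Return the response line for Squid: 'OK' or 'ERR <reason>'."""
    if not password:
        return "ERR empty password"   # never let an anonymous bind count as success
    target = route(username)
    if target is None:
        return "ERR unknown realm"
    uri, dn = target
    try:
        ok = bind_fn(uri, dn, password)
    except Exception:
        return "ERR directory unavailable"
    return "OK" if ok else "ERR"


def run_lines(lines, bind_fn=ldap_bind):
    """Process an iterable of request lines and return the list of responses."""
    responses = []
    for line in lines:
        req = parse_request(line)
        responses.append("ERR malformed request" if req is None else authenticate(req[0], req[1], bind_fn))
    return responses


if __name__ == "__main__":
    # Squid keeps the helper running and sends one request per line.
    for line in sys.stdin:
        resp = run_lines([line])[0]
        sys.stdout.write(resp + "\n")
        sys.stdout.flush()
```

The helper only ever sees the username and password, which is exactly why this cannot select a server by client IP; Stefan's second layout (one front Squid per subnet, each with its own helper, chained to a single caching instance) is the way around that. Keep the `ERR` messages generic so that a caller cannot tell an unknown realm from a wrong password if you care about user enumeration, and run the helper under its own unprivileged account.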

You can build your own authentication helper for squid - http://www.visolve.com/squid/squid30/externalsupport.php#auth_param

http://www.cyberciti.biz/tips/howto-configure-squid-ldap-authentication.html

Martynas Saint