Authenticating users from several groups

Today I had my first encounter with authenticated proxies (creepy). The client has a working LDAP directory and Samba servers for logins in their network, and until now they have plain old packet forwarding for WWW access. They didn’t even had Squid caching as a transparent proxy, and they suddenly wanted to authenticate users against the directory, and give particular access to users of certain groups.

Luis was working on this using winbind and ntlm_auth in Squid (all from their corresponding packages in Sarge) and he was using the --require-membership-of stanza on auth_param. So his configuration was basically:

  • An authentication required ACL: acl whocares auth_proxy REQUIRED
  • Two authenticators (auth_param) using winbind (one for basic and one for digest) with the ntlm_auth utility, and specifying the SID of the group.
  • Repeat the last step for every group wanted to have access to the proxy
  • http_access rules involving the ACL made in step 1

This approach didn’t work as it meant to be used, since only the first authenticator worked. Seems like Squid parses the list of authenticators and only work with the first one. So only one group can be allowed to use the proxy this way, as far as I understand. I googled a bit through some Russian forums and started solving some problems with winbind and Samba themselves: no domain separators, no stanzas for winbind in the smb.conf (winbind use default domain = yes), bad mappings for uids and gids, etc.

Then I found out about, a Squid helper written in PerlOfCourse which can find out the group of a certain user trying to authenticate with the proxy. So I thought that maybe this way I could made specific acl’s for each group and even control other stuff in Squid using the group. I made this in this way:

  • An exteal ACL (the helper) defined as: exteal_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/
  • An ACL that tries to match the helper with a group name: acl allowed exteal nt_group "Allowed Navigation"
  • Rulelists involving the above ACL
  • Repeat steps 2 and 3 for each group with special needs.

This is magically working, and I think there’s more flexibility with this than the other way, but I’m not an expert and I have questions that will be answered in this week, hopefully:

  • Do I need the proxy_auth REQUIRED ACL?
  • Is there another way to allow access for several groups using winbind and NTLM?
  • Why use winbind? Wouldn’t LDAP, SMB or other authenticators named in the Squid FAQ work?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s