Squid3 LDAP Group Membership Helper

Here are the lines I use to create an ACL based on an already authenticated user's LDAP group membership. Keep in mind that the helper used here is not for authentication; it takes the user account already authenticated by another helper and queries for its group membership. This first part is all one line:

external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -R -P -b "dc=DOMAIN,dc=COM" -D "cn=administrator,cn=Users,dc=DOMAIN,dc=COM" -w "PASSWORD" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou="groups",dc=DOMAIN,dc=COM))" -h DOMAINCONTROLLERIP

Let's break this all down into chewable parts:

external_acl_type – This is a special acl that defines an external helper program used to identify the user or device

ldap_group – name I gave the external acl

%LOGIN – Authenticated User Name

/usr/lib/squid3/squid_ldap_group – Location of the helper program

-R  – do not follow referrals

-P – Keeps a persistent connection with the LDAP server, which speeds up membership queries when a lot of users are using the proxy server

-b "dc=DOMAIN,dc=COM" – Base Domain to start looking in

-D "cn=administrator,cn=Users,dc=DOMAIN,dc=COM" – Domain user account used to log in to the Domain Controller

-w "PASSWORD" – Password; this can also point to another file with the password in it, "/etc/pw"

-f "(&(objectclass=person)(sAMAccountName=%v) – This part takes the username that was already authenticated in Squid via another helper (substituted for %v)

(memberof=cn=%a,ou="groups",dc=DOMAIN,dc=COM))" – The most important part. I would point this to the OU where you store the groups Squid uses; %a will pull the group name from the acl line posted later

-h DOMAINCONTROLLERIP – This one is self-explanatory: point it to the authentication server of choice.

Here is what the ACL line would look like. You can create multiple group acl lines that use the same single query above:

acl SQUID_ACL_GROUP external ldap_group GROUP_FROM_LDAP

So to break this down:

SQUID_ACL_GROUP – would be the name you give this acl to be used later

external ldap_group – points this at the external acl ldap_group that I defined earlier

GROUP_FROM_LDAP – This is the group the acl will query for using LDAP; it is what gets substituted for %a
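
As an added example (not from the original post or from the Squid project), the Python sketch below expands a filter template like the -f argument above for one user and one group, so you can see the exact search filter that results from %v and %a. The template with placeholder DNs, the sample names and the RFC 4515 escaping of substituted values are assumptions of this sketch, not taken from the helper's source.

```python
"""Expand a squid_ldap_group-style filter: %v = user, %a = group (added example)."""

# Constructed template modelled on the page's -f argument (placeholder DNs,
# inner quotes around "groups" omitted).
TEMPLATE = ("(&(objectclass=person)(sAMAccountName=%v)"
            "(memberof=cn=%a,ou=groups,dc=DOMAIN,dc=COM))")

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_value(value):
    """Escape one substituted value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, user, group):
    """Replace %v and %a with escaped values; any other text is copied as-is."""
    subst = {"v": escape_value(user), "a": escape_value(group)}
    out, i = [], 0
    while i < len(template):
        key = template[i + 1:i + 2]  # empty string at the end of the template
        if template[i] == "%" and key in subst:
            out.append(subst[key])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def is_balanced(ldap_filter):
    """True when the literal parentheses pair up, a cheap sanity check."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    # Constructed inputs: one ordinary name, one containing filter metacharacters.
    for user in ("jsmith", "j*)(cn=*"):
        expanded = expand_filter(TEMPLATE, user, "Accounting")
        print(expanded, "balanced:", is_balanced(expanded))
```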




About Paul Cardelli, CISSP
Cyber Security Analyst, and computer guru

2 Responses to Squid3 LDAP Group Membership Helper

  1. Tebano says:

    I’m receiving the following error:

    FATAL: ERROR: Invalid ACL: acl SQUID_ACL_GROUP external ldap_group GROUP_FROM_LDAP

    Can you help me?

    • NovaSam says:

      I’m assuming you already built out the “external_ldap_group” previously, just replace “group_from_LDAP” with one in your ldap or Active Directory implementation.

      For example a valid ACL might be:

      acl accounting_group external ldap_group Accounting

      Just make sure Accounting exists, and that you correctly built the ldap_group previously. You can then use accounting_group in your other ACLs as needed.

