[K12OSN] >

Barry Solof barry at yellowdog.com
Mon Apr 12 15:33:08 UTC 2004


Hi,

This is the PDF on how to make squid authenticate to NDS.  I owe Matt 
White a lot for putting this out for others to use.

http://www.madriver.k12.oh.us/technology/whitepapers/squid-edirectory.pdf

************************************************************
Random ideas and notes...

"squid_ldap_auth" CAN be called from the command line for authentication 
testing.  That's how I debugged the following line to put into squid.conf 
(it is one line in the file; it is only wrapped here):

auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b o=ccn -u cn -s sub -D cn=ldap_proxy,o=ccn -f "(&(&(objectClass=person)(cn=%s))(groupMembership=cn=Internet_Users,ou=groups,o=ccn))" -h localhost -p 1212

Specifics
*******
o=ccn     (ccn is our top context in NDS)
cn=ldap_proxy, o=ccn   (ldap_proxy is our NDS proxy user setup as per 
Novell documentation)
-f "(&(&...    this filter tests the following:
   objectclass=person
   cn is the nds name typed in by the user
   the user exists in our NDS group called "Internet_Users".
-h localhost   (we run stunnel from the squid server to NDS to encrypt 
passwords).

For stunnel to work, we have the following in /etc/rc.d/rc.local:
  stunnel -c -d localhost:1212 -r nds.server.ip.number:636

The killer for us was including the group "Internet_Users" in the 
filter.  We don't allow all our users to get to the net and we used to 
grant access via Bordermanager using this group.  Now that we use squid 
instead of Bordermanager we *still* grant access to the internet users 
by including them in this group.  This one made the techs very happy.

Finally, we limit the users to one ip number at a time.  This prevents 
one user from giving out their NDS name and password to friends (who 
don't have Internet access).  It allows a user to login from any IP 
address but will then deny access to the same user trying to 
authenticate from a different IP address. It's basically a "first person 
in - wins" scheme, so if the first user gives a second user their login 
credentials and the second user logs in, the first user will be denied 
services.

acl manypcs max_user_ip -s 1
http_access deny manypcs

This helps keep our staff honest and keeps the personnel folks happy.  
Personnel insists that we don't give Internet access to everybody.  
Trust me, I've tried to change this policy because in our situation (a 
government office) giving everyone access isn't a big deal like it would 
be in a school system.

So there are the basics.  If it isn't totally clear, forgive me.  We 
spent the last few days putting several coats of finish on the living 
room floor and my thinking isn't what you'd call sharp right now.  
Everything smells like polyurethane right now...



Barry
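The following is an added example, not code from Barry's post or from Squid. It takes the exact -f filter template from the post, substitutes the user name the way a safe helper must (RFC 4515 escaping of the substituted value, so that characters such as `*`, `(` and `)` typed as a user name cannot change the structure of the filter), and evaluates the result against a small constructed set of eDirectory-style entries so you can see the three tests in the filter (objectClass=person, cn match, membership in Internet_Users) doing their work. The entries, the user names and the printer object are constructed for illustration; only o=ccn, the template and the group DN come from the post. The filter parser is a minimal one (and/or/not, presence and equality) and is not the helper's own code.

```python
"""Added example: safe substitution into the squid_ldap_auth filter from the
post, plus a tiny filter evaluator over constructed directory entries."""
import re

# The -f argument exactly as given in the post's squid.conf line.
FILTER_TEMPLATE = ("(&(&(objectClass=person)(cn=%s))"
                   "(groupMembership=cn=Internet_Users,ou=groups,o=ccn))")

# Constructed directory fragment (hypothetical objects under the post's o=ccn).
DIRECTORY = {
    "cn=alice,o=ccn": {                       # person, in Internet_Users
        "objectClass": ["person", "inetOrgPerson"],
        "cn": ["alice"],
        "groupMembership": ["cn=Internet_Users,ou=groups,o=ccn"],
    },
    "cn=bob,o=ccn": {                         # person, not in the group
        "objectClass": ["person"],
        "cn": ["bob"],
        "groupMembership": ["cn=Staff,ou=groups,o=ccn"],
    },
    "cn=alice,ou=printers,o=ccn": {           # same cn, but not a person
        "objectClass": ["device"],
        "cn": ["alice"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: backslash, '*', '(', ')' and NUL become \\xx so a
    user-typed name can only ever be compared as a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_filter(template: str, username: str) -> str:
    """Substitute the escaped user name for %s in the template."""
    return template.replace("%s", escape_filter_value(username))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Minimal RFC 4515 parser: '&', '|', '!', presence (attr=*) and
    equality.  Returns a nested tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            result = ("and" if op == "&" else "or", kids)
        elif op == "!":
            pos += 1
            result = ("not", node())
        else:
            end = text.index(")", pos)        # an unescaped ')' ends the item
            attr, _, raw = text[pos:end].partition("=")
            pos = end
            result = ("present", attr) if raw == "*" else ("eq", attr, _unescape(raw))
        if text[pos] != ")":
            raise ValueError("unbalanced filter at %d" % pos)
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def _norm(value: str) -> str:
    # caseIgnore-style comparison; also tolerate spaces after commas in DNs
    return re.sub(r",\s+", ",", value).casefold()


def matches(entry: dict, tree) -> bool:
    kind = tree[0]
    if kind == "and":
        return all(matches(entry, k) for k in tree[1])
    if kind == "or":
        return any(matches(entry, k) for k in tree[1])
    if kind == "not":
        return not matches(entry, tree[1])
    attrs = {k.casefold(): v for k, v in entry.items()}
    if kind == "present":
        return tree[1].casefold() in attrs
    _, attr, value = tree
    return any(_norm(v) == _norm(value) for v in attrs.get(attr.casefold(), []))


def find_users(directory: dict, template: str, username: str, escape: bool = True):
    """DNs matching the filter for this user name.  escape=False shows what a
    raw substitution would do (a '*' becomes a presence test); never do that."""
    flt = build_filter(template, username) if escape else template.replace("%s", username)
    tree = parse_filter(flt)
    return sorted(dn for dn, entry in directory.items() if matches(entry, tree))


def authorize(directory: dict, username: str) -> str:
    """The helper's search step: exactly one hit is required before it would
    try to bind as that DN with the supplied password."""
    return "OK" if len(find_users(directory, FILTER_TEMPLATE, username)) == 1 else "ERR"


if __name__ == "__main__":
    for name in ["alice", "bob", "carol", "*"]:
        print(name, authorize(DIRECTORY, name), find_users(DIRECTORY, FILTER_TEMPLATE, name))
    print("unescaped '*':", find_users(DIRECTORY, FILTER_TEMPLATE, "*", escape=False))
```

Run it as a script to see alice accepted, bob refused (right object class, wrong group), carol refused (no such object) and the printer with cn=alice ignored. With escaping, a user name of `*` matches nothing; without it the same input turns the cn test into a presence test and matches every person in the group, which is the difference the escaping exists to make.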