[K12OSN] >
Barry Solof
barry at yellowdog.com
Mon Apr 12 15:33:08 UTC 2004
Hi,
This is the PDF on how to make squid authenticate to NDS. I owe Matt
White a lot for putting this out for others to use.
http://www.madriver.k12.oh.us/technology/whitepapers/squid-edirectory.pdf
************************************************************
Random ideas and notes...
"squid_ldap_auth" CAN be called from the command line for authentication
testing. That's how I debugged the following line to put into squid.conf.
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b o=ccn -u cn -s sub -D cn=ldap_proxy,o=ccn -f "(&(&(objectClass=person)(cn=%s))(groupMembership=cn=Internet_Users,ou=groups,o=ccn))" -h localhost -p 1212
Specifics
*******
o=ccn (ccn is our top context in NDS)
cn=ldap_proxy, o=ccn (ldap_proxy is our NDS proxy user setup as per
Novell documentation)
-f "(&(&... this filter tests the following:
objectClass=person
cn is the NDS name typed in by the user
the user exists in our NDS group called "Internet_Users".
-h localhost (we run stunnel from the squid server to NDS to encrypt
passwords).
For stunnel to work, we have the following in /etc/rc.d/rc.local:
stunnel -c -d localhost:1212 -r nds.server.ip.number:636
The killer for us was including the group "Internet_Users" in the
filter. We don't allow all our users to get to the net and we used to
grant access via Bordermanager using this group. Now that we use squid
instead of Bordermanager we *still* grant access to the internet users
by including them in this group. This one made the techs very happy.
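Here is a small added example (not from the post or from squid itself) of what the helper does with that squid.conf line: squid hands the helper one "user password" line per request, the helper searches as the proxy user with the filter (%s replaced by the typed name), and only if exactly one matching entry in Internet_Users is found does it bind as that entry with the supplied password. The directory object is a constructed in-memory stand-in for eDirectory, not an LDAP client; the name escaping is added as a defensive step and is an assumption about good practice, not a claim about the real helper.

```python
import re
import sys

# Filter from the squid.conf line in the post; %s receives the username.
FILTER = ('(&(&(objectClass=person)(cn=%s))'
          '(groupMembership=cn=Internet_Users,ou=groups,o=ccn))')
BASE_DN = 'o=ccn'

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a typed name cannot alter the filter."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

class FakeDirectory:
    """Constructed stand-in for the NDS tree (assumption, not a real LDAP server)."""
    def __init__(self, entries):
        self.entries = entries  # {dn: {attr: [values], 'userPassword': str}}

    def search(self, base, filt):
        # Toy matcher: handles only the equality terms this filter uses.
        wanted = dict(re.findall(r'\((objectClass|cn|groupMembership)=([^()]*)\)', filt))
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base) and all(v in attrs.get(a, []) for a, v in wanted.items())]

    def bind(self, dn, password):
        # An empty password must never count as a bind: many LDAP servers treat
        # it as an anonymous bind that "succeeds".
        entry = self.entries.get(dn)
        return password != '' and entry is not None and entry['userPassword'] == password

def authenticate(directory, user, password):
    """Search (as the -D proxy user would) for the DN, then bind as that DN."""
    dns = directory.search(BASE_DN, FILTER % escape_filter_value(user))
    if len(dns) != 1:  # unknown user, not in Internet_Users, or ambiguous match
        return False
    return directory.bind(dns[0], password)

def helper_loop(directory, lines):
    """Squid basic helper protocol: each 'user password' line answers OK or ERR."""
    out = []
    for line in lines:
        parts = line.rstrip('\n').split(' ', 1)
        ok = len(parts) == 2 and authenticate(directory, parts[0], parts[1])
        out.append('OK' if ok else 'ERR')
    return out

SAMPLE = FakeDirectory({  # constructed sample entries
    'cn=alice,o=ccn': {'objectClass': ['person'], 'cn': ['alice'],
                       'groupMembership': ['cn=Internet_Users,ou=groups,o=ccn'],
                       'userPassword': 'correct horse'},
    'cn=bob,o=ccn': {'objectClass': ['person'], 'cn': ['bob'],
                     'groupMembership': [], 'userPassword': 'hunter2'},
})

if __name__ == '__main__':  # behave like a helper: read stdin, answer per line
    for answer in helper_loop(SAMPLE, sys.stdin):
        sys.stdout.write(answer + '\n'); sys.stdout.flush()
```

Bob has a valid password but is not in Internet_Users, so he gets ERR just as the post describes; a name containing filter metacharacters is escaped and simply fails to match.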
Finally, we limit the users to one IP number at a time. This prevents
one user from giving out their NDS name and password to friends (who
don't have Internet access). It allows a user to log in from any IP
address but will then deny access to the same user trying to
authenticate from a different IP address. It's basically a "first person
in - wins" scheme, so if the first user gives a second user their login
credentials and the second user logs in, the first user will be denied
services.
acl manypcs max_user_ip -s 1
http_access deny manypcs
This helps keep our staff honest and keeps the personnel folks happy.
Personnel insists that we don't give Internet access to everybody.
Trust me, I've tried to change this policy because in our situation (a
government office) giving everyone access isn't a big deal like it would
be in a school system.
So there are the basics. If it isn't totally clear, forgive me. We
spent the last few days putting several coats of finish on the living
room floor and my thinking isn't what you'd call sharp right now.
Everything smells like polyurethane right now...
Barry