Webproxy auth on Windows PDC


(felip) #1

Friends… Is it possible to integrate the web proxy with users and groups from Windows Active Directory?


(Giacomo Sanchietti) #2

Yes it is but only for users, not groups.
I just realized there is no real documentation about it.

But you can use the AD authentication within the proxy and you also can use users from AD for web filter profiling.


(felip) #3

Right, to go into details: I can integrate with AD, but the proxy asks for user and password every time and does not pass the rules, and shows me the message: proxy cache access denied, after multiple times…


(Vincenzo Turri) #4

Hi, some time ago I used the Squid proxy with authentication on AD. It worked fine using groups.
If I remember correctly, you have to set the group used by Squid as the users' primary group in AD (under "member of").

I have not tried it on Nethserver (I will try in the future).


(Vincenzo Turri) #5

Well, I ran some tests for this scenario.

I configured NS as a domain member (server AD is Win8R2) and I activated the authenticated proxy mode.
AD Users open web pages without popup authentication.

Some settings to note: the DNS proxy must be the domain’s DNS server (normally the AD server), and the proxy in the browser must be the proxy's full name (FQN), not the IP.
I had problems with Windows clients installed on Hyper-V.

For your problem, look in the files /var/log/squid/cache.log and access.log for errors.

tail -f /var/log/squid/cache.log

After using the external acl named ext_wbinfo_group_acl I set the navigation for a single AD group.

I added these lines after the section
Additional NTLM auth for Windows XP clients in ADS mode

external_acl_type nt_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl WebYesACL external nt_group WebYes
http_access allow WebYesACL

and commented out (#)

http_access allow localnet authenticated

(Where WebYes is the domain group)
It works.

You can create multiple ACLs for most groups and combine them to set permissions.

The only problem occurs when you reconfigure the proxy from the web console, which deletes the lines added by hand.

Any opinion for this configuration?
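
A check for the configuration described in post #5, as an added example that is not part of the original thread: it reads a squid.conf text and reports active allow rules that let a user through without matching an AD group ACL, which is what happens if the generic allow line is left uncommented or the hand-added lines are lost when the configuration is regenerated. The function name, messages and sample configuration are constructed for illustration; findings are items to review, since some allow rules are legitimately unrelated to groups.

```python
# Constructed sample (not from the thread): the group ACL lines from the post,
# with the generic allow rule still active, e.g. after a regenerated config.
SAMPLE_CONF = """\
external_acl_type nt_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl WebYesACL external nt_group WebYes
http_access allow localnet authenticated
http_access allow WebYesACL
http_access deny all
"""


def audit_group_restriction(conf_text):
    """Return (line_number, message) findings for a squid.conf text.

    Hypothetical helper: flags active allow rules that are not tied to an
    AD group ACL, and malformed or dangling group ACL definitions.
    """
    helpers, group_acls, findings = set(), set(), []
    group_allow_seen = False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or commented-out rule
            continue
        tok = line.split()
        if tok[0] == "external_acl_type" and len(tok) >= 3:
            helpers.add(tok[1])
            if "%LOGIN" not in tok[2:]:
                findings.append((lineno, "external_acl_type lacks a %LOGIN token"))
        elif tok[0] == "acl" and len(tok) >= 4 and tok[2] == "external":
            if tok[3] in helpers:
                group_acls.add(tok[1])
            else:
                findings.append((lineno, "acl uses undefined helper " + tok[3]))
        elif tok[:2] == ["http_access", "allow"]:
            # A rule restricts by group only if it names a group ACL un-negated.
            if any(name in group_acls for name in tok[2:]):
                group_allow_seen = True
            else:
                findings.append((lineno, "allow rule not limited to a group ACL: " + line))
    if not group_allow_seen:
        findings.append((0, "no http_access allow rule references a group ACL"))
    return findings


if __name__ == "__main__":
    for lineno, message in audit_group_restriction(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```

Squid evaluates http_access rules in order and stops at the first match, but an unrestricted allow defeats the group restriction whether it sits before or after the group rule, so the check ignores ordering.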


(Stefano) #6

I’m not a guru… the only suggestion I give you is to read the dev’s manual and use a custom fragment to make your editing permanent

in any case, well done, interesting job


(Vincenzo Turri) #7

Thanks, I found the manual and I proceed to read it


(Vincenzo Turri) #8

@giacomo I had the same problem, now solved. See also this post