Webproxy auth on Windows PDC

o_krah · June 21, 2015, 9:58am

Friends… It’s possible to integrate the web proxy with users and groups from windows active Directory ?

giacomo · June 22, 2015, 8:53am

Yes it is but only for users, not groups.
I just realized there is no real documentation about it.

But you can use the AD authentication within the proxy and you also can use users from AD for web filter profiling.

o_krah · June 22, 2015, 11:30am

Right, go to details, I can integrate with ad, but the proxy every time ask by user and pass and not pass the rules, and show me the message: proxy cache access denied, after multiple times…

enzoturri · June 22, 2015, 11:41am

Hi, some time ago I used the squid proxy with authentication on AD. It worked fine using groups.
if I remember correctly you have to set the group used by Squid as the user primary group (of users) in AD (under member of)

I have not tried it on Nethserver (I will try in the future).
.

enzoturri · June 24, 2015, 8:17pm

Well, I ran some tests for this scenario.

I configured NS as a domain member (server AD is Win8R2) and I activated the authenticated proxy mode.
AD Users open web pages without popup authentication.

Some settings to note: the DNS proxy must be the domain’s DNS server (normally the server AD), the proxy in the browser must be the proxy full name (FQN) (not the IP)
I had problems with client windows installed on hyper-v

For your problem look files /var/log/squid/cache.log and access.log for errors.

tail -f /var/log/squid/cache.log

After using the external acl named ext_wbinfo_group_acl I set the navigation for a single AD group.

I added these lines after the section
Additional NTLM auth for Windows XP clients in ADS mode

external_acl_type nt_group% LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl WebYesACL external nt_group WebYes
http_access allow WebYesACL

and commented (#)

http_access allow localnet authenticated

(Where WebYes is the domain group)
It works.

You can create multiple acl for most groups and combine them to set permissions

The only problem occurs when you reconfigure the proxy from Web Consolle that deletes lines added by hand.

Any opinion for this configuration?

zamboni · June 24, 2015, 8:30pm

I’m not a guru… the only suggestion I give you is to read the dev’s manual and use a custom fragment to make your editing permanent

in any case, well done, interesting job

enzoturri · June 24, 2015, 8:42pm

Thanks, I found the manual and I proceed to read it

enzoturri · June 24, 2015, 9:14pm

@giacomo I had same problem now solved. See also this post