Master-Zone Blog Technical Notes

14 Oct 2009

Squid authentication against Active Directory

Following up on integrating AD with Linux, I thought of configuring Squid to authenticate users against Active Directory. I am still using the VMware machines from my previous posts.

My goal is to stop Active Directory users from abusing network resources (such as watching YouTube videos during work hours). First, I thought of putting Squid in the network as a transparent proxy with authentication, but that can't be done, here is why.

So I had to create a Group Policy in Active Directory that prevents users from changing the LAN settings, forces Internet Explorer to use Squid as its proxy server, and prevents users from changing their proxy settings in Internet Explorer. This ensures that users cannot change their network settings and are forced to go through Squid.

Okay, less talk more work!

First start by installing Squid3...
# apt-get install squid3 squid3-cgi squid3-common

Then make sure Squid can communicate with Active Directory:
# /usr/lib/squid3/squid_ldap_auth -v 3 -P -R -u cn -s sub -b basedn -D binddn -w bindpasswd -f "(&(sAMAccountName=%s))" -h server

At this point the helper waits on standard input with no prompt; test authentication for a user by entering the username, a space, and then the password.

Illustration...
# /usr/lib/squid3/squid_ldap_auth -v 3 -P -R -u cn -s sub -b "dc=win2k3,dc=example,dc=com" -D "cn=Squid,cn=Users,dc=win2k3,dc=example,dc=com" -w "password" -f "(&(sAMAccountName=%s))" -h win2k3.example.com

ahmed mySECRETpassword
OK
ahmed blaBLAbla
ERR Invalid credentials
^C

Then configure squid...
# vi /etc/squid3/squid.conf

# OPTIONS FOR AUTHENTICATION
auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -P -R -u cn -s sub -b "dc=win2k3,dc=example,dc=com" -D "cn=Squid,cn=Users,dc=win2k3,dc=example,dc=com" -w "password" -f "(&(sAMAccountName=%s))" -h win2k3.example.com
auth_param basic children 2
auth_param basic realm Example.com
auth_param basic credentialsttl 2 hours

# Defining an Access List
acl example src 192.168.0.0/16
acl ldapauth proxy_auth REQUIRED

# Allowing or Denying access based on defined access lists
http_access allow ldapauth
http_access allow example

Save, exit, restart Squid, and test.

Now, when a user who falls under that Group Policy opens Internet Explorer, he is prompted for his Active Directory username and password, which are checked against Active Directory.
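To make the helper protocol that the test session above exercises concrete, here is an added Python skeleton of a Squid basic-auth helper; it is not the post's code and not squid_ldap_auth itself. It assumes, as squid_ldap_auth does, that Squid hands the helper one rfc1738-encoded "user password" line per request, and it replaces the AD bind with a constructed in-memory check (demo_verify) so it runs offline; the RFC 4515 escaping is what keeps a submitted username from altering the filter given with -f.

```python
"""Minimal Squid basic-auth helper skeleton (added example, not the original post's code)."""
import sys
from urllib.parse import unquote

FILTER_TEMPLATE = "(&(sAMAccountName=%s))"   # the same filter the post passes with -f

def escape_filter_value(value: str) -> str:
    """Escape LDAP filter metacharacters (RFC 4515) before substituting a username."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_filter(username: str) -> str:
    return FILTER_TEMPLATE % escape_filter_value(username)

def parse_request(line: str):
    """Squid sends 'user password\\n'; both fields are rfc1738-encoded (assumed, as in squid_ldap_auth)."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return None
    return unquote(parts[0]), unquote(parts[1])

def handle_line(line: str, verify) -> str:
    """Turn one request line into the OK / ERR reply Squid expects."""
    req = parse_request(line)
    if req is None:
        return "ERR malformed request"
    user, password = req
    return "OK" if verify(build_filter(user), password) else "ERR Invalid credentials"

def demo_verify(ldap_filter: str, password: str) -> bool:
    """Constructed stand-in for the AD search-and-bind; a real helper would query the DC here."""
    directory = {"(&(sAMAccountName=ahmed))": "mySECRETpassword"}   # constructed test data
    return directory.get(ldap_filter) == password

def main():
    for line in sys.stdin:
        print(handle_line(line, demo_verify), flush=True)   # Squid reads one reply per line

if __name__ == "__main__":
    main()
```

Whichever helper is used, the -w bind password ends up in clear text in squid.conf, so keep that file readable only by root and the Squid user and give the bind account read-only rights in AD.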

9 Oct 2009

Searching Active Directory with ldapsearch

Okay, so I decided to carry on with my journey of integrating AD with Linux. When I got AD working after my last post, I added a user for testing purposes. Then I needed to start browsing AD from Linux, so I installed the ldapscripts package, which provides the ldapsearch utility for searching LDAP (after all, Active Directory is an LDAP-like directory service).

# apt-get install ldapscripts

And here's the magic syntax:

# ldapsearch -x -LLL -E pr=200/noprompt -D "cn=Administrator,cn=Users,dc=win2k3,dc=example,dc=com" -W -H ldap://win2k3.example.com:389 -b "cn=users,dc=win2k3,dc=example,dc=com" -s sub "(cn=*)" cn mail sn

And the result was:

dn: CN=Users,DC=win2k3,DC=example,DC=com
cn: Users

dn: CN=Administrator,CN=Users,DC=win2k3,DC=example,DC=com
cn: Administrator

dn: CN=Guest,CN=Users,DC=win2k3,DC=example,DC=com
cn: Guest

output omitted

dn: CN=Ahmed O. Anwar,CN=Users,DC=win2k3,DC=example,DC=com
cn: Ahmed O. Anwar
sn: Anwar
mail: ahmed@example.com

# pagedresultscookie=
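The output above is LDIF, which is easy to post-process when auditing accounts; here is an added Python parser for it (not part of the post) that handles the two LDIF details a quick script usually gets wrong, base64 values ("attr::") and folded continuation lines. The sample input is a constructed, trimmed copy of the output shown above with one base64 and one folded attribute added.

```python
"""Parse ldapsearch LDIF output into entries (added example, not from the original post)."""
import base64

# Constructed sample: trimmed copy of the output above plus a base64 value and a folded line.
SAMPLE_LDIF = """\
dn: CN=Users,DC=win2k3,DC=example,DC=com
cn: Users

dn: CN=Ahmed O. Anwar,CN=Users,DC=win2k3,DC=example,DC=com
cn: Ahmed O. Anwar
sn: Anwar
mail: ahmed@example.com
description:: QWhtZWQncyB0ZXN0IGFjY291bnQ=
displayName: Ahmed O. An
 war

# pagedresultscookie=
"""

def parse_ldif(text: str):
    """Return a list of dicts, one per entry; each attribute maps to a list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # continuation: drop the leading space, append
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line:                            # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                # comments such as the paged-results cookie
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def accounts_with_mail(entries):
    """cn of every entry that carries a mail attribute, i.e. the fields the search asked for."""
    return [e["cn"][0] for e in entries if "mail" in e]
```

Binding as Administrator works for a one-off look, but a dedicated read-only account (like the Squid account in the previous post) is the better habit for scripted searches.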

7 Oct 2009

BIND and Active Directory

I thought of playing with BIND (Debian etch) and Active Directory (Windows 2003) today, so I installed Windows 2003 Enterprise on a VMware virtual machine and started setting up the Active Directory role.

So anyway, here is my named.conf...

output omitted
zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/master-zone.net";
};

zone "0.0.10.in-addr.arpa" {
type master;
file "/etc/bind/cisco.lab";
};

zone "example.com" {
type master;
file "/etc/bind/example.com";
};

zone "win2k3.example.com" {
type master;
file "/etc/bind/db.win2k3.example.com";
check-names ignore;
allow-update { 192.168.0.200; };
};
output omitted

Note...
The "check-names ignore" option is required to permit underscores in DNS names.
The "allow-update" option only allows dynamic updates from the IP address (or ACL) specified.

Basically, I used "Add or remove a role" and followed the steps; at the "DNS Registration Diagnostics" step it failed, so I dropped to syslog and found out that Windows needs to add a number of SRV and A records in its domain through dynamic DNS so that clients can find the Domain Controllers.

Here is my log...

Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1618: updating zone 'win2k3.example.com/IN': adding an RR at 'win2k3.example.com' A
Oct 6 23:25:08 neptune named[32137]: journal file /etc/bind/db.win2k3.example.com.jnl does not exist, creating it
Oct 6 23:25:08 neptune named[32137]: /etc/bind/db.win2k3.example.com.jnl: create: permission denied
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1618: updating zone 'win2k3.example.com/IN': error: journal open failed: unexpected error
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1622: updating zone 'win2k3.example.com/IN': adding an RR at '_ldap._tcp.win2k3.example.com' SRV
Oct 6 23:25:08 neptune named[32137]: journal file /etc/bind/db.win2k3.example.com.jnl does not exist, creating it
Oct 6 23:25:08 neptune named[32137]: /etc/bind/db.win2k3.example.com.jnl: create: permission denied
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1622: updating zone 'win2k3.example.com/IN': error: journal open failed: unexpected error
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1626: updating zone 'win2k3.example.com/IN': adding an RR at '_ldap._tcp.Default-First-Site-Name._sites.win2k3.example.com' SRV
Oct 6 23:25:08 neptune named[32137]: journal file /etc/bind/db.win2k3.example.com.jnl does not exist, creating it
Oct 6 23:25:08 neptune named[32137]: /etc/bind/db.win2k3.example.com.jnl: create: permission denied
output omitted

BIND here needed to create db.win2k3.example.com.jnl, but there was a permissions problem with /etc/bind, so I ran:

# chown bind:bind /etc/bind
# chmod 760 /etc/bind

Then I jumped back to Windows, ran the test again, and got "The operation completed successfully."

After that I restarted, went to check the BIND records, and found that they had been updated and the .jnl file had been created.
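The log above is also what you would watch on an ongoing basis to see who is changing the AD zone. Here is an added Python summariser for named's dynamic-update messages (not part of the post): it lists the records each client added, the updates that failed because the journal could not be written, and any update attempts BIND refused. The sample is a constructed copy of the first lines of the log above plus one constructed refusal line in BIND's "update '...' denied" format.

```python
"""Summarise named dynamic-update log lines (added example, not from the original post)."""
import re
from collections import Counter

# Constructed sample: lines copied from the log above plus one constructed refusal.
SAMPLE_LOG = """\
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1618: updating zone 'win2k3.example.com/IN': adding an RR at 'win2k3.example.com' A
Oct 6 23:25:08 neptune named[32137]: journal file /etc/bind/db.win2k3.example.com.jnl does not exist, creating it
Oct 6 23:25:08 neptune named[32137]: /etc/bind/db.win2k3.example.com.jnl: create: permission denied
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1618: updating zone 'win2k3.example.com/IN': error: journal open failed: unexpected error
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1622: updating zone 'win2k3.example.com/IN': adding an RR at '_ldap._tcp.win2k3.example.com' SRV
Oct 6 23:25:09 neptune named[32137]: client 192.168.0.77#5000: update 'win2k3.example.com/IN' denied
"""

ADD_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: updating zone '(?P<zone>[^']+)': "
                    r"adding an RR at '(?P<name>[^']+)' (?P<type>\w+)")
ERR_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: updating zone '(?P<zone>[^']+)': error: (?P<msg>.*)")
PERM_RE = re.compile(r"(?P<path>\S+): create: permission denied")
DENY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^']+)' denied")

def summarize(log_text: str) -> dict:
    """Return added records, failed updates, unwritable journal paths and refused clients."""
    report = {"added": [], "errors": [], "unwritable": set(), "denied": Counter()}
    for line in log_text.splitlines():
        if m := ADD_RE.search(line):
            report["added"].append((m["ip"], m["zone"], m["name"], m["type"]))
        elif m := ERR_RE.search(line):
            report["errors"].append((m["ip"], m["zone"], m["msg"]))
        elif m := PERM_RE.search(line):
            report["unwritable"].add(m["path"])       # the permissions problem fixed above
        elif m := DENY_RE.search(line):
            report["denied"][m["ip"]] += 1            # source not covered by allow-update
    return report

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

An allow-update list keyed on a source address trusts anything that can send packets as 192.168.0.200; signed updates (TSIG keys, or GSS-TSIG for a Windows DC via update-policy) are the usual hardening. Debian's packaging also expects dynamically updated zone files under /var/lib/bind rather than in /etc/bind, which avoids loosening /etc/bind itself.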

Testing and Verification
1. Start nslookup utility in interactive mode
2. Type set type=all
3. Type _ldap._tcp.dc._msdcs.win2k3.example.com

and my result was:

Server: ns.master-zone.net
Address: 192.168.0.3

_ldap._tcp.dc._msdcs.win2k3.example.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = win2k3.win2k3.example.com
win2k3.example.com nameserver = ns.master-zone.net
win2k3.win2k3.example.com internet address = 192.168.0.200
ns.master-zone.net internet address = 192.168.0.3
