{"id":935,"date":"2013-08-24T00:43:58","date_gmt":"2013-08-23T22:43:58","guid":{"rendered":"http:\/\/diablo.craem.net\/wordpress\/?p=935"},"modified":"2013-08-24T00:43:58","modified_gmt":"2013-08-23T22:43:58","slug":"squid3-openldap-debian","status":"publish","type":"post","link":"https:\/\/diablo.craem.net\/?p=935","title":{"rendered":"Squid3 + openLdap Debian"},"content":{"rendered":"<p>A few days ago I had to set up squid against openLdap to authenticate users. In principle, it is considerably easier than against Active Directory, since it needs neither kerberos, samba nor winbind.<br \/>\nWe start from the assumption that openLdap is already working correctly, and our squid too&#8230; so now we edit the file <strong>\/etc\/squid3\/squid.conf<\/strong> and leave it like this:<br \/>\n<code><br \/>\nauth_param basic program \/usr\/lib\/squid3\/squid_ldap_auth -b \"dc=craem,dc=net\" -f \"uid=%s\" -h 192.168.2.5<br \/>\nauth_param basic children 30<br \/>\nauth_param basic realm Servidor Proxy cRAeM<br \/>\nauth_param basic credentialsttl 6 hours<br \/>\nauth_param basic casesensitive off<br \/>\nacl usuariosLdap proxy_auth REQUIRED<br \/>\nhttp_access allow usuariosLdap<br \/>\nhttp_access deny all<br \/>\n<\/code><br \/>\nFirst of all, we check that the file <strong>\/usr\/lib\/squid3\/squid_ldap_auth<\/strong> exists and verify that ldap works correctly by running the following test:<br \/>\n<code><br \/>\nroot@proxy:\/etc\/squid3# \/usr\/lib\/squid3\/squid_ldap_auth -b \"dc=craem,dc=net\" -f \"uid=%s\" 192.168.2.5<br \/>\n<\/code><br \/>\nPress Enter and type a username and password:<br \/>\n<code><br \/>\nroot@netflow:\/etc\/squid3# \/usr\/lib\/squid3\/squid_ldap_auth -b \"dc=craem,dc=net\" -f \"uid=%s\" 192.168.2.5<br \/>\nusuario password<br \/>\nOK<br \/>\n<\/code><br \/>\nIf it prints OK, then it will work; if not, some library or similar is missing<br \/>\nThe first parameter: <strong>auth_param basic children<\/strong><br \/>\nSets the maximum number of concurrent auth processes&#8230; be careful if you have many users and set a low number, although it should not be a problem.<br \/>\n<strong>auth_param basic realm Servidor Proxy cRAeM<\/strong><br \/>\nThis is what appears in the user \/ pass prompt window&#8230; I like to have it customized \ud83d\ude09<br \/>\n<strong>auth_param basic credentialsttl 6 hours<\/strong><br \/>\nBasically, how long our credentials stay cached<br \/>\n<strong>auth_param basic casesensitive off<\/strong><br \/>\nJust what it says<br \/>\nThe rest:<br \/>\n<code><br \/>\nacl usuariosLdap proxy_auth REQUIRED<br \/>\nhttp_access allow usuariosLdap<br \/>\nhttp_access deny all<br \/>\n<\/code><br \/>\n<strong>acl usuariosLdap proxy_auth REQUIRED <\/strong><br \/>\nWe define the acl usuariosLdap with authentication required<br \/>\n<strong>http_access allow usuariosLdap<br \/>\nhttp_access deny all<br \/>\n<\/strong><br \/>\nWe allow access to authenticated users and the rest&#8230; deny<br \/>\nEnjoy your ldap + squid<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A few days ago I had to set up squid against openLdap to authenticate users. In principle, it is considerably easier than against Active Directory, since it needs neither kerberos, samba nor winbind. We start from the assumption that openLdap is already working correctly, and our squid too&#8230; so now we edit the file [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,8],"tags":[58,134,177],"class_list":["post-935","post","type-post","status-publish","format-standard","hentry","category-linux","category-varios","tag-debian","tag-openldap","tag-squid"],"_links":{"self":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/935","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=935"}],"version-history":[{"count":0,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/935\/revisions"}],"wp:attachment":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=935"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=935"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=935"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}