Squidguard advanced source ACL ldap group lookup
-
pfSense is great and I love the packages. Big thanks to all who work on pfSense and thanks in advance for any help or ideas you can provide about my question.
Our Setup
We are using pfSense and squid proxy + squidguard because we need advanced ACL rules to allow access to specific sites based on time and user.PROBLEM
I would like to grant different privileges (sites they can access) to different users based on an ldap lookup against our Active Directory server based on group membership. It is not necessary for all users to authenticate to use the proxy and I already have that to working anyway - Squid authenticates just fine with our AD just fine.I need to create a "client source alc" in the squidguard gui that creates a rule that looks something like this:
src Internet_Users {
ldapusersearch ldap://gc.domain.com:3268/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}Or find out how to edit the .conf file manually in a way that wont overwrite it everytime I make changes in the gui.
I think I could make it work with a standard squid + squidguard setup in linux instead of just pfSense. Or a pfSense + linux squid proxy solution like this: http://linuxforge.wordpress.com/2010/11/26/how-to-pfsense-external-squid-transparent-proxy-dansguardian/
I would also be okay using NTLM (in some ways it would be really nice) but groups with different access is a MUST.
Here are some articles that contain examples of what I think we would like to do but how to implement it in pfSense is the question?
http://workaround.org/squid-ldap
http://www.streamreader.org/serverfault/questions/139544/squidguard-and-active-directory-groups
http://etutorials.org/Server+Administration/Squid.+The+definitive+guide/Chapter+12.+Authentication+Helpers/12.5+External+ACLs/Below is an example from the last link I was wondering about but I don't know how to implement it pfSense
ldap_group
./configure enable-external-acl-helpers=ldap_group
This helper determines whether or not a user belongs to a particular LDAP group. You specify the LDAP group names on the acl line. It might look like this in your configuration file:
external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_group
-b "ou=people,dc=example,dc=com" ldap.example.com
acl AclName external ldap_group_helper GroupRDN …
Note that you must have the OpenLDAP (http://www.openldap.org) libraries installed on your system to compile the squid_ldap_group helper program.
Thanks again
-
SquidGuard has a section on using LDAP group membership for ACLs
http://www.squidguard.org/Doc/authentication.html
However you cannot join a PFSense box to the AD as you would need to install a load of samba stuff and this is first and foremost a firewall, so I wouldn't recommend it. You will have to alter the examples given in the SquidGuard documentation and a user would be required to authenticate to LDAP for access.
-
Thanks for the response.
Yes, that is correct, I want the user to be required to authenticate only if they try to go to a restricted site.
For example, if a user navigates to http://someSiteThatIsRestricted.com it would prompt for a user name and password. If they are in a group in Active Directory that is allowed to go to that site it will of course let them otherwise they are redirected to a block page that tells them the reason.
Thanks for the link. I have looked at that before but how do you do that in pfSense? I'm running a separate install to test with so I want to know how to do it even if it is not as secure and then I can decide whether to use a dedicated proxy instead of using pfsense for that.
It is nice to be able to add functionality to pfSense through the packages because that allows for a more secure setup by default and the flexibility to customize it to fit almost any environment.