Squid + Active Directory

  • How can I authorize pfSense's squid against AD?
    LDAP and NT Domain don't work out of the box.

    Any method is fine. What should I do? Nothing works :(


  • This was never completed by the original package author.  If you want this functionality, I suggest you put together a bounty for it.

  • After browsing around the forum and searching, I still really can't find an answer to whether the LDAP auth works with squid or not. Some people seem to say that yes, it works, and others, as in this post, that it is not completed. If I try to enable it, it does indeed show the dialog box, but it doesn't take my credentials. I've used this as a guide.

    Here is the setup that is currently working for me!!

    Authentication method - LDAP
    LDAP version - 3
    Authentication server - (windows server IP address)
    LDAP server user DN - cn=administrator,cn=Users,dc=yourdomain,dc=co,dc=za
    LDAP password - (your password for the administrator account)
    LDAP base domain - dc=yourdomain,dc=co,dc=za
    LDAP search filter - sAMAccountName=%s

    I'm running pfSense 1.2.2
    built on Thu Jan 8 22:39:31 EST 2009

    So, any info from the admins or developers? Is LDAP auth towards 2003 server implemented in the squid package or not?

  • Why do people insist on using the domain administrator account for LDAP lookups to AD? It is not and never has been required.

    AD is set to not allow anonymous lookups, but all you need in there is an unprivileged standard account. Using the admin account in unencrypted format shows a serious disregard for security.

    The link is to an MS howto for AD, as on large installs of over 1k users there are problems with returned results. It includes altering AD to allow anonymous lookups.


  • Thanks! Okay.

    But still, do pfSense and Squid work with LDAP auth?

  • Yes, the squid package on pfSense can be configured to pop up an authentication box to AD, but not to do NTLM pass-through, as this requires winbind and a full samba install.

  • Okay! Great! Thanks for the answer.
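
The reply above about binding as the domain administrator in unencrypted form can be turned into a configuration check. The following is an added example, not code from the thread or from the squid package: it audits a `squid.conf` LDAP helper line for a privileged bind DN, a bind password passed with `-w`, and a connection without `-Z` or an `ldaps://` URI. The helper path, the IP address and the `svc-squid` account are constructed sample values.

```python
import shlex

# squid LDAP helper options that take a value (subset used by this check).
VALUE_OPTS = {"-b", "-D", "-w", "-W", "-f", "-h", "-H", "-p", "-s", "-v", "-u"}
# Account names treated as privileged; an assumption of this example, extend as needed.
PRIVILEGED_CNS = {"administrator", "admin"}

def audit_ldap_helper(line):
    """Return finding codes for one 'auth_param basic program' line."""
    args = shlex.split(line)
    opts, i = {}, 0
    while i < len(args):
        arg = args[i]
        if arg in VALUE_OPTS and i + 1 < len(args):
            opts[arg] = args[i + 1]
            i += 2
        else:
            if arg.startswith("-"):
                opts[arg] = True          # flag without a value, e.g. -Z or -R
            i += 1
    findings = []
    # First RDN of the bind DN, e.g. "cn=administrator" (escaped commas not handled).
    first_rdn = str(opts.get("-D", "")).split(",")[0]
    if first_rdn.partition("=")[2].strip().lower() in PRIVILEGED_CNS:
        findings.append("privileged-bind-dn")
    if "-w" in opts:                      # -W reads the password from a file instead
        findings.append("password-on-command-line")
    uses_ldaps = str(opts.get("-H", "")).lower().startswith("ldaps://")
    if "-Z" not in opts and not uses_ldaps:
        findings.append("no-tls")
    return findings

# Constructed sample lines: the setup quoted in the thread, then a tightened variant.
HELPER = "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth"
BASE = '-v 3 -b "dc=yourdomain,dc=co,dc=za" -f "sAMAccountName=%s"'
WEAK = (f'{HELPER} {BASE} -D "cn=administrator,cn=Users,dc=yourdomain,dc=co,dc=za" '
        '-w "password" -h 192.0.2.10')
HARDENED = (f'{HELPER} {BASE} -Z -D "cn=svc-squid,cn=Users,dc=yourdomain,dc=co,dc=za" '
            '-W /usr/local/etc/squid/ldap.secret -h 192.0.2.10')

if __name__ == "__main__":
    for name, line in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ldap_helper(line) or "no findings")
```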
