Squid and active directory



  • I would like to know has anyone here integrated Squid Proxy with Active Directory? I am interested in using Pfsense for filtering however being able to filter by user name or user groups is really a big deal. Anyway if you have accomplished this please let me know.



  • Somehow this person http://ufb.mtaspiring.school.nz/Downhome/Filtering
    accomplished it, but to tell you the truth I personally don't like mixing AD with other services.

    If you wanted to filter https/http (WPAD) by username, you should create static IPs on the Windows server (DHCP/DNS) and put users 192.168.1.1-192.168.1.20 in "users unlimited access" and the rest in "users limited".



  • You are suggesting to configure filter rules by IP address range. Filtering by IP is OK, but if you have an AD configuration, being able to do this by user name and group is a lot more flexible. In our work environment we accomplish these tasks by using Websense, which is now being replaced by Palo Alto. I know Sophos can do this; I have a Sophos test box sitting under my desk. However, Sophos feels slow, so that's why I'm looking at PF.



  • Use LDAP, the guide provided in that link from killmasta93 looks like it would work if you have an AD…  Only downside I can potentially see is that users will have to log into the proxy anytime they go to connect.

    I haven't experimented with it myself, but it looks like this coming year I will have to, since I am getting ready to deploy AD for a small private school; stupid kids keep breaking things and I have issues finding out which.



  • C0RR0SIVE, I am going to configure a test virtual machine to see if I can get this to work. However, believe me, users are not going to be happy when they have to log in; it has to be integrated.



  • I also wanted to implement this, but the requirement for users to login every time they had to access the proxy/internet killed it for me. I was hoping to get the machines to authenticate rather than the users as a possible workaround, but also no dice.

    So you either have them authenticate against the proxy or switch to IP range filtering as suggested earlier.



  • I think this can be integrated into AD using Kerberos, Winbind, and Samba. I am doing research on this now; I will post back what I find out. I wonder, can I install these packages on Pfsense, or is it just best to build a CentOS server?



  • Indeed:

    • from Squid's perspective, relying on AD is nothing more than implementing LDAP support (although AD, as an LDAP server, has some specific aspects)
    • if you don't want to be prompted for authentication, Kerberos (especially in a Microsoft domain environment) is the right solution. But this doesn't come out of the box, because not all browsers are yet ready to support Kerberos.

    This means you need Squid to support Kerberos (available since 2.6) and also your browser to be able to use such mechanism, which is not that obvious.
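The thread describes three ways to drive Squid's filtering from AD (an IP-range `src` ACL as in the earlier reply, LDAP basic auth with a prompt, and Kerberos/Negotiate without one) but shows no configuration. The squid.conf fragment below is an added example written for this thread, not configuration from any of the posters or from the linked school page. Every hostname, DN, realm, file path, group name and address range in it (dc1.example.com, EXAMPLE.COM, proxy.example.com, the `cn=squid-bind` account, the `Proxy-Unlimited`/`Proxy-Limited` groups, the 192.168.1.x range) is an assumption for illustration; the helper names and directives are the standard ones shipped with Squid 3.2 and later.

```conf
# Added example (not from the thread or the linked page). Names, DNs, realm,
# paths, groups and addresses are assumptions; replace them for your domain.

# --- Option A: IP range, no authentication (the earlier "static IP" idea) ----
# Simple and prompt-free, but it identifies a machine, not a person.
acl unlimited_ips src 192.168.1.1-192.168.1.20

# --- Option B: LDAP (basic) auth against AD ----------------------------------
# The browser shows a username/password prompt; the helper binds to the DC as
# a low-privilege service account and verifies the user's credentials.
auth_param basic program /usr/lib/squid/basic_ldap_auth \
    -R -b "dc=example,dc=com" \
    -D "cn=squid-bind,cn=Users,dc=example,dc=com" -W /etc/squid/ldap_bind.pw \
    -f "(&(objectClass=user)(sAMAccountName=%s))" \
    -h dc1.example.com
auth_param basic children 10
auth_param basic realm Corporate proxy
auth_param basic credentialsttl 2 hours

# --- Option C: Kerberos (Negotiate) auth ------------------------------------
# Domain-joined browsers present a ticket silently, so there is no prompt.
# Needs a keytab for the HTTP/proxy.example.com service principal and clocks
# in sync with the DC. Listing both B and C means browsers that can do
# Negotiate use it and the rest fall back to the basic prompt.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth \
    -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on

# --- Group lookup (works with either auth scheme) ---------------------------
# %LOGIN is the authenticated user. -K strips a Kerberos realm (user@REALM)
# and -S strips an NT domain prefix so the LDAP filter sees a bare account
# name. %v is the user, %a the group named on the acl line below.
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_ldap_group_acl \
    -R -K -S -b "dc=example,dc=com" \
    -D "cn=squid-bind,cn=Users,dc=example,dc=com" -W /etc/squid/ldap_bind.pw \
    -f "(&(objectClass=user)(sAMAccountName=%v)(memberOf=cn=%a,ou=Groups,dc=example,dc=com))" \
    -h dc1.example.com

acl authenticated   proxy_auth REQUIRED
acl unlimited_users external ad_group Proxy-Unlimited
acl limited_users   external ad_group Proxy-Limited
acl blocked_sites   dstdomain "/etc/squid/blocked_domains.txt"

# --- Policy -----------------------------------------------------------------
# Order matters: the first matching http_access line wins.
http_access allow unlimited_ips                 # Option A: trusted addresses
http_access deny  !authenticated                # triggers the 407 challenge
http_access allow unlimited_users               # AD group: no filtering
http_access deny  limited_users blocked_sites   # AD group: filtered
http_access allow limited_users
http_access deny  all                           # everyone else (logged)
```

Two caveats worth knowing before relying on this. Basic auth (Option B) sends the domain password base64-encoded on every request to the proxy, so it belongs only on a trusted LAN segment, and the bind account in `ldap_bind.pw` should be a read-only user with no other rights. For Kerberos (Option C) Squid must be able to read the service keytab (for example by exporting `KRB5_KTNAME` in Squid's startup environment), and the browser must trust the proxy host for Negotiate (Internet Explorer/Edge treat it as intranet; Firefox needs `network.negotiate-auth.trusted-uris`); otherwise clients quietly fall back to the prompt the thread is trying to avoid. Check `cache.log` for helper errors and `access.log`'s user column to confirm which scheme each client actually used.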

