HPE Community
Operating System - Linux
1752509 Members
5006 Online
108788 Solutions
New Discussion

Re: Need to integrate Active directory group with Linux proxyserver

 
Sreer
Valued Contributor

‎01-07-2013 10:24 AM

‎01-07-2013 10:24 AM

Need to integrate Active directory group with Linux proxyserver

Hi Gurus,

 

I have a proxy server running in my Linux server. My requirement is to integrate the  windows AD group [say 50 members]

 

to this proxy. & those users shoud be able to access few  filtered sites.Could you tell me how can i implement this. iam new to proxy server environment.

 

Thanks in advance for your help.

 

Rgds

Sree

0 Kudos
Reply
1 REPLY 1
Matti_Kurkela
Honored Contributor

‎01-07-2013 02:35 PM

‎01-07-2013 02:35 PM

Re: Need to integrate Active directory group with Linux proxyserver

First, you'll need to identify the name and version of the proxy server software. Assuming that you are talking about a web proxy, then Squid ( http://www.squid-cache.org/ ) is a commonly used one.

 

Second, you'll need to know the protocol(s) your client browsers can use to send authentication information to the proxy. Since you are talking about AD groups, your clients are probably Microsoft Windows systems, and the appropriate protocols are NTLM and HTTP Negotiate (also known as SPNEGO). Of these two, NTLM is old and ugly: unless you must maintain clients with browsers older than IE 5.01, you should primarily use Negotiate.

 

Within Negotiate, there can be two sub-protocols: Negotiate/Kerberos and Negotiate/NTLM. In modern AD environments, Negotiate/Kerberos seems to be the preferred one.

 

It would be nice to offer basic authentication too, as an ultimate fallback option: who knows, some day the CEO might buy the newest iPad 9/Nexus 9000 tablet or some other Cool Thing and want you to make it work in the company WLAN.

 

Third, your proxy server needs to be authorized by the AD administrators to access the authentication information. The AD won't allow just anyone access the authentication information: the proxy server needs to have a "computer account" in the AD. That's something you need to do with the AD administrator.

To make Kerberos work, your proxy server needs to have its clock in correct time, so implementing NTP time synchronization is a good idea.

 

If your web proxy software is Squid, then start reading here:

http://wiki.squid-cache.org/Features/Authentication

http://wiki.squid-cache.org/Features/NegotiateAuthentication

 

This seems to be a complete list of configuration steps for Squid version 3 and AD. It's written for Debian Linux, but the configuration should be very similar for other Linux distributions too:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

MK
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.