Need to integrate Active directory group with Linux proxyserver

Sreer
Valued Contributor

Need to integrate Active directory group with Linux proxyserver

Hi Gurus,

I have a proxy server running on my Linux server. My requirement is to integrate the Windows AD group [say 50 members] to this proxy, and those users should be able to access a few filtered sites. Could you tell me how I can implement this? I am new to the proxy server environment.

Thanks in advance for your help.


Rgds

Sree

1 REPLY
Matti_Kurkela
Honored Contributor

Re: Need to integrate Active directory group with Linux proxyserver

First, you'll need to identify the name and version of the proxy server software. Assuming that you are talking about a web proxy, then Squid ( http://www.squid-cache.org/ ) is a commonly used one.


Second, you'll need to know the protocol(s) your client browsers can use to send authentication information to the proxy. Since you are talking about AD groups, your clients are probably Microsoft Windows systems, and the appropriate protocols are NTLM and HTTP Negotiate (also known as SPNEGO). Of these two, NTLM is old and ugly: unless you must maintain clients with browsers older than IE 5.01, you should primarily use Negotiate.


Within Negotiate, there can be two sub-protocols: Negotiate/Kerberos and Negotiate/NTLM. In modern AD environments, Negotiate/Kerberos seems to be the preferred one.


It would be nice to offer basic authentication too, as an ultimate fallback option: who knows, some day the CEO might buy the newest iPad 9/Nexus 9000 tablet or some other Cool Thing and want you to make it work in the company WLAN.


Third, your proxy server needs to be authorized by the AD administrators to access the authentication information. The AD won't allow just anyone to access the authentication information: the proxy server needs to have a "computer account" in the AD. That's something you need to do with the AD administrator.

To make Kerberos work, your proxy server needs to have its clock in correct time, so implementing NTP time synchronization is a good idea.


If your web proxy software is Squid, then start reading here:

http://wiki.squid-cache.org/Features/Authentication

http://wiki.squid-cache.org/Features/NegotiateAuthentication


This seems to be a complete list of configuration steps for Squid version 3 and AD. It's written for Debian Linux, but the configuration should be very similar for other Linux distributions too:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

MK
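Added illustration (not part of the reply above): a squid.conf fragment that wires together the pieces the reply describes, Negotiate/Kerberos first, Basic against AD as the fallback, an AD group check, and a site whitelist. The realm EXAMPLE.COM, host names, the group name ProxyUsers, the bind account, the keytab path and the helper locations are all assumed; helper names are those shipped with Squid 3.2 and later, so check your own version's paths before use.

```conf
# Added example squid.conf fragment; all names, paths and realm are assumptions.
# Prerequisites from the reply: a computer account / keytab for HTTP/proxy.example.com
# issued by the AD admins, and NTP so Kerberos tickets validate.

# 1. HTTP Negotiate (Kerberos): what current Windows browsers try first.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM -k /etc/squid/proxy.keytab
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on

# 2. Basic auth against AD as the last-resort fallback for clients without Kerberos.
#    The bind password lives in a root-only file, never in squid.conf itself.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=example,dc=com" -D "cn=squid,cn=Users,dc=example,dc=com" -W /etc/squid/ldappass.txt -f "sAMAccountName=%s" -h dc1.example.com
auth_param basic children 5
auth_param basic realm Corporate proxy
auth_param basic credentialsttl 1 hour

# 3. Authorization: map the authenticated login name to membership of the AD group.
#    Results are cached (ttl) so the DC is not queried on every request.
external_acl_type ad_group ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g ProxyUsers@EXAMPLE.COM

acl auth_users  proxy_auth REQUIRED
acl proxy_group external ad_group
# One destination domain per line, e.g. ".example.org"
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"

# 4. Rule order matters: first force the 407 challenge, then the group check,
#    then the site filter, and deny everything that did not match explicitly.
http_access deny  !auth_users
http_access deny  !proxy_group
http_access allow proxy_group allowed_sites
http_access deny  all
```

Basic auth transmits the password only base64-encoded, so keep that fallback limited to the internal network and confirm in access.log which scheme each client actually negotiated.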