<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html><head>

<title>SquidGuard </title>

<meta name="keywords" content="Squidguard, Squid, Redirector, Proxy, Download, URL, Blacklist, Patches, Source, Software">

<meta name="distribution" content="global">

<link rel="Shortcut Icon" href="/favicon.ico" type="image/x-icon" />

</head>

<body bgcolor="#F0FFFF">

<table bgcolor="#001199" width=100%>

<tr><td bgcolor="#8EE5EE">



<center>

<h2><img alt="" src="/Logos/squidGuard.gif" align=middle> SquidGuard </h2>

</center>



<table border=0 bgcolor="#001199" width=100%>

<tr>

<th><a href="/index.html" target=_top><font color=white>HOME</font></a></th>

<th><a href="/download.html" target=_top><font color=white>Downloads</font></a></th>

<th><a href="/Doc/" target=_top><font color=white>Documentation</font></a></th>

<th><a href="/Devel/" target=_top><font color=white>Development</font></a></th>

<th><a href="/blacklists.html" target=_top><font color=white>Blacklists</font></a></th>

<th><a href="/Contrib/" target=_top><font color=white>Contributions</font></a></th>

<th><a href="/impressum.html" target=body><font color=white>Contact</font></a></th>

</tr>

</table>



<table border=0 width=100%>

<tr><td width=85% bgcolor="#8EE5EE" valign=top>





<br><br>
<h2> &nbsp; Using Authentication in SquidGuard</h2>
<br>
<center>
<table width=97%>
<tr><td align=left>

Sometimes it is convenient to allow different user a different
kind of access. SquidGuard has the possibility to decide based
on the username what this user may have access to.<br>
There are different ways how to setup user authentication:
<ul>
<li> defining users directly in squidGuard</li>
<li> using LDAP roles (this implies that you either use squidGuard 1.2.1 or
higher or have patched your squidGuard with the
<a href=" http://www.netdirect.ca/software/category.php?cat=SquidGuard">LDAP
patches from Chris Frey</a>; you may wish to read 
<a href="/Doc/ldap.html">Tips for using LDAP</a> to avoid problems).<li>
<li> retrieving users from a MySQL database (requires squidGuard 1.4
or higher) </li>
</ul>
In each case you must configure your squid proxy to perform user
authentication. In order to achieve this you must configure your squid to
authenticate your users. A simple way to add user authentication
to squid is the usage of the old ncsa_auth utility. By adding
the following three lines to your squid.conf you can enable
authenication:
<pre>
auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/squid.passwd
acl password proxy_auth REQUIRED
http_access allow password
</pre>
Please note that the path to your squid password file and to ncsa_auth
may differ on your system. While you can choose for yourself where
you want to put your squid password file, ncsa_auth has a fixed
location (use <em>find</em> or <em>locate</em> to obtain the correct
path).<br>
There are other means of authentication in squid as well. Please refer
to the <a href="http://www.squid-cache.org">squid site</a> for more
information.<br><br> 

<ol>
<li> <b>Defining users in squidGuard</b><br><br>

To grant access based on usernames you have two choices: you can 
explicitly name the users with the <tt>user</tt> tag in your squidGuard.conf
or you can enter the names to a file (recommended when dealing with
many usernames) and use the <tt>userlist</tt> tag. In both cases you
have to include the user definition within a source acl enviroment.
The next two examples show how to use the <tt>user</tt> and the
<tt>userlist</tt> tag:

<br><br>
<table width="75%" cellpadding="0" cellspacing="0" style="background-color: #f2fff0; border: solid 1px #4455bb;">
<tr>
<td style="background-color: #223499; border-bottom: 1px solid #888;"> 
<font size="-1" color=white>Including usernames in squidGuard.conf </font>
</td></tr>
<tr>
<td>
<pre> src department1 {
     user maria josef susanna micheal george1 
 }
</pre>
</td></tr>
</table>
<br>
In this example five users are grouped into the source <em> development</em>.
This source is used to grant or deny access to defined categories (see the 
acl definition after the next example).<br>
You can use numbers in usernames. Unfortunately there is currently a bug
in squidGuard giving errors when using usernames consisting entirely of
numbers. In this case use the <tt>userlist</tt> (see next example) to
regulate user access.
<br><br>
<table width="75%" cellpadding="0" cellspacing="0" style="background-color: #f2fff0; border: solid 1px #4455bb;">
<tr>
<td style="background-color: #223499; border-bottom: 1px solid #888;">
<font size="-1" color=white>Including userlists in squidGuard.conf </font>
</td></tr>
<tr>
<td>
<pre> src department1 {
     userlist dep1users
 }
</pre>
</td></tr>
</table>
<br>
In this example the squidGuard configuration points to a file, here called
dep1users, where the users can be found. The location of the userlist file
is relativ to the path of your defined <tt>dbhome</tt>.<br>
The userlist file is a normal text file of the following format:
<tt>
user1<br>
user2<br>
user3<br>
user4<br>
user5<br>
</tt>
and so on.<br><br>
Once you have defined your users you must configure which user(group)
has access to which destination. This is done in the <tt>acl</tt> part
of your squidGuard.conf:<br>
<br> 
<div style=width:700px;overflow:auto>
<table width="75%" cellpadding="0" cellspacing="0" style="background-color: #f2fff0; border: solid 1px #4455bb;">
<tr>
<td style="background-color: #223499; border-bottom: 1px solid #888;">
<font size="-1" color=white>Defining userbased access </font>
</td></tr>
<tr>
<td>
<pre> acl {
     department1 {
         pass !porn !hacking !warez all
         redirect http://localhost/cgi/blocked?clientaddr=%a&clientuser=%i&clientgroup=%s&url=%u
     }
     default {
         pass white none 
         redirect http://localhost/cgi/blocked?clientaddr=%a&clientuser=%i&clientgroup=%s&url=%u
     }
 }   
</pre>
</td></tr>
</table>
</div>
<br>
In this example the department1 user may access all websites except those
listed in the porn hacking and warez categories. All other users are only
allowed to access what is listed in the white category (whitelisting). Of
course you have to define the destinations before setting up the acl. :-)<br>

<br><br>
<li> <b>Using LDAP</b><br><br>
Like in the example before you have to specify in the <tt>src</tt>
enviroment where the user information can be found. Additionally
you have to define some LDAP specific tags: You must name the 
upper part of the LDAP directory tree and a password to access
the user information (unless you use anonymous bind, which due
to security considerations is not always recommended).<br>
The following LDAP specific tags exist:<br><br>

<table border=0 cellpadding=2 cellspacing=2>
<tr>
<td valign=top>ldapusersearch</td><td> This keyword goes in the <tt>src</tt> config block, and
                       specifies an LDAP URL to use to search for an unknown
                       user name.<br>

                       You can specify multple LDAP URLs per Source block.<br>

                       Use '%s' to reference the username in your LDAP URL.<br>

                       If the search returns a record, the user is considered
                       "found", otherwise the next URL in the same Source
                       block is tried.<br>

                       SquidGuard caches the "found" state of each search,
                       even when a user name is not found.  The cache
                       is valid for ldapcachetime seconds.</td>
</tr><tr>
<td valign=top>ldapcachetime</td><td> This global keyword specifies the number of seconds
                       to cache LDAP search results before contacting
                       the LDAP server again.  This keyword is global and
                       must go outside any Source/Destination/Rule blocks.<br>

                       Setting this value to a reasonably low value can
                       allow simulation of near-realtime user groupings
                       in LDAP without restarting squidguard.<br>

                       Recommended value: 300</td>
</tr><tr>
<td valign=top>ldapbinddn</td><td> This global keyword specifies the DN to bind to
                       the LDAP server as.</td>
</tr><tr>
<td valign=top>ldapbindpass</td><td> Password to bind to the LDAP server. This is a
                       global keyword.</td>
</tr><tr>
<td valign=top>ldapprotover</td><td> This denotes the LDAP protocol version. It is a global keyword.
                       Use this to force squidGuard to connect to the
                       LDAP server with a certain protocol version.  If
                       unable to use the specified protocol version,
                       squidguard will enter emergency mode.<br>
                       Valid values: 2 or 3</td>
</tr>
</table>
<br><br>
Example configuration:<br>
<br>
<div style=width:700px;overflow:auto>
<table width="75%" cellpadding="0" cellspacing="0" style="background-color: #f2fff0; border: solid 1px #4455bb;">
<tr>
<td style="background-color: #223499; border-bottom: 1px solid #888;">
<font size="-1" color=white>LDAP specific setting in squidGuard.conf </font>
</td></tr>
<tr>
<td>
<pre> ldapbinddn     cn=root, dc=example, dc=com
 ldapbindpass   myultrasecretpassword

 # ldap cache time in seconds
 ldapcachetime  300

 src my_users { 
     ldapusersearch  ldap://ldap.example.com/cn=squidguardusers,ou=groups,dc=example,dc=com?memberUid?sub?(&(objectclass=posixGroup)(memberUid=%s))
  }
</pre>
</td></tr>
</table>
</div>
<br>
When using LDAP for authentication make sure that the settings in your
ldapusersearch line correspond to the user settings 
in your LDAP server. If the usernames of your users are not saved in
"memberUid" but "uid" you have to adapt your ldapusersearch line 
accordingly. The same is true for the value you enter for "objectclass".
You probably habe something like "Person" or "InetOrgPerson" instead.<br>
If the values of ldapusersearch don't match your LDAP user configuration
setting the lookup will fail.
<br><br><br>

<li> <b>Retrieving users from MySQL</b><br><br>

(You need squidGuard version 1.4 or higher to use MySQL for
authentication.)<br>
Like in the examples mentioned above you need to specify the user
lookup in a <tt>src</tt> enviroment.<br>
To tell squidGuard to fetch the users from MySQL you have to provide
the following data:
<br><br>
<table border=0 cellpadding=2 cellspacing=2>
<tr>
<td valign=top>mysqlusername</td><td> This is the username used to connect and
		query the database. This is a global setting (meaning you 
		specify this outside of a <tt>src</tt> environment).
</tr><tr>
<td valign=top>mysqlpassword</td><td> This is the password for the user
		specified with <tt>mysqlusername</tt> to authenticate
		against the database. This is a global setting (meaning you
                specify this outside of a <tt>src</tt> environment).
</tr><tr>
<td valign=top>mysqldb</td><td> This is the datebase withing MySQL which
		holds the tables with the user data.
		This is a global setting (meaning you
                specify this outside of a <tt>src</tt> environment).
</tr><tr>
<td valign=top>userquery</td><td> With this setting you specify the sql
		query to be run to retrieve the usernames. This setting
		must be inside of a <tt>src</tt> environment declaration.
		<b>Attention:</b> The query must not be ended by a 
		trailing ";" and must not contain more than four
		statements.
</tr><tr>
</tr>
</table>

<br><br>
Example configuration:<br>
<br>
<div style=width:700px;overflow:auto>
<table width="75%" cellpadding="0" cellspacing="0" style="background-color:
#f2fff0; border: solid 1px #4455bb;">
<tr>
<td style="background-color: #223499; border-bottom: 1px solid #888;">
<font size="-1" color=white>MySQL specific setting in squidGuard.conf </font>
</td></tr>
<tr>
<td>
<pre> mysqlusername proxyadm
 mysqlpassword mysqlpassword
 mysqldb proxyuser

 src outer { 
 userquery select data from pusers
 }
</pre>
</td></tr>
</table>
</div>
<br>






</td></tr></table>

</td>
<td valign=top>
<br><br><br><br>

<a href="/Doc/index.html"><font color=black>Documentation</font></a>

<hr color="#001199">

<a href="/Doc/install.html"><font color=black>Installation</font></a>

<hr color="#001199">

Configuration</a>

<table border=0 cellspacing=1 cellpadding=1>

<tr><td>&nbsp;<a href="/Doc/configure.html"><font color=black size=-1>Getting started</font></a></td></tr>

<tr><td>&nbsp;<font size=-1>Destination ACLs</font></td></tr>

<tr><td>&nbsp;<font size=-1>Source ACLs</font></td></tr>

<tr><td>&nbsp;<a href="/Doc/redirect.html"><font color=black size=-1>Redirect Rule</font></a></td></tr>

<tr><td>&nbsp;<a href="/Doc/extended.html#times"><font color=black size=-1>Time Constraints</font></a></td></tr>

<tr><td>&nbsp;<a href="/Doc/authentication.html"><font color=black size=-1>Authentication</font></a></td></tr>

<tr><td>&nbsp;<a href="/Doc/expressionlist.html"><font color=black size=-1>Regular Expressions</font></a></td></tr>

<tr><td>&nbsp;<a href="/Doc/examples.html"><font color=black size=-1>Examples</font></a></td></tr>

</table>

<hr color="#001199">

<a href="runtimeops.html" target=body><font color=black>Runtime

Options</font></a>

<hr color="#001199">

<a href="aboutblocking.html"><font color=black>About blocking</font></a>

<hr color="#001199">

<a href="troubleshoot.html"><font color=black>Troubleshooting </font></a>

<hr color="#001199">

<a href="known_issues.html"><font color=black>Known Issues</font></a>

<hr color="#001199">

<a href="other_sources.html"><font color=black>Other Sources</font></a>

<hr color="#001199">



</td></tr>



</table>



<br><br>

<hr width=100%>

<font size=-2>

&nbsp; &copy; Powered by <a href="http://www.shalla.de/">Shalla Secure

Services</a> 2007-2008<br><br>

</font>

</td>

</tr>

</table>



</body>

</html>