Squid authentication via OS X Profile Manager and Active Directory

Updated on 6-Nov-13 for OS X Server 3.0 on Mavericks

My last post was about getting access to OS X Server’s Profile Manager database; this post is about doing something useful with it.

Hypothesis: given live access to data from Profile Manager and Active Directory, it should be easy to write a Squid external_acl_type helper that maps incoming IP addresses to usernames. An optional check for group membership? Trivial. Amirite?!

I was half-right. The lookups weren’t hard, but getting the helper to terminate when Squid wanted it to, and to NOT terminate prematurely, required a little trial-and-error. Turns out Squid keeps its helpers alive by sending them empty lines, so terminating on empty input isn’t such a good idea.

Anyway, here’s the code that has our iPad fleet “authenticating” with our Squid proxy server transparently. It’s been tested on Linux (Ubuntu 12.04 LTS) and OS X. Yes, Python would have been better than PHP, but I’m more fluent in PHP, and the PHP CLI interpreter is efficient enough for this purpose.

Update 23-Dec-2014: this script is now hosted on GitHub.

To use it in squid.conf (assuming you’ve pulled it down to /opt/git/extensions/squid/external_auth.php):

external_acl_type external_auth ttl=300 negative_ttl=5 children-startup=10 children-max=40 children-idle=10 ipv4 %SRC %MYPORT /opt/git/extensions/squid/external_auth.php

acl Apple_Devices external external_auth
acl Staff_Apple_Devices external external_auth staff
acl No_Filter_Devices external external_auth no_filter
acl No_Access_Devices external external_auth no_access

The “staff”, “no_filter” and “no_access” values map to $SQUID_LDAP_GROUP_DN in the configuration file – customise as needed (many groups may be defined).
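As an added illustration (not the PHP script from this post, and not code from the Squid project), here is a Python sketch of the helper protocol described above: Squid hands the helper one line per request in the form `%SRC %MYPORT [group]`, the helper answers `OK` or `ERR` (with a `user=` tag so the username shows up in Squid's logs), empty keepalive lines are ignored rather than treated as end-of-input, and the loop ends only when Squid closes the pipe. The live Profile Manager and Active Directory lookups are replaced by constructed in-memory tables; the IPs, usernames and group DNs are sample values.

```python
import sys

# Constructed stand-ins for the live lookups the post describes:
# Profile Manager maps device IP -> enrolled user, Active Directory
# maps user -> set of group DNs. Sample data, not real records.
PROFILE_MANAGER_IP_TO_USER = {
    "10.0.1.21": "jsmith",
    "10.0.1.22": "student42",
}
AD_USER_GROUPS = {
    "jsmith": {"CN=staff,OU=Groups,DC=example,DC=org"},
    "student42": set(),
}
# Mirrors $SQUID_LDAP_GROUP_DN from the post: acl argument -> group DN.
SQUID_LDAP_GROUP_DN = {
    "staff": "CN=staff,OU=Groups,DC=example,DC=org",
    "no_filter": "CN=no_filter,OU=Groups,DC=example,DC=org",
    "no_access": "CN=no_access,OU=Groups,DC=example,DC=org",
}


def handle_request(line):
    """Answer one request line of the form '%SRC %MYPORT [group]'.
    Returns the reply to send, or None for an empty keepalive line
    (which must NOT terminate the helper)."""
    fields = line.strip().split()
    if not fields:
        return None  # empty line: Squid keepalive, keep running
    src_ip = fields[0]
    group_arg = fields[2] if len(fields) > 2 else None
    user = PROFILE_MANAGER_IP_TO_USER.get(src_ip)
    if user is None:
        return "ERR"  # IP not enrolled in Profile Manager
    if group_arg is not None:
        wanted_dn = SQUID_LDAP_GROUP_DN.get(group_arg)
        if wanted_dn is None or wanted_dn not in AD_USER_GROUPS.get(user, set()):
            return "ERR user=%s" % user  # known device, not in that group
    return "OK user=%s" % user


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop: exit only on EOF (Squid closing the pipe),
    never on an empty line; flush each reply so Squid is not left waiting."""
    for line in stdin:
        reply = handle_request(line)
        if reply is not None:
            stdout.write(reply + "\n")
            stdout.flush()


if __name__ == "__main__":
    serve()
```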

Finally, use your new acls in some access rules, e.g.:

http_access allow localnet Staff_Only_Websites Staff_Apple_Devices
http_access deny localnet Staff_Only_Websites Apple_Devices

Questions? Errata? Do comment.