EFW Support

Support => General Support => Topic started by: zibra on Tuesday 07 September 2010, 02:31:17 am



Title: Squid Proxy authentication based ldap group!
Post by: zibra on Tuesday 07 September 2010, 02:31:17 am
Hi community,
I'd like to authenticate users for accessing Internet via Endian Proxy based group (Using OpenLDAP). I'm using EFW 2.4. I can query groups in my LDAP server from Endian but I can't control accessing Internet by group on LDAP. This is ldif file for a group on my LDAP Server.

dn: cn=Internet,ou=Group,dc=domain,dc=com
userPassword: {crypt}x
objectClass: top
objectClass: posixGroup
cn: Internet
gidNumber: 501
memberUid: user01
memberUid: user02

I've created Access Policy to accessing Internet based group but it didn't effect. At present, Anyone who can authenticate to LDAP server, they can access to Internet. I only want users which belong to Internet group, can access to Internet.

Please give any recommendations.

Many thanks for your regards,


Title: Re: Squid Proxy authentication based ldap group!
Post by: mrkroket on Tuesday 07 September 2010, 06:52:33 am
Check HTTP Proxy Mode. you must set it as non-transparent
Clients are configured to use non transparent proxy?
If yes, delete any http rule on Outgoing firewall.

Endian has two Proxy modes:
-Non-Transparent: You need to reconfigure all your clients to use the HTTP proxy (by default on port 8080). The HTTP proxy doesn't manage the port 80 (HTTP port), it is managed by the Outgoing firewall. So if you have any rule that permits traffic via TCP 80, users can browse via port 80, unrestricted and without proxy.
-Transparent: Endian intercepts HTTP traffic on port 80, so you don't need to reconfigure the client's browser to use proxy. The HTTP proxy manages the port 80 (HTTP port), overriding any rule on the Outgoing firewall.


Title: Re: Squid Proxy authentication based ldap group!
Post by: zibra on Wednesday 08 September 2010, 01:09:20 am
Hi mrkroket,
Thanks for your information.
I'm using Non-transparent Proxy Mode. I've authenticated user to my proxy via openldap. Each time, users want to access to Internet, they must login ldap username/password to authenticate with ldap server. After authenticated, they can access to Internet. These are operating very well. However, I want to restrict accessing to Internet which based ldap group. Only users which belong to ldap group can authenticate and access to Internet, Users which not belong to ldap group, they can't authenticate and access to Internet.

Many thanks,


Title: Re: Squid Proxy authentication based ldap group!
Post by: zibra on Wednesday 06 October 2010, 06:15:30 am
Any ideal? ???


Title: Re: Squid Proxy authentication based ldap group!
Post by: mrkroket on Wednesday 06 October 2010, 06:21:01 am
I'm sorry I only used Active Directory, which is pretty straightforward. Just add users to a group and use that group on a rule.

Do you have your LDAP groups on Endian? Can you assign a group on a rule?


Title: Re: Squid Proxy authentication based ldap group!
Post by: zibra on Wednesday 06 October 2010, 03:17:26 pm
Yes, I can do that. I can see the ldap groups in Endian and assign the group to rule. But the users not belong to Internet group still can authenticate and access to Internet.

Thanks for your regarding,