Squid authentication via OS X Profile Manager and Active Directory

Updated on 6-Nov-13 for OS X Server 3.0 on Mavericks

My last post was about getting access to OS X Server’s Profile Manager database; this post is about doing something useful with it.

Hypothesis: given live access to data from Profile Manager and Active Directory, it should be easy to write a Squid external_acl_type helper that maps incoming IP addresses to usernames. An optional check for group membership? Trivial. Amirite?!

I was half-right. The lookups weren’t hard, but getting the helper to terminate when Squid wanted it to, and to NOT terminate prematurely, required a little trial-and-error. Turns out Squid keeps its helpers alive by sending them empty lines, so terminating on empty input isn’t such a good idea.

Anyway, here’s the code that has our iPad fleet “authenticating” with our Squid proxy server transparently. It’s been tested on Linux (Ubuntu 12.04 LTS) and OS X. Yes, Python would have been better than PHP, but I’m more fluent in PHP, and the PHP CLI interpreter is efficient enough for this purpose.

Update 23-Dec-2014: this script is now hosted on GitHub.

To use it in squid.conf (assuming you’ve pulled it down to /opt/git/extensions/squid/external_auth.php):

external_acl_type external_auth ttl=300 negative_ttl=5 children-startup=10 children-max=40 children-idle=10 ipv4 %SRC %MYPORT /opt/git/extensions/squid/external_auth.php

acl Apple_Devices external external_auth
acl Staff_Apple_Devices external external_auth staff
acl No_Filter_Devices external external_auth no_filter
acl No_Access_Devices external external_auth no_access

The “staff”, “no_filter” and “no_access” values map to $SQUID_LDAP_GROUP_DN in the configuration file – customise as needed (many groups may be defined).

Finally, use your new acls in some access rules, e.g.:

http_access allow localnet Staff_Only_Websites Staff_Apple_Devices
http_access deny localnet Staff_Only_Websites Apple_Devices

Questions? Errata? Do comment.

Under the hood: OS X Server’s Profile Manager

Updated on 6-Nov-13 for OS X Server 3.0 on Mavericks

Let’s say you’re running the MDM software Apple ship with OS X Server, Profile Manager. (You’ve chosen this because you don’t really need the fancy features of Casper and friends.)

Let’s say you’re also running other services that would benefit from live access to Profile Manager’s device metadata, e.g. a Squid proxy that implements MAC-based iOS authentication (because proper proxy authentication has been broken on iOS since forever). “An external_acl_type that could check enrolled device MAC addresses be super-awesome!” you say to yourself.

Where to start?

Turns out, Profile Manager data lives in an embedded PostgreSQL database, and opening it up for remote access is relatively straightforward.

First, you’ll need to modify /Library/Server/ProfileManager/Config/PostgreSQL_config.plist (note: this path has changed in Server 3.0) to enable access over TCP/IP (by default, postgres only listens on a UNIX socket). Edit the existing listen_addresses= entry, and add the last two lines:

<string>-c</string>
<string>listen_addresses=OSX_SERVER_LAN_IP</string>
<string>-c</string>
<string>port=5432</string>

Note: Server 3.0 creates multiple instances of PostgreSQL, one for each service that depends on it, all on different UNIX sockets. Just in case another instance opens PostgreSQL for TCP connections on localhost, I recommend binding the Profile Manager instance to a LAN-facing IP. Alternatively, you could use a non-standard port.

Then tell postgres that any host on your network is allowed to connect with an encrypted password, by adding a line like this to /Library/Server/ProfileManager/Data/PostgreSQL/pg_hba.conf (note: changed in Server 3.0):

host all all 192.168.0.0/16 md5

Almost done! Now you just need to set up a postgres user to connect as. Start by opening a psql session:

sudo -u _devicemgr psql -h /Library/Server/ProfileManager/Config/var/PostgreSQL devicemgr_v2m0

(This entire command has changed in Server 3.0; note particularly the new database name.)

Then you’ll probably want to run a couple of commands like:

CREATE USER squid WITH PASSWORD 'XXXX';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO squid;

If you want to create a more privileged user:

CREATE USER dbadmin WITH PASSWORD 'XXXX';
GRANT ALL ON ALL TABLES IN SCHEMA public TO dbadmin;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO dbadmin;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA public TO dbadmin;

Reboot the server and test with pgAdmin or some other PostgreSQL admin tool.

Oh, and don’t blame me if you break your Profile Manager, or Open Directory, or your entire OS X Server.