Martin and other on the list,
I am new to squid and ldap. I have it compiled with ldap but am having trouble making the query work. I found 2 binaries:
- /usr/local/squid/bin/squid_auth_ldap and
- /usr/lib/squid/squid_ldap_auth
With both I have tried several different queries but none have worked. Here are a few examples of my queries:
./squid_auth_ldap -S ldapsrv1 -s o=mitre.org -U uid=jkamdar
./squid_auth_ldap -S ldapsrv1.mitre.org -s o=mitre.org uid=jkamdar
./squid_auth_ldap -S ldapsrv1.mitre.org -p 389 -s o=mitre.org -U jkamdar
OR
./usr/lib/squid/squid_ldap_auth -h ldapsrv1 -b o=mitre.org uid=jkamdar
./usr/lib/squid/squid_ldap_auth -h ldapsrv1 -b o=mitre.org -f uid=jkamdar -p 389
but none seem to work.
Any idea which one I should use and what the correct syntax is? I have looked at the man page but the example doesn't help.
Thanks in advance.
Please let me know, Jayesh
Martin Richard wrote:
Hi Steve,
I've just finished installing squid with auth on an eDirectory LDAP (Novell 5.11) and after some headaches here's what worked:
1. run configure with --enable-basic-auth-helpers=LDAP
This will compile and install the ldap helper programs
2. test the process from the command line, from your squid installation's /libexec directory:
./squid_auth_ldap \
    -H ldap://YourEDirServerHere \
    -D "cn=validuser,ou=hisOU,O=hisOrg" \
    -w passwordfortheuser \
    -b "ou=something,O=something" \
    -s sub \
    -v 3 \
    -f "(&(&(objectClass=person)(cn=%s))(groupMembership=cn=SquidUsers,ou=groupsOU,O=groupsOrg))"
Here's what all of this does:
-H indicates your ldap server in URI format
-D is the full DN of a user who can connect to the tree. I created a SquidSrv user for this here.
-w is that user's password
-b is the highest point in your tree where you want to start searching (i.e. you can limit to an OU instead of searching the WHOLE tree each time)
-s sub allows searching the subtree starting at the -b point
-v 3 is for LDAP version 3
-f is the LDAP search filter. This particular one searches for a person object with the specified username (the %s) that is a member of the SquidUsers group (a group I created for allowing net access here)
When you run that, you'll get a waiting cursor.. the program waits for input from STDIN.. to test, simply enter a username and a password to test for authentication.. you'll get OK if the username is valid and the password good, or ERR if anything failed. CTRL-D will end the session..
GOTCHA: by default, eDirectory won't accept cleartext passwords. You have to use ldaps:// to use the SSL port or use the -Z switch to use TLS over the normal TCP port.. I didn't want to figure out what was wrong with my ssl certificate, so I just configured the ldap server to accept cleartext passwords from ConsoleOne.. that's one fight I'm keeping for a less busy moment :)
3. when everything is working, put the command you used in your squid config **all on one line**..
auth_param basic program /path/to/libexec/squid_auth_ldap -etcetcetc
And use it in an ACL
acl Verified proxy_auth REQUIRED
And allow the traffic on that ACL
http_access allow Verified all
http_access deny all
The 2nd line is to restrict anyone who couldn't be auth'd.. adjust according to your own acl's and policies..
Hope this helps !
Martin
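Added example, not from this thread or from Squid itself: a Python stand-in for the helper loop Martin describes (read "username password" from STDIN, answer OK or ERR), using his search filter with the login name substituted for %s. The sample entries, their passwords and the filter matcher are constructed assumptions standing in for the real eDirectory bind and search; the username is escaped as RFC 4515 requires before it goes into the filter.

```python
import re

# Search filter from Martin's command; the helper replaces %s with the login name.
FILTER_TEMPLATE = ("(&(&(objectClass=person)(cn=%s))"
                   "(groupMembership=cn=SquidUsers,ou=groupsOU,O=groupsOrg))")

# Constructed sample entries standing in for the eDirectory tree (not a real directory).
SAMPLE_DIRECTORY = [
    {"password": "s3cret", "objectClass": ["person"], "cn": ["jkamdar"],
     "groupMembership": ["cn=SquidUsers,ou=groupsOU,O=groupsOrg"]},
    {"password": "guest", "objectClass": ["person"], "cn": ["guest"],
     "groupMembership": []},
]

# One (attribute=value) equality assertion inside the filter.
ASSERTION = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def escape_filter_value(value):
    """Escape a value for use inside a search filter, as RFC 4515 requires."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def build_filter(username, template=FILTER_TEMPLATE):
    """Substitute the login name into the -f filter the way the helper does."""
    return template.replace("%s", escape_filter_value(username))


def matches(entry, ldap_filter):
    """The template is a pure AND of equality assertions, so each one must hold.
    Values are compared in escaped form so an escaped username still matches."""
    for attr, value in ASSERTION.findall(ldap_filter):
        if value not in [escape_filter_value(v) for v in entry.get(attr, [])]:
            return False
    return True


def authenticate(username, password):
    """Mimic the helper: search with the filter, then check the password of the one hit."""
    hits = [e for e in SAMPLE_DIRECTORY if matches(e, build_filter(username))]
    if len(hits) != 1:          # unknown user, or not in SquidUsers -> ERR
        return False
    return hits[0]["password"] == password   # stands in for the bind as the found user


def helper_reply(line):
    """One round of the basic-auth helper protocol: 'username password' -> 'OK' / 'ERR'."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    return "OK" if authenticate(parts[0], parts[1]) else "ERR"
```

Feeding it lines from STDIN in a loop, as the real helper does, gives the same OK/ERR answers Martin's command-line test produces.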
On Thu, 17 Mar 2005 16:33:13 +1100, Steven Adams <steve@xxxxxxxxxxxxx> wrote:
Hi,
I would like to get LDAP auth working with Squid over my EDIR Tree.
I would like to auth based on what group the user is in and then have an acl from there.
Can anyone point me in the right direction, maybe docs or something to get this working? I have read on the auth_ldap_users (I think it is) but was not really able to find much good doco on how to do it with groups.
Thanks! Steve