Search squid archive

Re: [squid-users] Squid 2.5 w/ LDAP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

Thanks for the reply.

What i actually want to do is depending on which group the user is depends how much access they get.

Eg group "somesites" gets access to only some sites.. Group "allsites" gets access to all sites.

Is this possible, as far as i can see it only works with one group?

I tried what you said below, how do u actually enter the username and password in because all i get back if i type

<username>

ERR

Thanks
Steve

Martin Richard wrote:

Hi Steve,

 I've just finished installing squid with auth on a eDirectory LDAP
(Novel 5.11) and after some headaches here's what worked

 1. run configure with --enable-basic-auth-helpers=LDAP

 This will compile and install the ldap helper programs

 2. test the process from the command line, from your squid
installation's /libexec directory:

 ./squid_auth_ldap \
    -H ldap://YourEDirServerHere \
    -D "cn=validuser,ou=hisOU,O=hisOrg" \
    -w passwordfortheuser \
    -b "ou=something,O=something" \
    -s sub \
    -v 3 \
    -f "(&(&(objectClass=person)(cn=%s)) \
               (groupMembership=cn=SquidUsers,ou=groupsOU,O=groupsOrg))"

 Here's what all of this does:

 -H indicates your ldap server in URI format
 -D is a user's full DN who can connect to the tree. I created a
SquidSrv user for this here.
 -w is that users password
 -b is the highest point in your tree where you want to start
searching (ie you can limit to an OU instead of searching the WHOLE
tree each time)
 -s sub allows to search the subtree starting at the -b point
 -v 3 is for LDAP version 3
 -f is the LDAP search filter. This perticular one search for a
person object with the specified username (the %s) and member of the
SquidUsers group (group I created for allowing net access here)

 When you run that, you'll get a waiting cursor.. the program waits
for input from STDIN.. to test simply enter a username and a password
to test for authentication.. you'll get OK if the username is valid
and the password good, or ERR if anything failed. CTRL-D will end the
session..

 GOTCHA: by default, eDirectory won't accept cleartext passwords. You
have to use ldadps:// to use the SSL port or use the -Z switch to use
TLS over the normal TCP port.. I didnt want to figure out what was
wrong with my ssl certificate, so I just configure the ldap server to
accept cleartext password from Console One.. that's one fight I'm
keeping for a less busy moment :)

 3. when everyting is working, put the command you used in your squid
config **all on one line**..

   auth_param basic program /path/to/libexec/squid_auth_ldap -etcetcetc

 And use it in an ACL

   acl Verified proxy_auth REQUIRED

 And allow the traffic on that ACL

   http_access allow Verified all
   http_access deny all

 The 2nd line is to restrict anyone who couldn't be auth'd.. adjust
according to your own acl's and policies..

 Hope this helps !

 Martin

On Thu, 17 Mar 2005 16:33:13 +1100, Steven Adams <steve@xxxxxxxxxxxxx> wrote:


Hi,

I would like to get LDAP auth working with Squid over my EDIR Tree.

I would like to to auth based on what group the user is in and then have
an acl from there.

Can anyone point me in the right direction, maybe docs or something to
get this working, i have read on the auth_ldap_users (i think it is) but
was no really able to find much good doco on how to do it with groups.

Thanks!
Steve










[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux