Hi,
Thanks for the reply.
What I actually want to do is have the amount of access depend on which group the user is in.
E.g. group "somesites" gets access to only some sites; group "allsites" gets access to all sites.
Is this possible? As far as I can see it only works with one group.
I tried what you said below, but how do you actually enter the username and password, because all I get back if I type
<username>
ERR
Thanks Steve
Martin Richard wrote:
Hi Steve,
I've just finished installing squid with auth on an eDirectory LDAP (Novell 5.11), and after some headaches here's what worked:
1. run configure with --enable-basic-auth-helpers=LDAP
This will compile and install the ldap helper programs
2. test the process from the command line, from your squid installation's /libexec directory:
    ./squid_ldap_auth \
        -H ldap://YourEDirServerHere \
        -D "cn=validuser,ou=hisOU,O=hisOrg" \
        -w passwordfortheuser \
        -b "ou=something,O=something" \
        -s sub \
        -v 3 \
        -f "(&(&(objectClass=person)(cn=%s))(groupMembership=cn=SquidUsers,ou=groupsOU,O=groupsOrg))"
Here's what all of this does:
    -H  indicates your LDAP server in URI format
    -D  is the full DN of a user who can connect to the tree. I created a SquidSrv user for this here.
    -w  is that user's password
    -b  is the highest point in your tree where you want to start searching (i.e. you can limit it to an OU instead of searching the WHOLE tree each time)
    -s sub  allows searching the subtree starting at the -b point
    -v 3  is for LDAP version 3
    -f  is the LDAP search filter. This particular one searches for a person object with the specified username (the %s) that is a member of the SquidUsers group (a group I created for allowing net access here)
When you run that, you'll get a waiting cursor: the program waits for input on STDIN. To test, simply enter a username and a password (on one line, separated by a space) to test for authentication. You'll get OK if the username is valid and the password good, or ERR if anything failed. CTRL-D will end the session.
GOTCHA: by default, eDirectory won't accept cleartext passwords. You have to use ldaps:// to use the SSL port, or use the -Z switch to use TLS over the normal TCP port. I didn't want to figure out what was wrong with my SSL certificate, so I just configured the LDAP server to accept cleartext passwords from ConsoleOne. That's one fight I'm keeping for a less busy moment :)
3. When everything is working, put the command you used in your squid config **all on one line**:
    auth_param basic program /path/to/libexec/squid_ldap_auth -etcetcetc
And use it in an ACL
    acl Verified proxy_auth REQUIRED
And allow the traffic on that ACL
    http_access allow Verified all
    http_access deny all
The 2nd line is to restrict anyone who couldn't be auth'd. Adjust according to your own ACLs and policies.
Hope this helps !
Martin
On Thu, 17 Mar 2005 16:33:13 +1100, Steven Adams <steve@xxxxxxxxxxxxx> wrote:
Hi,
I would like to get LDAP auth working with Squid over my EDIR Tree.
I would like to auth based on what group the user is in and then have an ACL from there.
Can anyone point me in the right direction, maybe docs or something to get this working? I have read about auth_ldap_users (I think it is) but wasn't really able to find much good doco on how to do it with groups.
Thanks! Steve
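Editor's note (not part of any message in the thread above): the per-group question Steve asks at the top is normally solved in Squid 2.5 not by baking the group into the basic-auth filter, as Martin's filter does, but by keeping authentication and authorisation separate. squid_ldap_auth (the same helper directory Martin describes) only checks the password; squid_ldap_group, driven by external_acl_type, then answers "is this user in group X?" once per group named on an acl line, so several groups can map to several http_access rules. The fragment below is an added illustration, not configuration from the thread. Every hostname, DN, group name, path and password in it is a placeholder; the eDirectory attribute names (groupOfNames/member) and the %u/%g substitution tokens are as documented for Squid 2.5 and should be confirmed against `squid_ldap_group -h` on the installed version, since later releases renamed the tokens.

```conf
# Added example: group-based access with squid_ldap_auth + squid_ldap_group (Squid 2.5).
# All names below are placeholders, not values from the thread.

# 1. Authentication only: does the user exist under -b and is the password right?
#    No group test here; %s is replaced by the login name.
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "ou=users,o=example" -f "(&(objectClass=person)(cn=%s))" -D "cn=SquidSrv,ou=services,o=example" -w ChangeMe -v 3 -h edir.example.com
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# 2. Authorisation: Squid passes the authenticated login (%LOGIN) plus the group
#    named on the acl line. The helper finds the user's DN with -B/-F (%s = login),
#    then tests the group filter, where %u = that user DN and %g = the group name.
#    ttl=300 caches each user/group verdict for five minutes.
external_acl_type ldap_group ttl=300 %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "ou=groups,o=example" -f "(&(objectClass=groupOfNames)(cn=%g)(member=%u))" -B "ou=users,o=example" -F "(&(objectClass=person)(cn=%s))" -D "cn=SquidSrv,ou=services,o=example" -w ChangeMe -v 3 -h edir.example.com

acl Verified     proxy_auth REQUIRED
acl in_allsites  external ldap_group allsites
acl in_somesites external ldap_group somesites
# One destination domain per line, e.g. ".intranet.example", ".example.com"
acl some_sites   dstdomain "/usr/local/squid/etc/somesites.txt"

# Order matters: challenge for credentials first, then widest group, then the
# restricted group limited to its site list, then deny everything else.
http_access deny  !Verified
http_access allow in_allsites
http_access allow in_somesites some_sites
http_access deny  all
```

The same command-line test Martin describes for the auth helper works for the group helper too: run squid_ldap_group with the -b/-f/-B/-F/-D/-w/-h arguments from the external_acl_type line and type `username groupname` on STDIN; it answers OK or ERR per line. A user in both groups simply matches the first allow rule, and a user in neither group is authenticated but denied, which is what `http_access deny all` is for. Keeping the bind password out of squid.conf is possible with -W secretfile on both helpers if the file is readable only by the squid user.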