Matthias Dettling wrote:
grolschie wrote:
Repost, as the first never came through at my end. Sorry if it's a dupe.
---
Hi y'all.
I have searched through the docs, and cannot find a lot on ldap_auth. I use Squid + LDAP instead of SMB to authenticate against our 2003 Server. The problem is that we have two domains that I wish to authenticate against. Is it possible to do this with Squid and LDAP?
Here is my current method:
##################
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=my,dc=domain,dc=org" -D "cn=Administrator,cn=Users,dc=my,dc=domain,dc=org" -w "mypassword" -f sAMAccountName=%s -h 192.168.1.1
auth_param basic children 5
auth_param basic realm Our Proxy
auth_param basic credentialsttl 5 hours
acl localnet proxy_auth REQUIRED src 192.168.1.0/24 192.168.100.0/24
http_access allow localnet
http_access allow localhost
http_access deny all
###################
Is it possible to add another sub-domain into this equation to authenticate against? Our two domains are on the two networks listed above in the localnet ACL, although our sub-domain's DC has an IP address on both networks. I am not sure how to specify two domains and two domain controller IPs in the above.
Sorry if this is a n00b question. I am kinda stuck and you seem to know a lot about this field. Any tips, greatly received. Thanks in advance.
regards, grolschie
Hello grolschie,
there are surely better solutions, but mine works too.
Instead of writing "auth_param basic program /usr/lib/squid/ldap_auth ..." you can use a shell script, like this: "auth_param basic program /shell/script".
The only thing your script should do is write out "OK" or "ERR" to stdout, dependent on the result of your evaluation with /usr/lib/squid/ldap_auth. Many tutorials on writing shell scripts can be found on the net.
I hope this helps.
Regards Matthias
Thanks for that, I will have a google for shell script writing tutorials. How are variables like %s etc. passed through/from to the shell script though? Or does that not need to happen?
regards, D.Radel (aka grolschie)
P.S. I am told that my post was received by the group 4 times. Sorry about that. Must've been a gmail glitch, as only the last email arrived in my inbox via the list - using my ISP's account.
Hello grolschie,
as far as I know, %s isn't a variable that is passed to /usr/lib/squid/ldap_auth; instead it is a variable of that program, which tells it that %s must be replaced with the username.
By the way, the parameters of a shell script can be found in $1, $2, ...
The name, password pair is passed to the script by the auth_param basic program command. What you have to do is read from stdin and pass it to all of your /usr/lib/squid/ldap_auth commands in the script and then evaluate the result.
Reading from stdin can be done by something like this:
--------------------
#!/bin/sh
# Squid sends one "user password" line per request and waits for one
# reply line per request, so read stdin line by line (reading it all at
# once with `cat` would block until Squid closes the pipe)
while read -r INP; do
    # pass the line to /usr/lib/squid/ldap_auth once per domain
    DOM1=`echo "$INP" | /usr/lib/squid/ldap_auth ...`
    DOM2=`echo "$INP" | /usr/lib/squid/ldap_auth ...`
    ...
done
--------------------
Now the only thing you have to do is evaluate DOM1, DOM2, ... and check if one of them equals "OK". Depending on this, execute echo "OK" or echo "ERR".
I hope this helps.
Regards Matthias
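A complete version of the wrapper Matthias sketches, written as an added example for this thread (it is not code posted by anyone on the list). It follows the Squid basic helper protocol: one "username password" line per request on stdin, exactly one "OK" or "ERR" line per request on stdout, and the helper keeps running until Squid closes the pipe. The names dom1_auth, dom2_auth, HELPERS, check_line, serve and the file name squid_multi_ldap.sh are assumptions, as are the base DNs, bind DNs and 192.0.2.x controller addresses, which are placeholders to be replaced with each domain's real values. Each domain's ldap_auth invocation uses the same -R, -b, -D, -w, -f and -h options as the config quoted earlier in the thread; note that a bind password given with -w is visible to other local users in the process list, so the bind account should be a low-privilege read-only account rather than Administrator.

```shell
#!/bin/sh
# Multi-domain wrapper for Squid's basic auth helper (added example, not from
# the thread). Squid runs this once per "auth_param basic children" slot and
# talks to it line by line; the wrapper tries each domain's ldap_auth in turn.

# Bind password per domain; placeholder environment variables (assumed names).
DOM1_BIND_PW=${DOM1_BIND_PW:-change-me}
DOM2_BIND_PW=${DOM2_BIND_PW:-change-me}

# One function per domain, each running ldap_auth with that domain's
# base DN, bind DN and controller address (all placeholders here).
dom1_auth() {
    /usr/lib/squid/ldap_auth -R -b "dc=dom1,dc=example" \
        -D "cn=squid-bind,cn=Users,dc=dom1,dc=example" -w "$DOM1_BIND_PW" \
        -f sAMAccountName=%s -h 192.0.2.1
}
dom2_auth() {
    /usr/lib/squid/ldap_auth -R -b "dc=dom2,dc=example" \
        -D "cn=squid-bind,cn=Users,dc=dom2,dc=example" -w "$DOM2_BIND_PW" \
        -f sAMAccountName=%s -h 192.0.2.2
}

# Order in which the domains are tried (assumed name).
HELPERS="dom1_auth dom2_auth"

# Feed one request line to one helper and print only the first word of its
# first reply line, so "ERR some message" still compares as ERR and a helper
# that prints nothing (e.g. fails to start) yields an empty string, not OK.
ask_helper() {
    printf '%s\n' "$2" | "$1" | awk 'NR == 1 { print $1; exit }'
}

# Decide one request: print OK and return 0 as soon as any domain accepts the
# credentials; otherwise print ERR and return 1. The line is passed through
# unchanged, so whatever encoding Squid applies reaches ldap_auth as-is.
check_line() {
    for h in $HELPERS; do
        if [ "$(ask_helper "$h" "$1")" = "OK" ]; then
            echo OK
            return 0
        fi
    done
    echo ERR
    return 1
}

# Protocol loop: one reply per request line, for as long as Squid keeps the
# pipe open. Never read stdin in one go, or Squid waits forever.
serve() {
    while IFS= read -r line; do
        check_line "$line"
    done
}

# Only enter the loop when run as the installed script (assumed file name),
# so the functions above can also be sourced and exercised on their own.
case "${0##*/}" in
    squid_multi_ldap.sh) serve ;;
esac
```

Install it as, for instance, /usr/lib/squid/squid_multi_ldap.sh (owned by root, executable, not world-readable if the bind passwords live in it) and point squid.conf at it with "auth_param basic program /usr/lib/squid/squid_multi_ldap.sh". Each request spawns one ldap_auth per domain until a match is found, which is what the thread proposes; "auth_param basic credentialsttl" keeps that cost down by caching verdicts.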