D & E Radel wrote:
Matthias Dettling wrote:
Hello grolschie,
As far as I know, %s isn't a variable that is passed to /usr/lib/squid/ldap_auth; instead it is a variable from that program, which tells it that %s must be replaced with the username.
By the way, parameters of a shell script can be found in $1, $2, ...
The name, password pair is passed to the script by the auth_param basic program command. What you have to do is read from stdin, pass it to all of your /usr/lib/squid/ldap_auth commands in the script, and then evaluate the result.
Reading from stdin can be done by something like this:
--------------------
#!/bin/sh
# reading stdin
INP=`cat`
# pass stdin to /usr/lib/squid/ldap_auth
DOM1=`echo $INP | /usr/lib/squid/ldap_auth ...`
DOM2=`echo $INP | /usr/lib/squid/ldap_auth ...`
...
--------------------
Now the only thing you have to do is evaluate DOM1, DOM2, ... to see if one of them equals "OK", and depending on this execute echo "OK" or echo "ERR".
I hope this helps.
Regards
Matthias
Wow! Thanks big time Matthias! :-)
So the evaluation should be something like this?
if [ "$DOM1" = "OK" ]; then
    echo "OK"
elif [ "$DOM2" = "OK" ]; then
    echi "OK"
else
    echo "ERR"
fi
I would never have got that "INP=`cat`" and "echo $INP" stuff. I would've feebly attempted something like this:
DOM1=`/usr/lib/squid/ldap_auth ...`
DOM2=`/usr/lib/squid/ldap_auth ...`
...followed by the above evaluation.
Thanks a lot for your help. I shall give this a blast tomorrow when I am in front of the box.
Kind regards,
grolschie
Hello grolschie,
Yes, that's what I meant.
But note that there is a little typo.
Instead of echi you should of course write echo.
Then it should work.
Please tell me about the result of your attempt.
Regards
Matthias
Hi Matthias (and anyone else reading this)
I have tried the solution and cannot get it working. I replaced this line:
auth_param basic program /usr/lib/squid/ldap_auth ......
with a reference to my script:
"auth_param basic program /etc/squid/multi_domains.sh"
The /etc/squid/multi_domains.sh was chmod 777'ed and contains:
#!/bin/sh
# Reading stdin from Squid
INP=`cat`
# Pass stdin to /usr/lib/squid/ldap_auth
DOMAIN1=`echo $INP | /usr/lib/squid/ldap_auth -R -b "dc=......" -D "cn=Administrator,cn=Users,dc=..........." -w "........." -f sAMAccountName=%s -h 192.168.1.1`
# Just spit out the result for now
echo $DOMAIN1
Note that this was just a test to make sure the first part worked before querying two domains and evaluating. The result was that I received the authentication prompt in my browser. If I got the password wrong it would ask up to 2 more times then access denied, but if I got it correct the browser would just hang then time out.
Something weird is going on, because if I add the following command to the beginning, it gets ignored when ldap_auth calls it:
echo "hello" >/etc/squid/tmp.txt
Or is that just a permissions issue? If I run the script from console, it writes the tmp.txt file.
The fact that authentication fails on bad password and hangs on ok password tells me that the LDAP part is working. However, the passing of the stdout back to Squid does not seem to be working. The weird thing is that Squid knows when I get the password wrong 3 times.
Regards,
Dietrich (aka grolschie)
Hello grolschie,
I'm very sorry that it doesn't work at first go.
I didn't understand where you added this line:
echo "hello" >/etc/squid/tmp.txt
but I advise you first to test the username password pair on the command line before you do that with squid and a browser.
This is very easy.
Type the following on the shell:
echo "username password" | /usr/lib/squid/ldap_auth ...
If you get an OK or an ERR this works at least.
If it works then type in this:
echo "username password" | /etc/squid/multi_domains.sh
There you should get the same result as before.
At the moment I don't have the possibility to test the script in a working environment, but at the weekend I will do so.
Regards,
Matthias
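The hang reported above is consistent with how Squid drives a basic-auth helper: it keeps the helper running and writes one "username password" line per request, so INP=`cat` waits for an end-of-file that never arrives. The script below is an added example, not code from either poster; the domain1_helper/domain2_helper functions and the `serve` argument are assumptions, and the stub helper with its sample credentials is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): answer Squid one request line at a
# time instead of reading all of stdin with `cat`.

# stub_helper ACCEPTED: constructed stand-in for ldap_auth. Reads one
# "username password" line on stdin, prints OK on a match, ERR otherwise.
stub_helper() {
    IFS= read -r got
    if [ "$got" = "$1" ]; then echo OK; else echo ERR; fi
}

# Hypothetical per-domain helpers. In production each body would be the
# site's own /usr/lib/squid/ldap_auth command line for that domain.
domain1_helper() { stub_helper "alice secret1"; }
domain2_helper() { stub_helper "bob secret2"; }

# check_line LINE: print OK if any domain helper accepts LINE, else ERR.
check_line() {
    for helper in domain1_helper domain2_helper; do
        # Quoted printf, not `echo $INP`: the line is passed through
        # unchanged, with no word splitting or globbing of the password.
        # A helper that fails or prints nothing counts as ERR (fail closed).
        reply=$(printf '%s\n' "$1" | "$helper" 2>/dev/null) || reply=ERR
        case $reply in
            OK*) echo OK; return 0 ;;
        esac
    done
    echo ERR
}

# serve: one reply line per request line, until Squid closes stdin.
serve() {
    while IFS= read -r line; do
        check_line "$line"
    done
}

# Run the loop only when invoked as: multi_domains.sh serve
if [ "${1:-}" = serve ]; then
    serve
fi
```

With the stubs replaced by the real ldap_auth command lines, the auth_param basic program line would name this script followed by the serve argument. The script only needs to be readable and executable by the user Squid runs as, not mode 777.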