
Squid client (squid_ldap_auth) doesn't send certificate to LDAP server

OS: Red Hat Enterprise Linux 4 update 1
squid version: squid-STABLE9-7
patch for squid_ldap_auth:
squid-2.5.STABLE10-ldap_auth-U.patch

OpenLDAP server: rhel4.example.com
Squid server: nattapon.example.com


### squid server (nattapon.example.com)
The command 'ps faux' shows that squid starts 'squid_ldap_auth' with user squid privileges.

/etc/passwd
squid:x:23:23::/var/spool/squid:/bin/bash

/var/spool/squid/ldaprc
HOST rhel4.example.com
BASE o=mycompany
TLS_REQCERT demand
TLS_KEY /etc/openldap/certs/cluster1.key
TLS_CERT /etc/openldap/certs/cluster1.crt
TLS_CACERT /etc/openldap/certs/demoCA/cacert.pem

When I integrate squid_ldap_auth with squid by putting the following entry in /etc/squid/squid.conf:

auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -Z -b "o=mycompany" -D "cn=manager,o=mycompany " -w "secret" -f "cn=%s" rhel4.example.com

users cannot authenticate correctly.

But when I run ldapsearch with STARTTLS or squid_ldap_auth from the command line, both authenticate successfully:
su - squid
ldapsearch -x -ZZ -D cn=user1 -w password
echo "user1 password " | /usr/lib/squid/squid_ldap_auth -Z -v 3 -D cn=manager,o=mycompany -w secret -b o=mycompany -f 'cn=%s' rhel4.example.com

Debug output from rhel4.example.com (the LDAP server) shows that it cannot verify the client cert when a user authenticates via web browser:
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:1993

From ldapsearch and the squid_ldap_auth command line, both authenticate correctly, but after I integrate squid_ldap_auth into squid it looks like squid doesn't look into /var/spool/squid/ldaprc to send the client certificate.

So I modified /etc/openldap/slapd.conf, changing "TLSVerifyClient demand" to "TLSVerifyClient never", and then users can authenticate correctly with the LDAP server.


So, is there any way to tell squid to send the client certificate to the LDAP server?

Regards,

Nattapon
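An added example, not part of the original post and not squid's or OpenLDAP's own code: the shell script below emulates the order in which libldap reads client settings according to ldap.conf(5) (system ldap.conf, then $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc, the file named by $LDAPCONF, $LDAPRC, and last the LDAP<OPTION> environment variables), including the rule that TLS_CERT and TLS_KEY are "user-only" options that are ignored in ldap.conf and in the $LDAPCONF file. It rebuilds the poster's layout in a temporary directory (constructed data; the paths are stand-ins) and resolves TLS_CERT for an interactive `su - squid` shell, for a helper child of squid that inherits no HOME and a different cwd, and for the same helper started with HOME exported. That squid's helper runs without HOME, or with a HOME other than /var/spool/squid, is an assumption about how the daemon was started; treating LDAPTLS_CERT as overriding the files is my reading of ldap.conf(5) and should be verified on the version in use.

```shell
#!/bin/sh
# Emulation of where libldap (the OpenLDAP client library) looks for settings such
# as TLS_CERT, following the order in ldap.conf(5): system ldap.conf, then
# $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc, then the file named by $LDAPCONF, then
# $LDAPRC (a basename, tried in $HOME and in the cwd), and last the LDAP<OPTION>
# environment variables such as LDAPTLS_CERT. Later sources override earlier ones.
# TLS_CERT and TLS_KEY are "user-only": ldap.conf(5) says they are ignored in
# ldap.conf and in the $LDAPCONF file, so only the per-user files can set them.
# Whether squid's helper sees those files depends on the HOME and cwd it inherits.

# user_only OPTION: true for the options ldap.conf(5) marks user-only.
user_only() {
  case $1 in TLS_CERT|TLS_KEY) return 0 ;; *) return 1 ;; esac
}

# value_from_file OPTION FILE: print the last value of OPTION in FILE, or nothing.
value_from_file() {
  [ -r "$2" ] || return 0
  awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"
}

# resolve_ldap_option OPTION SYSCONF HOME CWD: print the value libldap would use.
# Pass HOME as "" to model a process started without a HOME variable.
resolve_ldap_option() {
  opt=$1; sysconf=$2; home=$3; cwd=$4
  result=""
  # Candidate files, lowest precedence first, tagged s (system-style) or u (user).
  set -- "s:$sysconf"
  if [ -n "$home" ]; then set -- "$@" "u:$home/ldaprc" "u:$home/.ldaprc"; fi
  set -- "$@" "u:$cwd/ldaprc"
  if [ -n "${LDAPCONF:-}" ]; then set -- "$@" "s:$LDAPCONF"; fi
  if [ -n "${LDAPRC:-}" ]; then
    if [ -n "$home" ]; then set -- "$@" "u:$home/$LDAPRC"; fi
    set -- "$@" "u:$cwd/$LDAPRC"
  fi
  for entry in "$@"; do
    kind=${entry%%:*}; f=${entry#*:}
    # user-only options are skipped in system-style files
    if [ "$kind" = s ] && user_only "$opt"; then continue; fi
    v=$(value_from_file "$opt" "$f")
    if [ -n "$v" ]; then result=$v; fi
  done
  # LDAP<OPTION> in the environment (e.g. LDAPTLS_CERT); assumed to override files.
  eval "envv=\${LDAP$opt:-}"
  if [ -n "$envv" ]; then result=$envv; fi
  printf '%s\n' "$result"
}

# setup_sandbox: constructed stand-in for the poster's layout under a temp dir.
# Sets SANDBOX, SYSCONF (fake /etc/openldap/ldap.conf) and SQUID_HOME.
setup_sandbox() {
  SANDBOX=$(mktemp -d)
  SYSCONF=$SANDBOX/etc/openldap/ldap.conf
  SQUID_HOME=$SANDBOX/var/spool/squid
  mkdir -p "$SANDBOX/etc/openldap" "$SQUID_HOME"
  printf 'BASE o=mycompany\nTLS_CACERT /etc/openldap/certs/demoCA/cacert.pem\n' > "$SYSCONF"
  # Same content as the poster's /var/spool/squid/ldaprc.
  cat > "$SQUID_HOME/ldaprc" <<'EOF'
HOST rhel4.example.com
BASE o=mycompany
TLS_REQCERT demand
TLS_KEY /etc/openldap/certs/cluster1.key
TLS_CERT /etc/openldap/certs/cluster1.crt
TLS_CACERT /etc/openldap/certs/demoCA/cacert.pem
EOF
}

# add_cert_to_sysconf: the tempting fix, copying the cert settings into ldap.conf.
add_cert_to_sysconf() {
  printf 'TLS_CERT /etc/openldap/certs/cluster1.crt\nTLS_KEY /etc/openldap/certs/cluster1.key\n' >> "$SYSCONF"
}

demo() {
  setup_sandbox
  echo "su - squid; ldapsearch (HOME=cwd=/var/spool/squid):"
  echo "  TLS_CERT=$(resolve_ldap_option TLS_CERT "$SYSCONF" "$SQUID_HOME" "$SQUID_HOME")"
  echo "helper spawned by squid with no HOME and cwd elsewhere:"
  echo "  TLS_CERT='$(resolve_ldap_option TLS_CERT "$SYSCONF" "" "$SANDBOX")'"
  add_cert_to_sysconf
  echo "same helper after adding TLS_CERT/TLS_KEY to ldap.conf (user-only, ignored):"
  echo "  TLS_CERT='$(resolve_ldap_option TLS_CERT "$SYSCONF" "" "$SANDBOX")'"
  echo "same helper started via a wrapper that exports HOME=/var/spool/squid:"
  echo "  TLS_CERT=$(resolve_ldap_option TLS_CERT "$SYSCONF" "$SQUID_HOME" "$SANDBOX")"
  rm -rf "$SANDBOX"
}
demo
```

To see what the real helper inherits on Linux, look at /proc/PID/cwd and /proc/PID/environ (for example `tr '\0' '\n' < /proc/PID/environ`) for a running squid_ldap_auth process. If HOME is absent or points elsewhere, a small wrapper set as the auth_param program, containing `HOME=/var/spool/squid exec /usr/lib/squid/squid_ldap_auth "$@"`, gives libldap a HOME from which to read the ldaprc; exporting HOME in the init script that starts squid has the same effect. Whichever route is used, keep the key file readable by the squid user only.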


