OS: Red Hat Enterprise Linux 4 update 1
squid version: squid-STABLE9-7
patch for squid_ldap_auth :
squid-2.5.STABLE10-ldap_auth-U.patch
squid-2.5.STABLE10-ldap_auth-U.patch
OpenLdap server: rhel4.example.com
Squid server: nattapon.example.com
### squid server (nattapon.example.com)
from command 'ps faux' it show that squid start 'squid_ldap_auth' with
user squid priviledge
/etc/passwd
squid:x:23:23::/var/spool/squid:/bin/bash
/var/spool/squid/ldaprc
HOST rhel4.example.com
BASE o=mycompany
TLS_REQCERT demand
TLS_KEY /etc/openldap/certs/cluster1.key
TLS_CERT /etc/openldap/certs/cluster1.crt
TLS_CACERT /etc/openldap/certs/demoCA/cacert.pem
When i integrate squid_ldap_auth with squid by put following entry in
/etc/squid/squid.conf like this
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -Z -b
"o=mycompany" -D "cn=manager,o=mycompany " -w "secret" -f "cn=%s"
rhel4.example.com
user cannot authenticate correctly
But When i issue ldapsearch with starttls or squid_ldap_auth , both can
authenticate successful
su - squid
ldapsearch -x -ZZ -D cn=user1 -w password
echo "user1 password " | /usr/lib/squid/squid_ldap_auth -Z -v 3 -D
cn=manager,o=mycompany -w secret -b o=mycompany -f 'cn=%s'
rhel4.example.com
from rhel4.example.com( ldap server ) Debug show that it can not verify
client cert when user authen via web browser
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate s3_srvr.c:1993
From ldapsearch , squid_ldap_auth command line , both can authenticate
correctly but after i integrate squid_ldap_auth into squid it look like
squid dont look into /var/spool/squid/ldaprc to send client certificate
So i modify "/etc/openldap/slapd.conf" change "TLSVerifyClient demand" to
"TLSVerifyClient never"
then user can authenticate correctly with ldap server
So, There have any way to tell squid to send client certificate to ldap
server ?
Regards,
Nattapon
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/