On Mon, 19 Sep 2005, nattapon viroonsri wrote:
When I integrate squid_ldap_auth with squid by putting the following entry in
/etc/squid/squid.conf like this
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -Z -b
"o=mycompany" -D "cn=manager,o=mycompany " -w "secret" -f "cn=%s"
rhel4.example.com
users cannot authenticate correctly.
But when I issue ldapsearch with STARTTLS or run squid_ldap_auth directly, both can
authenticate successfully:
su - squid
ldapsearch -x -ZZ -D cn=user1 -w password
echo "user1 password " | /usr/lib/squid/squid_ldap_auth -Z -v 3 -D
cn=manager,o=mycompany -w secret -b o=mycompany -f 'cn=%s' rhel4.example.com
Odd... the above two are identical from what I can see.
Are there any warnings in cache.log?
From ldapsearch and the squid_ldap_auth command line, both can authenticate
correctly, but after I integrate squid_ldap_auth into squid it looks like
squid doesn't look into /var/spool/squid/ldaprc to send the client certificate.
There is not supposed to be any difference running squid_ldap_auth
manually as your cache_effective_user or as a daemon by Squid.
So, is there any way to tell squid to send the client certificate to the LDAP
server?
From what I can see what you have done should work.
It may be possible to enhance squid_ldap_auth to allow specifying the
client certificate to use explicitly on the command line, but I am not
entirely sure how this is done in the OpenLDAP API. I suppose it is done
using LDAP_OPT_X_TLS_CERTFILE/KEYFILE, but these aspects of the OpenLDAP
API are very poorly documented.
Patches are welcome if you figure out how.
Regards
Henrik
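An added diagnostic, not part of the thread above: the difference between `su - squid` and a helper spawned by the Squid daemon is usually the environment (HOME, working directory, LDAPRC/LDAPCONF), which decides which ldaprc files libldap reads. This script lists the candidate files for a given HOME and cwd and reports the TLS_CERT/TLS_KEY value in effect; it assumes the search order from ldap.conf(5) (system ldap.conf, $LDAPCONF, $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc, then the $LDAPRC variants) with later settings and LDAP<option> environment variables overriding earlier ones, and the system file path (SYSCONF) is a parameter you should set for your distribution.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): which OpenLDAP client config files
# would libldap consult for a given HOME and working directory, and which
# TLS_CERT/TLS_KEY ends up in effect. Search order assumed from ldap.conf(5);
# the system file location differs per distribution, so it is a parameter.
SYSCONF=${SYSCONF:-/etc/openldap/ldap.conf}

# ldaprc_candidates HOME CWD [LDAPRC] [LDAPCONF]
# Prints the candidate files in the order libldap is assumed to read them.
ldaprc_candidates() {
    h=$1; d=$2; rc=$3; conf=$4
    echo "$SYSCONF"
    [ -n "$conf" ] && echo "$conf"
    echo "$h/ldaprc"
    echo "$h/.ldaprc"
    echo "$d/ldaprc"
    if [ -n "$rc" ]; then
        echo "$h/$rc"; echo "$h/.$rc"; echo "$d/$rc"
    fi
    return 0
}

# effective_tls_setting KEY HOME CWD [LDAPRC] [LDAPCONF]
# Prints the last value of KEY (e.g. TLS_CERT) found in the readable candidate
# files; an LDAP<KEY> environment variable (e.g. LDAPTLS_CERT), if set,
# overrides everything. Empty output means no client certificate is configured
# for a helper running with that HOME/cwd, which is the symptom in the thread.
effective_tls_setting() {
    key=$1; shift
    val=""
    for f in $(ldaprc_candidates "$@"); do
        [ -r "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*$key[[:space:]]\{1,\}//p" "$f" | tail -n 1)
        [ -n "$v" ] && val=$v
    done
    envval=$(eval "printf '%s' \"\${LDAP$key:-}\"")
    [ -n "$envval" ] && val=$envval
    printf '%s\n' "$val"
}

# Usage: compare the interactive user's view with the daemon's view, e.g.
#   effective_tls_setting TLS_CERT /var/spool/squid /var/spool/squid
#   effective_tls_setting TLS_CERT / /
```

Run the second form with the HOME and cwd Squid actually gives its helpers (check the process in /proc or with the cache_effective_user's login shell disabled) to see whether the ldaprc that works under `su - squid` is visible to the helper at all.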