Yes, I can in some cases. If I am querying a Windows 2003 DC and the base DN is the base of the domain ("dn=domain,dn=lan") then I get the following:

    squid_ldap_auth: WARNING, LDAP search error 'Operations error'
    ERR Success

But if I specify an ou ("ou=site1,dn=domain,dn=lan") then it works correctly. If I query a Windows 2000 DC then it works either way.

Colin

Hi Colin,

I had a tough time with getting the syntax, can you do command line lookups using squid_ldap_auth?

On Thu, 2005-11-10 at 11:29 -0600, Colin Farley wrote:
> Yes, I have. The searches are being performed by an authenticated user.
>
> Thanks,
> Colin
>
>
> From: Adam Aube <aaube01@xxxxxxxxu>
> Sent by: news <news@xxxxxxxxxxxrg>
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: squid_ldap_auth and Windows 2003 AD
> Date: 11/10/2005 08:51 AM
>
> Colin Farley wrote:
>
> > We have a few production squid proxy servers running various STABLE
> > versions of squid 2.5 and are encountering some issues as we upgrade our
> > Domain controllers from windows 2000 to windows 2003. The proxy servers
> > query the LDAP directory for user access control.
>
> > Ideally, we would like all proxy servers to use a base dn that allows them
> > to search the entire domain ("dn=domain,dn=lan"), when querying Windows
> > 2000 domain controllers this works perfectly. However, when we point
> > these proxy servers to Windows 2003 domain controllers for LDAP queries
> > squid_ldap_auth fails.
>
> > I have found that if I specify an ou for the base dn it works fine
> > ("ou=site1,dn=domain,dn=lan"). So, it seems that Windows 2003 domain
> > controllers have added security that stops searches beginning from the
> > base of the domain and searches must start within an ou.
>
> Have you configured squid_ldap_auth to bind using a user account?
>
> Adam