I'm still having this problem and hope that someone might be able to point me in the right direction. Below I have included more details:

using squid_ldap_auth from command line to query 2003 DC:

$ sudo /usr/local/squid/libexec/squid_ldap_auth -b "dc=mydomain,dc=net" -h 192.168.x.y -p 389 -D "cn=Squid,ou=IT,ou=Users,ou=site1,ou=subcompany,dc=mydomain,dc=net" -w password -f "sAMAccountName=%s" -d
user.name password
user filter 'sAMAccountName=user.name', searchbase 'dc=mydomain,dc=net'
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR Success
^C
$ sudo /usr/local/squid/libexec/squid_ldap_auth -b "ou=subcompany,dc=mydomain,dc=net" -h 192.168.x.y -p 389 -D "cn=Squid,ou=IT,ou=Users,ou=site,ou=subcompany,dc=mydomain,dc=net" -w password -f "sAMAccountName=%s" -d
user.name password
user filter 'sAMAccountName=user.name', searchbase 'subcompany,dc=mydomain,dc=net'
attempting to authenticate user 'CN=user.name,OU=SystemAdmins,OU=IT,OU=Users,OU=site1,OU=subcompany,DC=mydomain,DC=net'
OK
^C
$

You can see above that I get "ERR Success" if I use the base of the domain for the base dn but it works fine if I specify an OU. If I do these queries on a Windows 2000 DC both are successful. I have tested squid_ldap_group and it behaves exactly the same.

Any help is greatly appreciated.

Thanks,
Colin

----- Forwarded by Colin Farley/COMPUBank on 11/15/2005 11:10 AM -----

From: Colin Farley <Colin.Farley@ecarecenters.com>
Date: 11/10/2005 02:32 PM
To: Derrick MacPherson <dmacpherson@xxxxxxxxxxxx>, squid-users@xxxxxxxxxxxxxxx
cc:
Subject: Re: Re: squid_ldap_auth and Windows 2003 AD

Yes, I can in some cases. If I am querying windows 2003 DC and the base DN is the base of the domain ("dn=domain,dn=lan") then I get the following:

squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR Success

But if I specify an ou ("ou=site1,dn=domain,dn=lan") then it works correctly. If I query a Windows 2000 DC then it works either way.
Colin

Hi Colin, I had a tough time with getting the syntax, can you do command line lookups using squid_ldap_auth ?

On Thu, 2005-11-10 at 11:29 -0600, Colin Farley wrote:
> Yes, I have. The searches are being performed by an authenticated user.
>
> Thanks,
> Colin
>
> From: Adam Aube <aaube01@xxxxxxxxu>
> Sent by: news <news@xxxxxxxxxxxrg>
> Date: 11/10/2005 08:51 AM
> To: squid-users@xxxxxxxxxxxxxxx
> cc:
> Subject: Re: squid_ldap_auth and Windows 2003 AD
>
> Colin Farley wrote:
>
> > We have a few production squid proxy servers running various STABLE
> > versions of squid 2.5 and are encountering some issues as we upgrade our
> > Domain controllers from windows 2000 to windows 2003. The proxy servers
> > query the LDAP directory for user access control.
> >
> > Ideally, we would like all proxy servers to use a base dn that allows them
> > to search the entire domain ("dn=domain,dn=lan"), when querying Windows
> > 2000 domain controllers this works perfectly. However, when we point
> > these proxy servers to Windows 2003 domain controllers for LDAP queries
> > squid_ldap_auth fails.
> >
> > I have found that if I specify an ou for the base dn it works fine
> > ("ou=site1,dn=domain,dn=lan"). So, it seems that Windows 2003 domain
> > controllers have added security that stops searches beginning from the
> > base of the domain and searches must start within an ou.
>
> Have you configured squid_ldap_auth to bind using a user account?
>
> Adam