At last I got squid_ldap_auth with squid_ldap_group to authenticate and authorize against the MSAD. Thanks a lot for tips. What I ultimately would like to have is a situation when it only takes to match the group membership to get access to the Internet, and NO authentication is required. The userId accessing the Internet should be still recorded in the access.log Any suggestions on this? Thank you very much! -----Original Message----- From: Meyerovich Aleksandr EB_NY Sent: Tuesday, January 17, 2006 5:20 PM To: 'squid-users@xxxxxxxxxxxxxxx' Subject: FW: SOS with squid_ldap_auth !! Importance: High One more question!! If there's no option to tell the "configure" under squid where openldap is installed where then openldap should be installed so that squid can find it? Which options openldap should be built with to support native AD domain (no NTLM) with Kerberos bind? Any help greatly appreciated!! -----Original Message----- From: Meyerovich Aleksandr EB_NY Sent: Tuesday, January 17, 2006 3:14 PM To: 'squid-users@xxxxxxxxxxxxxxx' Subject: SOS with squid_ldap_auth !! What would be the right openldap version for the following combination: RedHat 8.0 (2.4.18-14) and Squid 2.5.STABLE4-20031110. When compiling Squid with enable ....ldap.... options how to specify an alternate openldap location. Do squid_ldap_auth and squid_ldap_group support Kerberos bind? How to make Kreberos bind? Ldapsearch with this parameters returns what I need: ./ldapsearch -b "dc=my,dc=domain" -D "user@xxxxxxxxx" -w "password" "sAMAccountName=SomeGroupName" -h server. Squid_ldap_auth with the same options/filters returns ERR. Thanks a lot, Alex -----Original Message----- From: Henrik Nordstrom [mailto:hno@xxxxxxxxxxxxxxx] Sent: Friday, January 13, 2006 6:14 PM To: Meyerovich Aleksandr EB_NY Cc: Squid Users Subject: Re: SOS with squid_ldap_auth !! On Fri, 13 Jan 2006, Meyerovich Aleksandr EB_NY wrote: > Are there any debugging switches for squid_ldap_auth to get something > more descriptive than ERR? -d gives you some details. But there isn't much it can give. Most operations is of "works/fails" nature mainly depending on getting the configuration right. There is only two configuration steps involved: 1. The binddn needs to be correct. (-D -w options) 2. The search filter needs to find/match the users correctly. (-b -f options, and perhaps -R) Most of the other options are not relevant in MSAD setups. > - I can reach the MSAD LDAP server by short name as well as FQDN > - squid_ldap_auth compiled with no problems: > ldd squid_ldap_auth > - I tried all example formats in the manual page with filters and > without > - tried cn attr as well as sAMAccountName > - With -D and -w and without. Have you got the search bind DN and password correct? Most MSAD setups won't give you much information at all unless you first authenticate to the AD.. On the nice side it seems you can use shortnames (i.e. user@xxxxxxxxxxxxxx) as the binddn. If you are in doubt I recommend first exploring your MSAD with LDAP tools. It is a lot easier to understand what is required to get squid_ldap_auth running smoothly if you first get normal LDAP tools working right... Regards Henrik
