What's worked for me with squid 2.7.STABLE6 on CentOS 5.3 to edirectory was this:

auth_param basic program /usr/lib/squid/squid_ldap_auth -H ldap://FQDN.EDIR.SERVER -Z -b o=<Tree Name> -s sub -f "(&(objectClass=person)(uid=%s))"
external_acl_type edir-group %LOGIN /usr/lib/squid/squid_ldap_group -Z -D cn=someuser,o=PSC -w userpass -b o=<Tree Name> -s sub -f (&(objectClass=person)(uid=%u)(groupMembership=cn=%g,o=<Tree Name>)) -H ldap://FQDN.EDIR.SERVER

acl auth_users proxy_auth REQUIRED
acl InetGroup external edir-group INTERNET_BANNED
deny_info deny-inet InetGroup

http_access deny InetGroup
http_access allow auth_users
http_access deny all

That's the guts of my config file that checks edir for valid user/passwd and then checks to see if they're a member of a group that has internet privileges disabled. A lot of it will be figuring out at what level of the tree you want to start your searches and what attributes you want to filter on. That's usually unique per your setup. Creating a filter to search your edir schema is the hardest part of getting LDAP auth working by a long ways.

Here's what I use to check edir searches and what squid would see.

[root@proxy4 /]# ldapsearch -x -H ldap://FQDN.EDIR.SERVER -Z -b o=<Tree Name> -D cn=someuser,o=<Tree Name> -w userpass -s sub '(&(objectClass=person)(uid=someuser))' uid sn givenname
# extended LDIF
#
# LDAPv3
# base <o=TREE> with scope subtree
# filter: (&(objectClass=person)(uid=someuser))
# requesting: uid sn givenname
#

# someuser, TREE
dn: cn=someuser,o=TREE
uid: someuser
sn: Some User

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

In the /etc/openldap/ldap.conf, I also had to add a few things. This might be CentOS/RHEL specific though and I don't remember why I did this to start with. More than likely something to do with TLS on Netware. I added:

ssl start_tls
ssl on
TLS_REQCERT never

Hope something there helps.
It's not single sign on like your initial request, but hopefully it will get you authenticating against edirectory. I'd be interested if you come up with a solution for SSO or auto-logins myself.

Rob

-------------------------------------
Rob Asher
Network Systems Technician
Paragould School District
(870)236-7744 Ext. 169

>>> Dale Mahalko <dmahalko@xxxxxxxxx> 9/22/2009 1:31 PM >>>
The problem with most LDAP-auth examples is that they are written for Active Directory, and they assume the reader is an expert at understanding LDAP syntax. As such the following appears to be meaningless with Novell eDirectory:

uid=some-user,ou=People,dc=yourcompany,dc=com

We don't have domain controllers in novell's eDir, so "dc=" appears to be the wrong identifier for Novell's LDAP. Instead, we have this thing called the Tree and the Org at the top level. I've played with trying random guesses like "cn=foo,ou=accounts,o=myorg,t=mytree" and it doesn't work. I don't know where to find a list of all valid LDAP identifiers (cn=, dc=, etc) so I don't know what syntax to use. And does using "uid=" or "cn=" make a difference with AD vs eDir?

Also, what's with the commas and periods in LDAP vs Novell? Does it matter?

Novell eDirectory: cn=user.ou=orgunit.o=org.t=tree
LDAP: uid=some-user,ou=People,dc=yourcompany,dc=com

Will either work, or must the delimiter be a comma with LDAP?

Novell eDirectory permits spaces in the names of objects. How do you deal with spaces in LDAP objects from the command line? Do you wrap the individual item with quotes or the whole LDAP path/context in quotes?

Also what is the debug option in the LDAP authenticator supposed to be used for? It does not appear to generate any useful output. I am looking for extensive debugging information to tell me why and how exactly it is or isn't working, like this:

Connecting to LDAP server: foo.company.com (10.0.0.10) ...
** Connected.
Using authenticated bind with user: cn=user.ou=accounts.dc=somewhere
With password: foo
** Successful authenticated bind.
Searching tree using matching pattern: "cn=%s"
** Actual search pattern: "cn=(whatever %s means)"
Found the following match: (etc)

Getting only "ERR Success" as a response is quite unhelpful for an LDAP-noob to figure out what is wrong.

If I get answers to these questions I'll probably put it into the wiki page..
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap

- Dale Mahalko

On Tue, Sep 22, 2009 at 6:23 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> We have a generic LDAP how-to which may or may not be useful to you...
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap
>
>
> Recent squid releases bundle an eDirectory helper for doing secure encrypted
> digest authentication. That auth method is also growing in its support from
> browsers etc.
>
> Hopefully someone with a bit more experience in these auth methods will
> speak up. This should give you a place to start searching anyway. Good luck.
>

----------
This message has been scanned for viruses and dangerous content by the Paragould School District MailScanner, and is believed to be clean.
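Added illustration, not squid's own helper code and not from any poster in the thread: it shows what Dale's "whatever %s means" question comes down to, by expanding the two filter templates from Rob's squid.conf the way squid_ldap_auth (%s) and squid_ldap_group (%u, %g) substitute the login and group name, with RFC 4515 escaping applied so a login containing filter metacharacters still matches only one literal uid. The tree name o=TREE is a constructed placeholder standing in for <Tree Name>.

```python
"""Expand squid_ldap_auth / squid_ldap_group filter templates with escaping.

Illustrative code, not squid's helper source.  Templates are the ones from the
thread; the tree name is a constructed placeholder.
"""
import re
from typing import Optional

TREE = "o=TREE"  # constructed placeholder for o=<Tree Name>
AUTH_FILTER = "(&(objectClass=person)(uid=%s))"
GROUP_FILTER = "(&(objectClass=person)(uid=%u)(groupMembership=cn=%g," + TREE + "))"

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value so they are matched literally and cannot change the
# structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, login: str, group: Optional[str] = None) -> str:
    """Replace %s/%u with the login and %g with the group, each escaped."""
    values = {"s": login, "u": login, "g": group}

    def sub(match: re.Match) -> str:
        key = match.group(1)
        if values.get(key) is None:
            raise ValueError(f"placeholder %{key} has no value for this template")
        return ldap_filter_escape(values[key])

    return re.sub(r"%([sug])", sub, template)


def filter_is_balanced(flt: str) -> bool:
    """Sanity check: raw parentheses must balance; escaped ones do not count."""
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    print(expand_filter(AUTH_FILTER, "someuser"))
    print(expand_filter(GROUP_FILTER, "someuser", "INTERNET_BANNED"))
    # A login with '*' or parentheses is escaped and matched literally:
    print(expand_filter(AUTH_FILTER, "some*user)(cn=x"))
```

The first two printed filters are exactly what Rob's ldapsearch test and the group check send to eDirectory for user someuser; compare them against the "# filter:" line in the ldapsearch output when a helper returns only "ERR".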