Re: squid + auth ldap

Felipe Augusto van de Wiel <felipe.wiel@xxxxxxxxxx> · Wed, 16 Jun 2010 17:55:37 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 16-06-2010 14:44, maximatt wrote:
> i try to config squid to authenticate with two ldap servers... but i
> have some isues.... so...

You can find one example in the wiki ConfigExamples:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/MultipleSources

> -  ¿squid_ldap_auth can resolve via dns the ldap host?

	That's an interesting question.

> -  ¿squid_ldap_auth support multiple ldap servers?

	I don't think so.

	At our company, we recently had a request to add
AD as a source of user+passwd to a configuration that was
authenticating against OpenLDAP.

	Instead of using the above example, we hacked a
shell scripts that does something similar without the
need of an external_acl, it is not elegant and it can
quickly overload your server, but it can work:

while [ 1 ]; do
        read TOKEN
        U="${TOKEN%% *}"
        P="${TOKEN#* }"

        if $somecondition; then
                echo $TOKEN | /usr/lib/squid3/squid_ldap_auth -v 3 \
                -b "dc=base,dc=example,dc=org" \
                -D cn=squid-connector,dc=base,dc=example,dc=org \
                -w passwordA \
                -f "(&(uid=$U)(proxyAccess=TRUE))" serverA
        else
                echo $TOKEN | /usr/lib/squid3/squid_ldap_auth -v 3 -R \
                -b "dc=base,dc=example,dc=net" \
                -D "cn=squid-connector,dc=base,dc=example,dc=net" \
                -w passwordB \
                -f 'sAMAccountName=%s' serverB
        fi
done

	This scripts is working nicely. :)

	You could easily adapt it to query servers in
order, try 1, if it fails, try 2 and so on.

Kind regards,
- -- 
Felipe Augusto van de Wiel <felipe.wiel@xxxxxxxxxx>
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/    T: +55 41 3310 1747
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCgAGBQJMGTpGAAoJECCPPxLgxLxP4IEP/1Y/rMXyiz1QJn45EUZqUnre
laLVkTG/XCsx6cYQ/F6/LeDR2FY8Pou73Kkn09QkdKCgHRTqGn6IL0nN4Gtf3Drf
On/1xUa5mcGSsf4WgwONiafMTlRxDu7PDfH5EI9YOUOGTgbY0bKH4+nqGhK8hiTd
dcrrVB3H1v50/8Is4Fo9IbG4ZKKR/Q/HyBYfX6uRm16rbUpB57S+pOOpjFW0PTrD
BfHHdgN5SFZAl/S59PsLOYBQnKOMHLWZwz0d+xenCOu0X/W4N5NeaJRt3qITiVIQ
P0mYElMzleWX3LksMBkLU0wquClpmIvSt+OqPQjFKBdGRnqp16E9n9mCsp2uR7oC
g3vqX6ZXr9o7YNi70sb+bqGj0xZ8Xf4M2h1P2lKMuKfxKFwhA2OcS3vbd5W5dgOC
84soL0Z9L4spdDB4SPiM/faUvVGb40YP1OFM1b6ae/0FBKIAkdriwMTfXi/kOJsD
I7lMhMA/kszO1R7z02KaV93T/dKSoTZPlgEbh+SyiTd/JSoO6cboNPGlgj6kFp4o
5rEnmYkTTSVCOqXAKcJ+nE7YjO3SMocK5scrEpGJwkjDxLTPm5Prb9aeDU74SzhR
gBUi1o6kUtdVo0WffPQYkRMO6Iuo9sYzKBhHIz0M/ao2G6MtF4CnHZTaxa92B+n1
RSXdQv3xC2ihxbKcB6vZ
=1wJp
-----END PGP SIGNATURE-----