Following up on myself...

On Fri, Mar 02, 2012 at 01:59:27PM +1030, Brett Lymn wrote:
>
> At the moment I am looking at setting up a LDAP proxy for the upstream
> to query and then use login=*:password in squid. This should allow me
> to make the upstream proxy believe it is authenticating so that it has
> the username it wants.
>

OK, I have good news/bad news about this approach.

The good news is with the help of:

http://www.openldap.org/lists/openldap-software/200010/msg00097.html
http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/13.html

I was able to create a shell backend. The script in the first link didn't work well with the version of openldap I had, but a merging of bits of scripts from both pages gave me a working lookup. My shell script just returns "OK" to a bind request. This gives the upstream proxy what it wants to do "authentication". In the squid.conf I just use "login=*:password" to feed the username and fixed password to the upstream. This works fine: squid passes up the username, the upstream looks in ldap, ldap says "ok". Happy days.

The bad news is that even though the username gets validated by the upstream, when it does the logging only the accesses using basic authentication work. Accesses using kerberos authentication work _but_ the username is missing from the upstream reporting logs. It _is_ happy with the auth but, for reasons best known to itself, the details don't get fed into the log *sigh*.

I did a bit of a troubleshoot on this and found that when using kerberos the username is "user@xxxxxx.DOMAIN". My ldap script just strips the domain and feeds back the DN for the user fine, but the upstream won't report the user to its logging server. I tested this by changing the squid.conf to have "login=*@OUR.AD.DOMAIN:password" and then the upstream fails to log the user when basic authentication is used, just like the kerberos case. So, it seems that I need to strip the username back to just a bare name.
From what Amos said earlier it seems I can do this with an external acl. If I use this acl will the username be available for login=*? Or do I need to use login=PASS? If I use login=PASS will I still get authentication on squid as well? (I really need squid to auth the client.) Or is there another way I can mangle the username to my needs?

--
Brett Lymn
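As an added example of the external ACL route the post is asking about (this is not Brett's script and not part of the Squid project), here is a minimal Squid external_acl_type helper that strips the Kerberos realm from the login name and hands the bare name back with the `user=` result key. The squid.conf lines in the docstring, the helper path and the ACL names are assumptions for illustration; the helper speaks the plain "OK/ERR" line protocol on stdin/stdout and understands the optional leading channel-id that Squid prepends when `concurrency=` is set.

```python
#!/usr/bin/env python3
"""Squid external_acl helper: return the login name without its Kerberos realm.

Assumed squid.conf fragment (illustrative, adjust to your setup):

  external_acl_type bare_user ttl=300 %LOGIN /usr/local/bin/strip_realm.py
  acl bare_user_ok external bare_user
  http_access allow bare_user_ok
  cache_peer upstream.example.com parent 3128 0 no-query login=*:password

Squid writes one request per line ("[channel-id] user@REALM") and expects
one reply line: "[channel-id] OK user=<bare name>" or "[channel-id] ERR".
"""
import sys


def bare_username(principal: str) -> str:
    """Return the user part of user@REALM; names without '@' are unchanged."""
    name, sep, _realm = principal.partition("@")
    return name if sep else principal


def handle_line(line: str) -> str:
    """Build the reply for one helper request line."""
    tokens = line.strip().split()
    if not tokens:
        return "ERR"

    channel = ""
    # With concurrency=N Squid prefixes every request with a numeric channel id
    # that must be echoed back unchanged.
    if len(tokens) > 1 and tokens[0].isdigit():
        channel = tokens[0] + " "
        tokens = tokens[1:]

    login = tokens[0]
    # Squid substitutes "-" for a missing %LOGIN value (unauthenticated request).
    if login == "-":
        return channel + "ERR"

    bare = bare_username(login)
    if not bare:
        return channel + "ERR"
    # user= overrides the request's user name for logging and for login=* peers.
    return f"{channel}OK user={bare}"


if __name__ == "__main__":
    # Line-at-a-time loop; flush so Squid sees the reply immediately.
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()
```

Whether `login=*:password` then sends the helper-supplied bare name or the name from the Kerberos authentication is something to verify against the Squid version in use (for example by watching the Proxy-Authorization header that reaches the upstream), since that precedence is not stated in the thread.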