Re: Squid 2.2 and Novell 5 NDS

From: Jon Doyle <jon@dont-contact.us>
Date: Sun, 26 Dec 1999 13:30:58 -0800

I know Novell has NDS eDirectory out now. Free Upgrade if you
have a valid Serial to enter in the Web Form. I loaded
eDirectory on Netware 5 and some NT Boxes. It went smooth. Be
sure to rebuild the Schema as per the Readme dependent upon
your version of NDS. There are three NLM's included to rebuild,
one for NDS that shipped with NW5, one for NDS 8 etc.

I would grab this for LDAP as it is free.

Regards,

Jon

<<< David J N Begley <david@avarice.nepean.uws.edu.au> 12/24 3:19a >>>
Earlier today, Adrian Eurell wrote:

> I have been asked the question, is it possible to use squid (On Solaris
> 2.6 platform) and have the Squid user authentication information come from
> Novell's NDS database. I am interested to know if it is possible and
> maybe anyone who has done it.

Is it possible? Yes. Has anyone done it? Not successfully, AFAIK (in my
case, I have no need so I've never bothered trying).

Essentially, Squid authenticates via an external authentication programme; as
long as that external authentication programme can communicate with an NDS
server, you can authenticate users that way.

The two most common ways of communicating with an NDS server are via NDS'
native protocols, or via LDAP; depending on your setup (and available
software solutions), you can either communicate directly with the NDS server
simply for the purposes of authenticating a Squid user, or your external
authentication programme can simply piggy-back on another API (e.g., PAM) that
provides authentication support.

PAM (pluggable authentication modules) permit configuring different
authentication sources for different PAM-aware applications; in this case,
you'd use a PAM-based external authenticator with Squid and configure both it
and your system to communicate with the NDS server (even if other
applications on the system did not).

Beware, though, that Solaris 2.6 has a PAM bug (and Sun is unwilling to
release a fix) that means any PAM-aware application actually has to be coded
around the API spec in order for authentication to work (Sun claims Solaris 7
is fixed, but I haven't checked).

If using NDS' native protocols, Novell sells "NDS for Solaris" that provides
both a PAM and an NSS module for communicating with a standard NetWare NDS
server. There may be open source modules floating around offering similar
functionality, but the last I heard they concentrated mainly on NetWare 3 and
maybe 4 in bindery compatibility, but not NetWare 5 (anyone have any newer
news on this?).

If you want to try your hand at using LDAP and are running the latest
version/SP of NetWare 5 (i.e., NDS 8 SP1 - you'd have to be extremely lucky and
undemanding in order to get NetWare 4 working with LDAP), you could use the
open source PAM and NSS modules from PADL Software (www.padl.com) that
communicate with a remote LDAP server; for this, you'll probably need to add
additional object classes and attributes to your NDS server, but "it can be
done" (that is authentication against NDS via LDAP).

The documentation is really starting to age (I must get around to updating it
one of these days), but a starting point that may help is here:

  http://www.nepean.uws.edu.au/users/david/qn99/

It encompasses using NDS (NetWare 5/NDS8) for storing user information and
authenticating/lookups from Solaris 2.6 using LDAP; it won't provide
everything you need for a Squid solution, but if you can get the users into
the NDS (and make them visible via LDAP, if that's your chosen path), then
being able to successfully authenticate using LDAP command line tools will
take you over 80% of the way towards getting Squid authentication working.

Cheers..

dave

                        
Received on Sun Dec 26 1999 - 14:45:47 MST
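
Added example (not part of the original messages, and not Squid's or Novell's code): a minimal external authenticator of the kind described above, written in Python. It assumes Squid's line-based helper protocol (one "username password" line on stdin, "OK" or "ERR" on stdout, fields URL-escaped as in later Squid releases); BASE_DN, the cn= naming and fake_bind are constructed stand-ins for a real LDAP simple bind against the NDS server.

```python
import sys
from urllib.parse import unquote

BASE_DN = "ou=users,o=example"  # constructed placeholder container

def escape_rdn_value(value):
    """Escape a DN attribute value (RFC 4514) so input cannot add RDNs."""
    out = []
    for i, ch in enumerate(value):
        edge = i in (0, len(value) - 1)
        if ch in ',+"\\<>;=\x00' or (ch == " " and edge) or (ch == "#" and i == 0):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def check_line(line, bind):
    """Answer one 'username password' request line with 'OK' or 'ERR'."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = unquote(parts[0]), unquote(parts[1])
    # A simple bind with an empty password is an unauthenticated bind that
    # many LDAP servers accept, so refuse it before contacting the server.
    if not user or not password:
        return "ERR"
    dn = "cn=%s,%s" % (escape_rdn_value(user), BASE_DN)
    try:
        return "OK" if bind(dn, password) else "ERR"
    except Exception:
        return "ERR"  # fail closed on any directory error

def serve(bind, stdin=sys.stdin, stdout=sys.stdout):
    """Helper loop: one reply line per request line."""
    for line in stdin:
        stdout.write(check_line(line, bind) + "\n")
        stdout.flush()  # Squid blocks on each reply, so never buffer

# Constructed stand-in for the directory; a real helper would perform an
# LDAP simple bind as `dn` here with an LDAP client library (assumption).
FAKE_DIRECTORY = {"cn=adrian,ou=users,o=example": "s3cret pass"}

def fake_bind(dn, password):
    if password == "":
        return True  # mimics a server that accepts unauthenticated binds
    return FAKE_DIRECTORY.get(dn) == password

if __name__ == "__main__":
    serve(fake_bind)
```

The empty-password check and the DN escaping are the two points that matter when the bind target is a directory: without them a blank password or a crafted username can authenticate as something other than the intended user entry.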

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:50:06 MST