Re: [squid-users] Help with LDAP authentication

From: Fernando Maior <fernando@dont-contact.us>
Date: Thu, 11 Sep 2003 09:05:29 -0400

Citando Christopher Joles <CJoles@proteabhs.com>:
 
> Good Morning!
>
> I am relatively new to squid. However, I have been reading over previous
> postings and have read through the man files a couple of times.
>
> With that said, I am trying to do exactly what a lot of other people before
> me have done, authenticate a squid cache via a windows 2000 ldap server.
>
> For the record, I am using a RedHat 9 install, with squid that was installed
> by default. I believe it is 2.5Stable1.
>
> Now, again with that said, I have successfully communicated with the ldap
> box with ldap search using the following syntax:
>
> Ldapsearch -x -h 192.168.0.123 -b dc=proteabhs,dc=com -D
> cn=squiduser,cn=Users,dc=proteabhs,dc=com -w *********
>
> I have successfully communicated with squid_ldap_auth with the following
> syntax:
>
> Squid_ldap_auth -p -R -b dc=proteabhs,dc=com -D
> cn=squiduser,cn=Users,dc=proteabhs,dc=com -w ********* -f sAMAccount=%s
> objectClass=Person -h 192.168.0.123
>
> I then type in a user name and a password and I receive the OK return.
>
> Now, with that all out of the way, I have put the same syntax into my
> squid.conf file and when I try to browse the net, I do receive the login
> box,
> however, my password is never accepted. It loops 3 times and then displays
> the default page stating that I must authenticate prior to accessing the
> page.
>
> From reading the man page, I have noticed that I could try using the
> following syntax:
> Squid_ldap_auth -p -R -b dc=proteabhs,dc=com -D
> cn=squiduser,cn=Users,dc=proteabhs,dc=com -w ********** -f
> (&(sAMAccount=%s)(objectClass=Person)) -h 192.168.0.123
> Notice the changes to (&(sAMAccount=%s)(objectClass=Person)) . I have tried
> this and it did not work.
> I have also tried :
> Squid_ldap_auth -p -R -b "dc=proteabhs,dc=com" -D
> "cn=squiduser,cn=Users,dc=proteabhs,dc=com" -w "***********" -f
> (&(sAMAccount=%s)(objectClass=Person)) -h 192.168.0.123 which did not work.
>
> I know from the command line, all is working fine. It must be a syntax
> issue, however, from what I can tell I'm entering it all correctly.
> Any help will be greatly appreciated. I also have used a program called
> ldapbrowser to connect and view the ldap tree. This too works just fine.
>
> PS, please don't tell me to read the man pages <grin>, I have, over and over
> again.
>
> Christopher J. Joles
> Chief Information Officer
>
> PROTEA Behavioral Health Services
> 187 Exchange St.
> Bangor, ME 04401
> Phone: (207)992-7010 Ext: 245 Fax:(207)992-7011
>
 
I have a site running squid-ldap authentication smoothly.
What you have is:
 
1st: Inform Squid about authentication program
     and parameters (/etc/squid/squid.conf)
 
auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldap.intranet.dasa
-b "ou=Users,o=DASA" -f "(&(internetAccess=enabled)(uid=%s))"
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
 
2nd: Tell Squid about ACLs for authentication
 
acl AuthenticatedUsers proxy_auth REQUIRED
 
3rd: Allow access to the authenticated users, just below
     # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 
http_access allow AuthenticatedUsers
 
Have Fun!
 
Bye,
Fernando Maciel Souto Maior
fernando@araujo.com.br
http://www.araujo.com.br
+55+31 3270-5886
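Both messages above test squid_ldap_auth interactively, but Squid itself drives the helper over a very simple line protocol: one "user password" line (URL-encoded) on stdin per request, and a bare "OK" or "ERR" back on stdout. The helper then does two LDAP operations, a search with the -f filter (%s replaced by the login name) to find the user's DN, and a bind as that DN with the supplied password. The following is an added example, not code from the thread or from the Squid project: it models that round trip against an in-memory stand-in for the directory so the flow can be traced offline. Everything in it is constructed (the base DN, users and passwords), and it assumes the Active Directory attribute name sAMAccountName in the filter. It also shows the check a practitioner wants from any helper that builds a filter from user input: the login name is RFC 4515-escaped before substitution, so a name such as "*" cannot turn the search into a wildcard, and an empty password is refused rather than passed to the server as an anonymous bind.

```python
"""Model of one Squid basic-auth helper round against an LDAP-like directory.

Added example (not the Squid project's own helper code). Squid writes
"<user> <password>" on the helper's stdin and reads "OK" or "ERR" back.
All directory contents below are constructed sample data.
"""
import re
from urllib.parse import unquote

# RFC 4515: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Substitute %s the safe way: escape the login name before inserting it."""
    return template.replace("%s", escape_filter_value(username))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


_EQ = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def parse_simple_filter(flt: str):
    """Parse '(attr=value)' or '(&(a=v)(b=w))' into [(attr, raw_value), ...].

    Only the conjunctive equality form used in the thread is modelled; anything
    else returns None so the caller answers ERR instead of guessing.
    """
    inner = flt[2:-1] if flt.startswith("(&") and flt.endswith(")") else flt
    terms = _EQ.findall(inner)
    if "".join(f"({a}={v})" for a, v in terms) != inner:
        return None
    return [(a.lower(), v) for a, v in terms]


def _matches(attr_value: str, filter_value: str) -> bool:
    """Exact, case-insensitive match; an unescaped '*' is a wildcard, as on a real server."""
    parts = [re.escape(_unescape(p)) for p in filter_value.split("*")]
    return re.fullmatch(".*".join(parts), attr_value, re.IGNORECASE) is not None


class FakeDirectory:
    """Stand-in for the LDAP server: {dn: {"attrs": {...}, "password": "..."}}."""

    def __init__(self, entries):
        self.entries = entries

    def search_one(self, base_dn: str, flt: str):
        terms = parse_simple_filter(flt)
        if terms is None:
            return None
        for dn, entry in self.entries.items():
            if not dn.lower().endswith(base_dn.lower()):
                continue
            if all(_matches(entry["attrs"].get(a, ""), v) for a, v in terms):
                return dn
        return None

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and password != "" and entry["password"] == password


def helper_check(line: str, directory: FakeDirectory, base_dn: str, filter_template: str) -> str:
    """One helper round: the stdin line in, 'OK' or 'ERR' out."""
    try:
        user, password = line.rstrip("\n").split(" ", 1)
    except ValueError:
        return "ERR"
    user, password = unquote(user), unquote(password)  # Squid URL-encodes both fields
    if not user or not password:  # an empty password would be an anonymous bind; never accept it
        return "ERR"
    dn = directory.search_one(base_dn, build_filter(filter_template, user))
    if dn is None:
        return "ERR"
    return "OK" if directory.bind(dn, password) else "ERR"


# Constructed sample directory (assumed names; not the poster's domain).
BASE_DN = "dc=example,dc=test"
FILTER = "(&(sAMAccountName=%s)(objectClass=person))"
DIRECTORY = FakeDirectory({
    "cn=alice,cn=Users,dc=example,dc=test": {
        "attrs": {"samaccountname": "alice", "objectclass": "person"}, "password": "s3cret"},
    "cn=squiduser,cn=Users,dc=example,dc=test": {
        "attrs": {"samaccountname": "squiduser", "objectclass": "person"}, "password": "bindpw"},
})

if __name__ == "__main__":
    for line in ("alice s3cret", "alice wrong", "alice ", "* s3cret"):
        print(repr(line), "->", helper_check(line, DIRECTORY, BASE_DN, FILTER))
```

The last two sample lines are the defensive cases: a missing password and a wildcard login name both answer ERR. Without escaping, the same "*" would match the first person entry under the base DN, which is why the filter value is escaped before it goes anywhere near the directory.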

DISCLAIMER---------------------------------------
This message may contain confidential and/or privileged information.
If you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose or take any action based
on any information herein. If you have received this message in
error, please advise the sender immediately by replying to this
e-mail and delete this message. Thank you for your cooperation.

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
Received on Thu Sep 11 2003 - 07:34:29 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:19:39 MST