Re: [squid-users] Squid - LDAP

From: Tim Neto <tneto@dont-contact.us>
Date: Tue, 14 Feb 2006 10:00:30 -0500

One thing to note: in Windows 2003 Server, Microsoft disables anonymous
LDAP binds by default. Instead of doing an anonymous bind, try testing
your squid_ldap_auth command with options to bind as an authoritative
user. Like:

    /usr/lib/squid/squid_ldap_auth -D Administrator -w Admin_Password -R -b "dc=xx,dc=yyy,dc=uuuu,dc=rrrr" -f sAMAccountName=%s -h 10.239.56.2

Note the -D and -w options.

I do not recommend encoding the Active Directory administrator account
in the squid configuration file. Either set up another authorized
account that has read only permissions, or see Microsoft's documentation
on enabling anonymous binds to a Windows 2003 Active Directory via LDAP.

Tim

-----------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer Komatsu Canada Limited
Ph#: 905-625-6292 x265 1725B Sismet Road
Fax: 905-625-6348 Mississauga, Canada
E-Mail: tneto@komatsu.ca L4W 1P9
-----------------------------------------------------------

Esteban wrote:
> Test if the authenticator works..
> run "/usr/lib/squid/squid_ldap_auth -R -b "dc=xx,dc=yyy,dc=uuuu,dc=rrrr" -f
> sAMAccountName=%s -h 10.239.56.2"
> And enter "Username<SPACE>password<ENTER>". If you get OK the authenticator
> works. If you always get an ERR you should check the configuration of the
> helper / the LDAP server.
>
> And "for testing only" use this Http_access Schema
>
> http_access allow password
> http_access deny all
>
>
>
>> My squid.conf is:
>> .....
>> auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
>> "dc=xx,dc=yyy,dc=uuuu,dc=rrrr" -f sAMAccountName=%s -h 10.239.56.2
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>> .....
>> acl password proxy_auth REQUIRED
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443 563 407
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 407
>> acl CONNECT method CONNECT
>>
>
>
>
>> http_access allow manager localhost
>> http_access allow password
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost
>> http_access deny all
>> ....
>> cache_peer another-proxy.xxxx.com parent 8080 0 proxy-only default
>> #
>>
>> Which is the problem?
>>
>>
>
>
>
>
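An added example, not from this thread: a small POSIX shell driver that feeds a Squid basic-auth helper one "username password" line the way Squid does and reports whether the first word of the reply is OK or ERR. The default HELPER command reuses the -D/-w form from the thread but with a hypothetical read-only bind account (squid-ro / Ro_Password) instead of Administrator; the helper path, base DN and server IP are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): drive a Squid basic-auth helper the
# way Squid does and report whether it answers OK or ERR.
# Squid writes one "username password" line per request to the helper's
# stdin and reads one line back whose first word is OK or ERR.

# Helper command line. Default is the -D/-w form from the thread with a
# hypothetical read-only bind account (squid-ro) instead of Administrator.
# Note that -w puts the bind password on the command line, where any local
# user can read it with ps; override HELPER via the environment for testing.
HELPER="${HELPER:-/usr/lib/squid/squid_ldap_auth -D squid-ro -w Ro_Password -R -b dc=xx,dc=yyy,dc=uuuu,dc=rrrr -f sAMAccountName=%s -h 10.239.56.2}"

# check_auth USER PASSWORD
# Prints OK, ERR or none (helper missing, crashed or silent).
# Exit status: 0 for OK, 1 for ERR, 2 for none.
check_auth() {
    user=$1
    pass=$2
    # $HELPER is intentionally unquoted so it splits into command + options.
    reply=$(printf '%s %s\n' "$user" "$pass" | $HELPER 2>/dev/null | head -n 1)
    verdict=${reply%% *}   # first word only; ERR may carry a message after it
    case "$verdict" in
        OK)  echo "OK";   return 0 ;;
        ERR) echo "ERR";  return 1 ;;
        *)   echo "none"; return 2 ;;   # check helper path, options, LDAP host
    esac
}

# Command-line use: ./check_auth.sh username password
if [ $# -eq 2 ]; then
    check_auth "$1" "$2"
fi
```

A persistent "none" means the helper itself is not running correctly (wrong path or options, or the LDAP server unreachable), which is a different problem from the ERR that a rejected bind or lookup produces.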
Received on Tue Feb 14 2006 - 08:01:19 MST
