Re: [squid-users] Squid - Domino LDAP Auth (and a little Websphere SSO)

From: Chris Mitchell <sw@dont-contact.us>
Date: Fri, 30 Nov 2007 10:18:51 +1100 (EST)

Happy to do it if it'll make this exercise easier; any particular reason
why?

Regards,

Chris Mitchell

On Fri, 30 Nov 2007, Amos Jeffries wrote:

>>
>> Greetings,
>>
>> Have a bit of a problem trying to get Squid authentication working against
>> a Lotus Domino LDAP directory. The actual authentication part is OK, if I
>> want everyone in my Domino directory to have access through Squid it is
>> not a problem, the real issue arises when I try to filter it based on
>> group membership.
>>
>> I have been through all the past mailing list articles in regards to this
>> topic, and I've tried a whole bunch of different things, and I'm not
>> having any luck (my LDAP skills are weak)
>>
>> Taking a step back, what I'm actually trying to achieve here is single
>> sign on between IBM Websphere Portal 6.0 and Squid (2.5.STABLE3), so that
>
> Step 1) upgrade your squid to latest release. 2.5 is way obsolete.
>
>> after my users sign on to Portal, they are not prompted for their internet
>> password when they try to visit external sites linked from the portal.
>> Websphere is already using the Domino LDAP for user authentication, so I
>> figured that getting the 2 apps authenticating from the same place is a
>> good start.
>>
>> Please find below the relevant pieces of my current squid.conf, if anyone
>> could shed any light as to what I'm doing incorrectly here, it would be
>> greatly appreciated.
>>
>>
>> --------------------------------------
>>
>> # TAG: auth_param
>>
>> auth_param basic program /usr/lib/squid/squid_ldap_auth -b "" -f uid=%s xx.xx.xx.xx
>> --------------------------------------
>> # TAG: external_acl_type
>>
>> external_acl_type inetusers %LOGIN /usr/lib/squid/squid_ldap_group -b "" -f "(&(cn=%g)(objectClass=groupOfNames)(member=%u))" -F "(&(uid=%s)(objectClass=Person))" xx.xx.xx.xx
>> --------------------------------------
>> # TAG: acl
>>
>> acl ldap_password proxy_auth required
>> acl inet_users external inetusers ProxyUsers
>> --------------------------------------
>> # TAG: http_access
>>
>> http_access allow inet_users
>> http_access allow localhost
>> http_access deny all
>> --------------------------------------
>>
>> I hope that this is enough information to show what it is that I am doing,
>> I'm pretty sure those are all the relevant bits. Note that without the
>> external ACL, the authentication works perfectly. I would like to restrict
>> access to members of the LDAP group "ProxyUsers".
>>
>> I look forward to any assistance.
>>
>> Regards,
>>
>> Chris Mitchell
>>
>>
>>
>
>
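To see how the two filters in the quoted squid.conf are combined before blaming the directory, here is an added example (not from the thread, and not Squid's own squid_ldap_group code) that speaks the same "user group" stdin / OK-ERR stdout protocol against a small constructed in-memory directory. It assumes that with -F the helper first resolves the login name to a DN and then substitutes that DN for %u in the -f group filter; it does no LDAP value escaping and understands only (&...) and (attr=value) terms.

```python
"""Stand-in for squid_ldap_group (constructed in-memory directory, not live LDAP)."""
import re, sys
# Constructed sample entries (DN -> attributes); not a real Domino export.
DIRECTORY = {
    "CN=Chris Mitchell,O=Example": {"uid": ["cmitchell"], "objectClass": ["Person"]},
    "CN=Jane Doe,O=Example": {"uid": ["jdoe"], "objectClass": ["Person"]},
    "CN=ProxyUsers,O=Example": {"cn": ["ProxyUsers"], "objectClass": ["groupOfNames"],
                                "member": ["CN=Chris Mitchell,O=Example"]},
}
USER_FILTER = "(&(uid=%s)(objectClass=Person))"                   # the -F filter
GROUP_FILTER = "(&(cn=%g)(objectClass=groupOfNames)(member=%u))"  # the -f filter

def parse(f):
    """Parse a filter made only of (&...) and (attr=value) terms."""
    f = f.strip()
    if f.startswith("(&"):
        inner, parts, depth, start = f[2:-1], [], 0, 0
        for i, ch in enumerate(inner):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                parts.append(parse(inner[start:i + 1]))
                start = i + 1
        return ("and", parts)
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", f)
    if not m:
        raise ValueError("unsupported filter: " + f)
    return ("eq", m.group(1), m.group(2))

def matches(node, attrs):
    if node[0] == "and":
        return all(matches(n, attrs) for n in node[1])
    return node[2].lower() in (v.lower() for v in attrs.get(node[1], []))

def search(filt):
    node = parse(filt)
    return [dn for dn, attrs in DIRECTORY.items() if matches(node, attrs)]

def check(user, group):
    """Assumed two-step -F/-f lookup: login name -> DN, then DN in the group."""
    dns = search(USER_FILTER.replace("%s", user))   # real helper escapes values
    if len(dns) != 1:                                # unknown or ambiguous user
        return "ERR"
    gfilt = GROUP_FILTER.replace("%g", group).replace("%u", dns[0])
    return "OK" if search(gfilt) else "ERR"

if __name__ == "__main__":   # same line protocol squid uses for external_acl_type
    for line in sys.stdin:
        parts = line.split()
        print(check(parts[0], parts[1]) if len(parts) >= 2 else "ERR", flush=True)
```

Feeding `echo "cmitchell ProxyUsers"` to it prints OK; swapping in the attribute names and objectClass values the Domino directory really uses (an ldapsearch of one user and one group shows them) tells you which of the two filters is the one that fails.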
Received on Thu Nov 29 2007 - 16:19:05 MST
