What's worked for me with squid 2.7.STABLE6 on CentOS 5.3 to edirectory was this:
auth_param basic program /usr/lib/squid/squid_ldap_auth -H ldap://FQDN.EDIR.SERVER -Z -b o=<Tree Name> -s sub -f "(&(objectClass=person)(uid=%s))"
external_acl_type edir-group %LOGIN /usr/lib/squid/squid_ldap_group -Z -D cn=someuser,o=PSC -w userpass -b o=<Tree Name> -s sub -f (&(objectClass=person)(uid=%u)(groupMembership=cn=%g,o=<Tree Name>)) -H ldap://FQDN.EDIR.SERVER
acl auth_users proxy_auth REQUIRED
acl InetGroup external edir-group INTERNET_BANNED
deny_info deny-inet InetGroup
http_access deny InetGroup
http_access allow auth_users
http_access deny all
That's the guts of my config file that checks edir for valid user/passwd and then checks to see if they're a member of a group that has internet privileges disabled. A lot of it will be figuring out at what level of the tree you want to start your searches and what attributes you want to filter on. That's usually unique per your setup. Creating a filter to search your edir schema is the hardest part of getting LDAP auth working by a long ways. Here's what I use to check edir searches and what squid would see.
[root_at_proxy4 /]# ldapsearch -x -H ldap://FQDN.EDIR.SERVER -Z -b o=<Tree Name> -D cn=someuser,o=<Tree Name> -w userpass -s sub '(&(objectClass=person)(uid=someuser))' uid sn givenname
# extended LDIF
#
# LDAPv3
# base <o=TREE> with scope subtree
# filter: (&(objectClass=person)(uid=someuser))
# requesting: uid sn givenname
#
# someuser, TREE
dn: cn=someuser,o=TREE
uid: someuser
sn: Some User
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
In the /etc/openldap/ldap.conf, I also had to add a few things. This might be CentOS/RHEL specific though and I don't remember why I did this to start with. More than likely something to do with TLS on Netware. I added:
ssl start_tls
ssl on
TLS_REQCERT never
Hope something there helps. It's not single sign on like you're initial request but hopefully it will get you authenticating against edirectory. I'd be interested if you come up with a solution for SSO or auto-logins myself.
Rob
-------------------------------------
Rob Asher
Network Systems Technician
Paragould School District
(870)236-7744 Ext. 169
>>> Dale Mahalko <dmahalko_at_gmail.com> 9/22/2009 1:31 PM >>>
The problem with most LDAP-auth examples is that they are written for
Active Directory, and they assume the reader is an expert at
understanding LDAP syntax. As such the following appears to be
meaningless with Novell eDirectory:
uid=some-user,ou=People,dc=yourcompany,dc=com
,
We don't have domain controllers in novell's eDir, so "dc=" appears to
be the wrong identifier for Novell's LDAP.
Instead, we have this thing called the Tree and the Org at the top
level. I've played with trying random guesses like
"cn=foo,ou=accounts,o=myorg,t=mytree" and it doesn't work.
I don't know where to find a list of all valid LDAP identifiers (cn=,
dc=, etc) so I don't know what syntax to use.
And does using "uid=" or "cn=" make a difference with AD vs eDir?
,
Also, what's with the commas and periods in LDAP vs Novell? Does it matter?
Novell eDirectory: cn=user.ou=orgunit.o=org.t=tree
LDAP: uid=some-user,ou=People,dc=yourcompany,dc=com
Will either work, or must the delimiter be a comma with LDAP?
,
Novell eDirectory permits spaces in the names of objects. How do you
deal with spaces in LDAP objects from the command line? Do you wrap
the individual item with quotes or the whole LDAP path/context in
quotes?
,
Also what is the debug option in the LDAP authenticator supposed to be
used for? It does not appear to generate any useful output. I am
looking for extensive debugging information to tell me why and how
exactly it is or isn't working, like this:
Connecting to LDAP server: foo.company.com (10.0.0.10) ...
** Connected.
Using authenticated bind with user: cn=user.ou=accounts.dc=somewhere
With password: foo
** Successful authenticated bind.
Searching tree using matching pattern: "cn=%s"
** Actual search pattern: "cn=(whatever %s means)"
Found the following match:
(etc)
Getting only "ERR Success" as a response is quite unhelpful for an
LDAP-noob to figure out what is wrong.
,
If I get answers to these questions I'll probably put it into the wiki page..
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap
- Dale Mahalko
On Tue, Sep 22, 2009 at 6:23 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> We have a generic LDAP how-to which may or may not be useful to you...
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap
>
>
> Recent squid releases bundle an eDirectory helper for doing secure encrypted
> digest authentication. That auth method is also growing in its support from
> browsers etc.
>
> Hopefully someone with a bit more experience in these auth methods will
> speak up. This should give you a place to start seraching anyway. Good luck.
>
----------
This message has been scanned for viruses and
dangerous content by the Paragould School District
MailScanner, and is believed to be clean.
----------
This message has been scanned for viruses and
dangerous content by the Paragould School District
MailScanner, and is believed to be clean.
Received on Tue Sep 22 2009 - 19:21:29 MDT
This archive was generated by hypermail 2.2.0 : Wed Sep 23 2009 - 12:00:03 MDT