Re: [squid-users] Squid3 and authenticating users SASL/MYSQL

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 30 Apr 2010 17:25:37 +1200

Simon Brereton wrote:
>> -----Original Message-----
>> From: Amos Jeffries
>> Sent: Wednesday, April 28, 2010 8:36 PM
>>
>> A general note;
>> Etch is soon to be on the pile of obsolete Debian releases. If you
>> can please upgrade to the current Debian stable.
>> Worst case please upgrade to the backports.org version of squid3.
>
> I'm dreading this - but yes, it's on the roadmap. But the Squid package was the latest.
>
>
>
>>> and this resource is not terribly verbose:
>>>
>>> http://www.squid-cache.org/Versions/v3/HEAD/manuals/basic_sasl_auth.8.html
>> Any useful additions welcome. :)
>
> Gladly! As soon as I get it working/understand what the hell I'm doing.. :)
>
>>> my squid.conf looks like this:
>>>
>>> 1742 auth_param basic program /usr/lib/squid3/sasl_auth /etc/postfix/sasl/smtpd.conf
>> Does it actually need the config file listed? My understanding was
>> that placing it in /usr/lib/sasl caused SASL to load it automatically
>> as needed.
>
> Interesting - part of the problem I guess is that I didn't really understand the sasl mech when I set it up - and I can't really remember what I did. I only have .h and .c files in /usr/lib/sasl - after a bit of looking I found a file at /etc/default/saslauth that seems to list the config options for sasl. What I don't seem to be able to do at the moment is to tell /usr/lib/squid3/sasl_auth where or to do what it needs to do. (The file /etc/postfix/sasl/smtpd.conf tells saslauth what query to run on the DB to compare credentials.) I'll keep trying.
>
>
>>> Trying
>>> /usr/sbin/squid3 from the commandline with -d9 -N gives me too much
>>> information although I'm trying now to trap it and see, but having
>>> spent 48 hours to get this far, I thought I'd ask. It's probably as
>>> simple as fixing line 1742, but I'd appreciate any pointers in doing that.
>>>
>> If this way gets too much there are two other helpers which may be an
>> option for you:
>> POP3 helper (squid tries to use the credentials to login to the POP
>> server and uses the success/fail result from that).
>> DB helper (Squid passes an SQL query direct to the MySQL database.
>> Using the success/fail of that as the result)
>
> Frankly, either would be fine.. In fact, that's all that SASL is doing. The only reason I went for SASL was because it was the only thing I could find that seemed relevant to my system. MYSQL would be more than adequate since it removes the middle-man.. However, I don't find documentation on this. Can you point me to some?
>
> I found this: http://www.squid-cache.org/Versions/v3/HEAD/manuals/basic_db_auth but I can't find db_auth.pl on my system so I don't know what to put for the auth_param basic program..
>

That manual you found is pretty much the entire documentation for the
DB helper. It does not mention that the --cond parameter can take a
whole string of complex conditions if it's quoted with "".

Luckily the latter is a perl script. I have a temporary copy here:
http://treenet.co.nz/projects/squid/src/helpers/basic_auth/DB/basic_db_auth.in

Just needs:
  alter the @PERL@ in the first line
  remove the file extension.
  chmod / chown to the squid user with read/execute privileges.
  configure squid.conf

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
Received on Fri Apr 30 2010 - 05:25:45 MDT
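
The four steps listed in the message above, as an added shell example that is not part of the original message or the Squid project's own code. The function names, the DSN, the database account, and the table and column names are assumptions; CHANGEME is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original message or the Squid project.
# Assumed names: install_db_helper, db_auth_line, all paths and DB values.

# install_db_helper SRC DESTDIR PERL [OWNER]
# Steps 1-3: substitute @PERL@ on line 1, drop the ".in" extension,
# and limit the file to read/execute for its owner and group.
install_db_helper() {
    src=$1; destdir=$2; perl=$3; owner=${4:-}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -x "$perl" ] || { echo "$perl is not executable" >&2; return 1; }
    dest="$destdir/$(basename "$src" .in)"
    # Only line 1 is rewritten, so later @PERL@ text is left alone.
    sed "1s|@PERL@|$perl|" "$src" > "$dest" || return 1
    chmod 0550 "$dest" || return 1
    # chown needs root; skipped when no owner is given.
    if [ -n "$owner" ]; then chown "$owner" "$dest" || return 1; fi
    printf '%s\n' "$dest"
}

# db_auth_line HELPER COND
# Step 4: emit the squid.conf line. COND is wrapped in double quotes so
# a multi-term condition is passed as a single --cond value.
db_auth_line() {
    case $2 in
        *'"'*) echo "COND must not contain a double quote" >&2; return 1 ;;
    esac
    printf 'auth_param basic program %s --dsn "DBI:mysql:database=mail" --user squid_ro --password CHANGEME --table users --usercol email --passwdcol password --cond "%s"\n' "$1" "$2"
}
```

Because the database password sits in squid.conf and on the helper's command line, keep squid.conf unreadable to other local users and give the database account SELECT rights on the credential table only.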