Hi Everyone
I am encountering an issue with this module which I don't understand.
Stage 1: Set up LDAP authentication with the following in squid.conf

auth_param basic program /usr/lib64/squid/squid_ldap_auth -b "ou=People,dc=cms,dc=waikato,dc=ac,dc=nz" -f "uid=%s" localhost
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
Everything works as expected. Great :)

Stage 2: Work out what needs to be passed to squid_ldap_group

After some searching of the web I came up with the following:

/usr/lib64/squid/squid_ldap_group -d -b "ou=People,dc=cms,dc=waikato,dc=ac,dc=nz" -f '(&(uid=%u)(memberof=cn=%g,ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz))' localhost
And testing this manually leads to the correct responses. clint is a non-existent user; clintd is a valid user who is a member of tsg, mysql and staff:
clint tsg
Connected OK
group filter '(&(uid=clint)(memberof=cn=tsg,ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz))', searchbase 'ou=People,dc=cms,dc=waikato,dc=ac,dc=nz'
ERR

clintd mysql
Connected OK
group filter '(&(uid=clintd)(memberof=cn=mysql,ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz))', searchbase 'ou=People,dc=cms,dc=waikato,dc=ac,dc=nz'
OK

clintd student
Connected OK
group filter '(&(uid=clintd)(memberof=cn=student,ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz))', searchbase 'ou=People,dc=cms,dc=waikato,dc=ac,dc=nz'
ERR

clintd staff
Connected OK
group filter '(&(uid=clintd)(memberof=cn=staff,ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz))', searchbase 'ou=People,dc=cms,dc=waikato,dc=ac,dc=nz'
OK
So I add the following to my squid.conf file:

external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -d -b "ou=People,dc=cms,dc=waikato,dc=ac,dc=nz" -f '(&(uid=%u)(memberof=cn=%g,ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz))' localhost
acl mysql external ldap_group mysql

And edit the access rule to become:

http_access allow ldapauth mysql
Squid parses and loads the configuration. If I attempt to authenticate as the valid user clintd, but with an incorrect password, I am prompted to re-enter the password. If I supply valid auth information for the user clintd, I get a page saying Squid is denying my request. Why is this? I could understand it if I'm passing an invalid command line to squid_ldap_group, but testing it manually seems to work correctly.
As this is a non-production Squid configuration at present, I have removed all other ACLs etc. that may have been interfering, but I still see the same behaviour. Does anyone have an idea what I am doing wrong, or suggestions as to how I troubleshoot this further?
I am using squid-2.6.STABLE21 via the CentOS 5 rpm squid-2.6.STABLE21-6.el5.x86_64.
Thank you for your time
Clint Dilks
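When a helper answers correctly at the keyboard but Squid still denies the request, the first thing to rule out is the helper protocol itself: external_acl_type writes one line per lookup consisting of the format values (here the %LOGIN user name) followed by the acl's own arguments (here "mysql"), and it takes the verdict from the helper's stdout only; anything -d prints to stderr never reaches Squid. The harness below, added here as an illustration and not part of the original post or of Squid, drives a helper exactly that way. It uses a small constructed stand-in for squid_ldap_group so it runs offline; to test the real helper, replace the command list with the squid_ldap_group command line from the post.

```python
import subprocess
import sys
import textwrap

# Constructed stand-in for squid_ldap_group (not the real helper). It mimics only the
# protocol: reads "user group" lines on stdin, answers OK/ERR on stdout, and chatters on
# stderr the way "-d" does. Membership data mirrors the post's manual test.
MOCK_HELPER = textwrap.dedent('''
    import sys
    MEMBERS = {"clintd": {"tsg", "mysql", "staff"}}   # constructed sample directory data
    for line in sys.stdin:
        parts = line.split()
        if len(parts) != 2:
            print("ERR", flush=True)
            continue
        user, group = parts
        print("group filter for %s / %s" % (user, group), file=sys.stderr)  # debug noise
        print("OK" if group in MEMBERS.get(user, set()) else "ERR", flush=True)
''')


def external_acl_line(login, acl_args):
    """Build the request line external_acl_type sends for a '%LOGIN' format:
    the format values first, then the acl's arguments, space-separated.
    (Assumption: Squid's escaping of values containing spaces is not modelled.)"""
    return " ".join([login, *acl_args]) + "\n"


def query_helper(helper_cmd, login, acl_args):
    """Run one lookup the way Squid does: write the line to the helper's stdin and
    read the verdict from the first word on stdout. stderr is captured separately
    so the caller can see debug output, but it never influences the verdict."""
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, text=True)
    out, err = proc.communicate(external_acl_line(login, acl_args))
    words = out.split()
    verdict = words[0] if words else "ERR"   # an empty/garbled reply is a denial
    return verdict, err


def lookup_with_mock(login, group):
    """Convenience wrapper: query the constructed stand-in helper for one user/group."""
    return query_helper([sys.executable, "-c", MOCK_HELPER], login, [group])[0]


if __name__ == "__main__":
    for login, grp in [("clintd", "mysql"), ("clintd", "student"), ("clint", "tsg")]:
        print(f"{login} {grp}: {lookup_with_mock(login, grp)}")
```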
Received on Thu Mar 10 2011 - 00:29:22 MST