RE: LDAP authentication

From: Squid Administration <mdiwan@dont-contact.us>
Date: Tue, 01 Aug 2000 12:12:13 -0400

Dear Iker G and fellow squid users,

I have been reading the lists for info on squid 2.3 stable 4 and LDAP
server authentication. I have so far tried most of the suggestions in
these lists. They were quite helpful, thank you all.

We have been running a squid proxy server for a number of years, and in an
effort to upgrade the software and hardware I started to build another
proxy server.

Now if you could help me solve this one small problem I would
appreciate it.

Here is my configuration to date:

I am running RedHat Linux version 6.1 on a Compaq Proliant server. Let's
call it "Redboy".
It has an IP of 192.168.0.1 and a subnet of 255.255.255.224.
I installed Squid version 2.3-STABLE-4 on Redboy while running
as user squid.
I defined a search base, made, and installed the LDAP authentication
module from the auth_modules directory of the untarred archive.
The search base I used was the same as the search base used in
the old version of squid running on our other server, which is running
Redhat 5.1 and Squid version 1.93.2.16 ? from 1998/05/01.

Search base I used in the module:

#define SEARCHBASE "o=lhxxxxxxxusa.com uid cn=internet,o=lhxxxxxxxusa.com"

Other changes I made to the module:

  /* uncommented this line */
  sprintf(str,"uid=[%s][%s], %s",userid, password, SEARCHBASE);
  /* commented this line */
  /*sprintf(str,"uid=%s, %s",userid, SEARCHBASE);*/

  if(ldap_simple_bind_s(ld, str, password) != LDAP_SUCCESS)
    {
      /* uncommented this line */
      fprintf(stderr, "\nUnable to bind\n");
      return 33;
    }
  return 0;
}

I am unsure if I needed to uncomment the sprintf line containing the
"password" variable.
The previous version of squid has the following line in its squid.conf
file, and this is all I have to work with:

ldap_auth 192.168.0.113 389 o=lhxxxxxxxusa.com uid cn=internet,o=lhxxxxxxxusa.com

I do get the popup window for authentication and am able to pass my
username and password on to Redboy.
I am however unable to bind to my LDAP server.

Taking the advice from the squid-users list I listed the debugging
options 28,6 and 29,5 in my squid.conf file.

After doing so I get the following results in the cache log:

2000/07/31 16:15:27| aclCheckFast: list: 0x81f5ea0
2000/07/31 16:15:27| aclMatchAclList: checking all
2000/07/31 16:15:27| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'

2000/07/31 16:15:27| aclMatchIp: 'XX.XX.XX.230' found
2000/07/31 16:15:27| aclMatchAclList: returning 1
2000/07/31 16:15:27| aclCheck: checking 'http_access allow manager
localhost'
2000/07/31 16:15:27| aclMatchAclList: checking manager
2000/07/31 16:15:27| aclMatchAcl: checking 'acl manager proto
cache_object'
2000/07/31 16:15:27| aclMatchAclList: returning 0
2000/07/31 16:15:27| aclCheck: checking 'http_access deny manager'
2000/07/31 16:15:27| aclMatchAclList: checking manager
2000/07/31 16:15:27| aclMatchAcl: checking 'acl manager proto
cache_object'
2000/07/31 16:15:27| aclMatchAclList: returning 0
2000/07/31 16:15:27| aclCheck: checking 'http_access deny !Safe_ports'
2000/07/31 16:15:27| aclMatchAclList: checking !Safe_ports
2000/07/31 16:15:27| aclMatchAcl: checking 'acl Safe_ports port 80 21
443 563 70 210 1025-65535'
2000/07/31 16:15:27| aclMatchAclList: returning 0
2000/07/31 16:15:27| aclCheck: checking 'http_access allow CONNECT
!SSL_ports'
2000/07/31 16:15:27| aclMatchAclList: checking CONNECT
2000/07/31 16:15:27| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2000/07/31 16:15:27| aclMatchAclList: returning 0
2000/07/31 16:15:27| aclCheck: checking 'http_access allow all ldap'
2000/07/31 16:15:27| aclMatchAclList: checking all
2000/07/31 16:15:27| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'

2000/07/31 16:15:27| aclMatchIp: '57.20.16.230' found
2000/07/31 16:15:27| aclMatchAclList: checking ldap
2000/07/31 16:15:27| aclMatchAcl: checking 'acl ldap proxy_auth
REQUIRED'
2000/07/31 16:15:27| aclDecodeProxyAuth: header = 'Basic
dTMwMDQyMjp2YW0xMjM='
2000/07/31 16:15:27| aclDecodeProxyAuth: cleartext = 'userme:123456'
2000/07/31 16:15:27| aclMatchProxyAuth: checking user 'userme'
2000/07/31 16:15:27| aclMatchProxyAuth: user 'userme' not yet known
2000/07/31 16:15:27| aclMatchAclList: returning 0
2000/07/31 16:15:27| aclCheck: checking password via authenticator
2000/07/31 16:15:27| aclDecodeProxyAuth: header = 'Basic
dTMwMDQyMjp2YW0xMjM='
2000/07/31 16:15:27| aclDecodeProxyAuth: cleartext = 'userme:123456'
2000/07/31 16:15:27| aclLookupProxyAuthStart: going to ask authenticator
on userme
2000/07/31 16:15:27| authenticateStart: 'userme:123456'
2000/07/31 16:15:27| helperDispatch: Request sent to authenticator #1,
15 bytes

Unable to bind
2000/07/31 16:15:27| helperHandleRead: 4 bytes from authenticator #1.
2000/07/31 16:15:27| helperHandleRead: end of reply found
2000/07/31 16:15:27| authenticateHandleReply: {ERR}
2000/07/31 16:15:27| aclLookupProxyAuthDone: result = ERR
2000/07/31 16:15:27| aclCheck: checking 'http_access allow all ldap'
2000/07/31 16:15:27| aclMatchAclList: checking all
2000/07/31 16:15:27| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'

2000/07/31 16:15:27| aclMatchIp: 'XX.XX.XX.230' found
2000/07/31 16:15:27| aclMatchAclList: checking ldap
2000/07/31 16:15:27| aclMatchAcl: checking 'acl ldap proxy_auth
REQUIRED'
2000/07/31 16:15:27| aclDecodeProxyAuth: header = 'Basic
dTMwMDQyMjp2YW0xMjM='
2000/07/31 16:15:27| aclDecodeProxyAuth: cleartext = 'userme:123456'
2000/07/31 16:15:27| aclMatchProxyAuth: checking user 'userme'
2000/07/31 16:15:27| aclMatchProxyAuth: authentication failed for user
'userme'
2000/07/31 16:15:27| aclMatchAclList: returning 0
2000/07/31 16:15:27| aclCheck: match found, returning 2
2000/07/31 16:15:27| aclCheckCallback: answer=2

I have an LDAP server running Windows NT4 and Netscape Directory
Server version 4.01. Let's call it "Netldap", with an IP of
192.168.0.113; again the subnet is 255.255.255.224.

There is a Checkpoint firewall between them set to have "Redboy" as
source host and "Netldap" as destination with the LDAP port 389 open to the
destination.

What have I done WRONG??

Thanks for the help.

Madhav Diwan (mdiwan@lsyna.com)
Received on Tue Aug 01 2000 - 10:14:06 MDT
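As an added example, not part of the post above or of Squid's own auth module: a minimal helper in the Squid basic-auth helper protocol (one "user password" line per request on stdin, one "OK" or "ERR" line per reply on stdout), with the bind DN built from the uid only, the password handed to the bind call separately, and the DN write bounded by snprintf. The search base o=example.com, the demo_bind stand-in for ldap_simple_bind_s and the credential it accepts are constructed for offline use.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical search base; the original post's base is partially masked. */
#define SEARCHBASE "o=example.com"

/* Build the DN the helper binds as. Only the uid goes into the DN; the
 * password is passed to the bind call, never into the DN. Returns 0 on
 * success, -1 if the userid is empty, contains characters that could
 * escape the RDN, or the DN does not fit in out. */
int build_bind_dn(const char *userid, const char *base, char *out, size_t outlen)
{
    if (*userid == '\0' || strpbrk(userid, ",=+\"\\<>;#") != NULL)
        return -1;
    int n = snprintf(out, outlen, "uid=%s,%s", userid, base);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Stand-in for ldap_simple_bind_s(): no LDAP library is used. It accepts
 * one constructed credential so the helper runs offline; a real helper
 * binds to the directory here. Returns 0 on success, non-zero otherwise. */
int demo_bind(const char *dn, const char *password)
{
    return (strcmp(dn, "uid=userme,o=example.com") == 0 &&
            strcmp(password, "123456") == 0) ? 0 : -1;
}

/* Handle one request line ("user password\n") and return the reply Squid
 * expects ("OK" or "ERR"). The bound DN is left in dn for logging. */
const char *handle_request(const char *line, char *dn, size_t dnlen)
{
    char user[256], pass[256];
    if (sscanf(line, "%255s %255s", user, pass) != 2)
        return "ERR";
    if (build_bind_dn(user, SEARCHBASE, dn, dnlen) != 0)
        return "ERR";
    return demo_bind(dn, pass) == 0 ? "OK" : "ERR";
}

/* Helper main loop. The fflush is required: Squid reads replies over a
 * pipe, and stdout is block-buffered when it is not a terminal. */
int main(void)
{
    char line[600], dn[512];
    while (fgets(line, sizeof line, stdin) != NULL) {
        printf("%s\n", handle_request(line, dn, sizeof dn));
        fflush(stdout);
    }
    return 0;
}
```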

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:54:41 MST