Dear Iker G and fellow squid users,
I have been reading the lists for info on squid 2.3 stable 4 and ldap
server authentication. I have so far tried most of the suggestions in
these lists; they were quite helpful, thank you all.
We have been running a squid proxy server for a number of years, and in an
effort to upgrade the software and hardware I started to build another
proxy server.
Now if you could help me solve this one small problem I would
appreciate it.
Here is my configuration to date:
I am running RedHat Linux version 6.1 on a Compaq Proliant server. Let's
call it "Redboy".
It has an IP of 192.168.0.1 and a subnet of 255.255.255.224.
I installed Squid version 2.3-STABLE-4 on Redboy while running
as user squid.
I defined a search base, made, and installed the ldap authentication
module from the auth_modules directory of the untarred archive.
The search base I used was the same as the search base used in
the old version of squid running on our other server, which is running
RedHat 5.1 and Squid version 1.93.2.16 ? from 1998/05/01.
Search base I used in the module:

    #define SEARCHBASE "o=lhxxxxxxxusa.com uid cn=internet,o=lhxxxxxxxusa.com"

Other changes I made to the module:

    sprintf(str, "uid=[%s][%s], %s", userid, password, SEARCHBASE);   /* <-- uncommented this line */
    /* sprintf(str, "uid=%s, %s", userid, SEARCHBASE); */              /* <-- commented this line */
    if (ldap_simple_bind_s(ld, str, password) != LDAP_SUCCESS)
    {
        fprintf(stderr, "\nUnable to bind\n");                         /* <-- uncommented this line */
        return 33;
    }
    return 0;
    }

I am unsure if I needed to uncomment the sprintf line containing the
"password" variable.
The previous version of squid has the following line in its squid.conf
file, and this is all I have to work with:

    ldap_auth 192.168.0.113 389 o=lhxxxxxxxusa.com uid cn=internet,o=lhxxxxxxxusa.com
I do get the popup window for authentication and am able to pass my
username and password on to Redboy.
I am however unable to bind to my ldap server.
Taking the advice from the squid-users
list, I listed the debugging options 28,6 and 29,5 in my squid.conf file.
After doing so I get the following results in the cache log:
2000/07/31 16:15:27| aclCheckFast: list: 0x81f5ea0
2000/07/31 16:15:27| aclMatchAclList: checking all
2000/07/31 16:15:27| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2000/07/31 16:15:27| aclMatchIp: 'XX.XX.XX.230' found
2000/07/31 16:15:27| aclMatchAclList: returning 1
2000/07/31 16:15:27| aclCheck: checking 'http_access allow manager localhost'
2000/07/31 16:15:27| aclMatchAclList: checking manager
2000/07/31 16:15:27| aclMatchAcl: checking 'acl manager proto cache_object'
2000/07/31 16:15:27| aclMatchAclList: returning 0
2000/07/31 16:15:27| aclCheck: checking 'http_access deny manager'
2000/07/31 16:15:27| aclMatchAclList: checking manager
2000/07/31 16:15:27| aclMatchAcl: checking 'acl manager proto cache_object'
2000/07/31 16:15:27| aclMatchAclList: returning 0
2000/07/31 16:15:27| aclCheck: checking 'http_access deny !Safe_ports'
2000/07/31 16:15:27| aclMatchAclList: checking !Safe_ports
2000/07/31 16:15:27| aclMatchAcl: checking 'acl Safe_ports port 80 21 443 563 70 210 1025-65535'
2000/07/31 16:15:27| aclMatchAclList: returning 0
2000/07/31 16:15:27| aclCheck: checking 'http_access allow CONNECT !SSL_ports'
2000/07/31 16:15:27| aclMatchAclList: checking CONNECT
2000/07/31 16:15:27| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2000/07/31 16:15:27| aclMatchAclList: returning 0
2000/07/31 16:15:27| aclCheck: checking 'http_access allow all ldap'
2000/07/31 16:15:27| aclMatchAclList: checking all
2000/07/31 16:15:27| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2000/07/31 16:15:27| aclMatchIp: '57.20.16.230' found
2000/07/31 16:15:27| aclMatchAclList: checking ldap
2000/07/31 16:15:27| aclMatchAcl: checking 'acl ldap proxy_auth REQUIRED'
2000/07/31 16:15:27| aclDecodeProxyAuth: header = 'Basic dTMwMDQyMjp2YW0xMjM='
2000/07/31 16:15:27| aclDecodeProxyAuth: cleartext = 'userme:123456'
2000/07/31 16:15:27| aclMatchProxyAuth: checking user 'userme'
2000/07/31 16:15:27| aclMatchProxyAuth: user 'userme' not yet known
2000/07/31 16:15:27| aclMatchAclList: returning 0
2000/07/31 16:15:27| aclCheck: checking password via authenticator
2000/07/31 16:15:27| aclDecodeProxyAuth: header = 'Basic dTMwMDQyMjp2YW0xMjM='
2000/07/31 16:15:27| aclDecodeProxyAuth: cleartext = 'userme:123456'
2000/07/31 16:15:27| aclLookupProxyAuthStart: going to ask authenticator on userme
2000/07/31 16:15:27| authenticateStart: 'userme:123456'
2000/07/31 16:15:27| helperDispatch: Request sent to authenticator #1, 15 bytes
Unable to bind
2000/07/31 16:15:27| helperHandleRead: 4 bytes from authenticator #1.
2000/07/31 16:15:27| helperHandleRead: end of reply found
2000/07/31 16:15:27| authenticateHandleReply: {ERR}
2000/07/31 16:15:27| aclLookupProxyAuthDone: result = ERR
2000/07/31 16:15:27| aclCheck: checking 'http_access allow all ldap'
2000/07/31 16:15:27| aclMatchAclList: checking all
2000/07/31 16:15:27| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2000/07/31 16:15:27| aclMatchIp: 'XX.XX.XX.230' found
2000/07/31 16:15:27| aclMatchAclList: checking ldap
2000/07/31 16:15:27| aclMatchAcl: checking 'acl ldap proxy_auth REQUIRED'
2000/07/31 16:15:27| aclDecodeProxyAuth: header = 'Basic dTMwMDQyMjp2YW0xMjM='
2000/07/31 16:15:27| aclDecodeProxyAuth: cleartext = 'userme:123456'
2000/07/31 16:15:27| aclMatchProxyAuth: checking user 'userme'
2000/07/31 16:15:27| aclMatchProxyAuth: authentication failed for user 'userme'
2000/07/31 16:15:27| aclMatchAclList: returning 0
2000/07/31 16:15:27| aclCheck: match found, returning 2
2000/07/31 16:15:27| aclCheckCallback: answer=2
I have an ldap server running Windows NT4 and Netscape Directory
Server version 4.01. Let's call it "Netldap", with an IP of
192.168.0.113; again the subnet is 255.255.255.224.
There is a Checkpoint firewall between them set to have "Redboy" as
host and "Netldap" as destination with the ldap port 389 open to the
destination.
What have I done WRONG??
Thanks for the help.
Madhav Diwan (mdiwan@lsyna.com)
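An added example (not the poster's module or Squid's own code): the Squid 2.x basic-auth helper exchange seen in the log above, written in Python, one "username password" line in and "OK" or "ERR" out, with the bind DN built from the uid attribute and the search base alone and the password handed only to the bind call. The LDAP bind is an injected callback (fake_bind, a constructed stand-in so the block runs without libldap), and using o=lhxxxxxxxusa.com by itself as the search base is an assumption.

```python
import sys

SEARCH_BASE = "o=lhxxxxxxxusa.com"   # assumed: the base alone, not the whole ldap_auth line
UID_ATTR = "uid"

# Characters RFC 4514 requires to be escaped inside a DN attribute value (plus a leading
# '#' or space and a trailing space); otherwise a crafted user name could add or replace RDNs.
_DN_SPECIAL = set(',+"\\<>;')

def dn_escape(value):
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))      # control chars as \XX hex pairs
        else:
            out.append(ch)
    return "".join(out)

def build_dn(userid, base=SEARCH_BASE, attr=UID_ATTR):
    """DN to bind as: '<attr>=<escaped user>,<base>'.  The password is not part of it."""
    return "%s=%s,%s" % (attr, dn_escape(userid), base)

def handle_request(line, bind, base=SEARCH_BASE):
    """Reply ('OK' or 'ERR') for one 'username password' line Squid sent the helper."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return "ERR"   # malformed line, or empty password: an empty simple bind is an
                       # anonymous bind and would succeed, so never pass it to the server
    userid, password = parts
    try:
        return "OK" if bind(build_dn(userid, base), password) else "ERR"
    except Exception:
        return "ERR"   # directory unreachable, timeout, etc.: fail closed

def fake_bind(dn, password):
    """Constructed stand-in for ldap_simple_bind_s(): accepts exactly one DN/password pair."""
    return (dn, password) == ("uid=userme,o=lhxxxxxxxusa.com", "123456")

def main(bind=fake_bind):
    for line in sys.stdin:                  # one request per line until Squid closes the pipe
        sys.stdout.write(handle_request(line, bind) + "\n")
        sys.stdout.flush()                  # Squid waits for each reply before sending the next

if __name__ == "__main__":
    main()
```

With a real directory, replace fake_bind with a function that performs the simple bind against the server. The debug levels used above also write the decoded credentials into cache.log, so lower them and rotate the log once the helper works.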
Received on Tue Aug 01 2000 - 10:14:06 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:54:41 MST