This probably needs to go to squid-dev, but...
I have gotten ldapsearch to work with Novell NDS over SSL. The command used was:
ldapsearch -D cn=LDAP-Query,o=org -W -H ldaps://server -b o=org cn=user
According to Novell, 'you MUST use the ldapsearch option -H [it uses ldap_initialize(...,"ldaps://server/"), which connects encrypted]; if you use -Z, openldap connects unencrypted and then attempts to negotiate encryption'.
I took a look at the squid_ldap_auth.c from 2.6-DEVEL-20021212 and that is exactly what is happening. I don't know openldap enough to want to tackle writing the patch, but if no one has picked it up by then I'll take a stab at it after the 1st.
Tim Bernhardson
Senior Technical Engineer
Certified Citrix Metaframe Administrator
Certified CyberGuard Administrator
Certified AIX 4.3 System Administrator
Sun-Maid Growers of California
7273 Murray Drive, Ste 18
Stockton, CA 95210
tbernhar at sunmaid dot com
>>> Henrik Nordstrom <hno@squid-cache.org> 12/17/02 01:27PM >>>
Note: To be able to use the Squid LDAP helpers you really need to be
able to first use the OpenLDAP tools to connect to your LDAP server. If
you cannot get the OpenLDAP tools to connect then the Squid helpers
almost certainly won't be able to either.
Finding LDAP server community or vendor support is also most likely a
lot easier when using the OpenLDAP tools as reference.
Regards
Henrik
Tim Bernhardson wrote:
>
> Yes, We are running an SSL enabled ldap server.
>
> The connection starts then fails (the message on the Novell Server is - SSL handshake failed, Error -25).
>
> I've looked up what documentation I can find and error # 25 is not listed...
>
> I did export the Root cert from Novell (and convert it from DER to PEM), and add the line CAPath=<directory> to the ldap.conf file.
>
> When I have a chance today I will be placing a question about the 25 error on one of the Novell Forums to see if anyone there has an idea.
>
> Tim
> >>> "Dan Cave" <mogul@totalise.co.uk> 12/17/02 03:16AM >>>
> Tim,
>
> Is your Novell NDS server running an SSL enabled ldap server? You need to
> make sure that any connections between your squid box and novell server
> must be ssl'd (if that's what you want to achieve, otherwise normal )
>
> Does your squid server have a valid ssl certificate?
>
> try doing a strace/lsof/ptrace of your squid process to see what's going on
> when you try and connect to the novell box.. that'll point you in the right
> direction.
>
> dan
>
> ----- Original Message -----
> From: "Tim Bernhardson" <TBERNHAR@sunmaid.com>
> To: <squid-users@squid-cache.org>
> Sent: Monday, December 16, 2002 6:41 PM
> Subject: RE: [squid-users] LDAP & Novell
>
> I am at the same point Jay is at in attempting to get ldap authentication
> via SSL to Novell NDS.
>
> When I try squid_ldap_auth (or ldapsearch) from the command line I get the
> message "squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact
> LDAP server'" (if I take out the SSL options it works fine).
>
> I'm thinking at this point that it is a problem between openssl & Novell
> since I can connect to the Novell server & do queries with no problems using
> a Java Utility (ldapbrowser) that uses JSSE instead of OpenSSL.
>
> Does anyone have this running against Novell NDS using SSL with the Novell
> server using self signed certificates (I ran the command 'openssl
> s_client -connect novellserver:636' to double check the SSL Cert and the
> only error that came up was that it was a self signed certificate).
>
> Tim Bernhardson
> Senior Technical Engineer
> Certified Citrix Metaframe Administrator
> Certified CyberGuard Administrator
> Certified AIX 4.3 System Administrator
> Sun-Maid Growers of California
> 7273 Murray Drive, Ste 18
> Stockton, CA 95210
>
> tbernhar at sunmaid dot com
Received on Mon Dec 23 2002 - 15:47:11 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:11 MST
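The difference the thread turns on (ldapsearch -H ldaps:// talks TLS from the first byte, while -Z first sends a cleartext StartTLS request on the plain port and only then negotiates) can be seen on the wire. The following is an added example and is not code from the thread, from Squid's squid_ldap_auth.c, or from OpenLDAP: it encodes the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) exactly as a -Z client would send it, decodes the server's ExtendedResponse, and connects either way depending on the URI scheme. Host names are placeholders, the default ports 636/389 are the standard ones, and both server replies below are constructed for the example rather than captured from a Novell server; nothing here explains the "Error -25" seen on the NDS side.

```python
"""Added example: ldaps:// (TLS first) versus ldap:// + StartTLS (cleartext first).
Not from the squid-users thread, Squid, or OpenLDAP. Hostnames are placeholders;
the server replies at the bottom are constructed, not captured."""
import socket
import ssl
from urllib.parse import urlsplit

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


def ber_len(n: int) -> bytes:
    """BER definite length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER element: tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] LDAPOID } }.
    This is the cleartext packet an 'ldapsearch -Z' client sends on port 389 before any TLS."""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))          # 0x77 = [APPLICATION 23] constructed
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)


def parse_ber(data: bytes, pos: int = 0):
    """Return (tag, payload, next_pos) for the BER element at pos (definite lengths only)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def parse_extended_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, extendedResp [APPLICATION 24] { resultCode ENUMERATED,
    matchedDN, diagnosticMessage, responseName [10] OPTIONAL } }. Raises on anything else."""
    tag, msg, _ = parse_ber(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = parse_ber(msg)
    tag, body, _ = parse_ber(msg, pos)
    if tag != 0x78:                                    # 0x78 = [APPLICATION 24]
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = parse_ber(body)
    _, matched, pos = parse_ber(body, pos)
    _, diag, pos = parse_ber(body, pos)
    name = None
    if pos < len(body):
        t, val, pos = parse_ber(body, pos)
        if t == 0x8A:                                  # [10] primitive: responseName
            name = val.decode()
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(), "response_name": name}


def tls_first_byte(uri: str) -> bool:
    """True for ldaps:// (TLS handshake is the first thing on the socket, default port 636).
    False for ldap:// (default 389), which is encrypted only if StartTLS later succeeds."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme == "ldaps":
        return True
    if scheme == "ldap":
        return False
    raise ValueError("unsupported scheme: %r" % scheme)


def default_port(uri: str) -> int:
    return urlsplit(uri).port or (636 if tls_first_byte(uri) else 389)


def open_ldap_socket(uri: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect the way ldap_initialize() does for the URI: wrap immediately for ldaps://, or send the
    cleartext StartTLS request and wrap only after resultCode 0 for ldap://. Needs a live server."""
    host = urlsplit(uri).hostname
    raw = socket.create_connection((host, default_port(uri)), timeout=timeout)
    if tls_first_byte(uri):
        return ctx.wrap_socket(raw, server_hostname=host)      # ldaps://: ClientHello is byte zero
    raw.sendall(starttls_request())                            # ldap:// -Z: OID goes out in the clear
    reply = parse_extended_response(raw.recv(4096))
    if reply["result_code"] != 0:
        raw.close()
        raise ConnectionError("StartTLS refused: %d %s" % (reply["result_code"], reply["diagnostic"]))
    return ctx.wrap_socket(raw, server_hostname=host)


# Constructed replies (not from a real server). Success echoes the StartTLS OID as responseName;
# the refusal carries resultCode 2 (protocolError) and a diagnostic string.
SAMPLE_STARTTLS_OK = bytes.fromhex("3024020101781f0a0100040004008a16") + STARTTLS_OID
SAMPLE_STARTTLS_REFUSED = bytes.fromhex("3022020101781d0a010204000416") + b"StartTLS not supported"
```

For a self-signed NDS root like the one exported in the thread, the `ssl.SSLContext` passed in is where the PEM goes (`ctx.load_verify_locations("novell-root.pem")`, the equivalent of the ldap.conf TLS_CACERT/CAPath setting); with either connection style a verification failure surfaces as an SSL handshake error, so checking the same root with `openssl s_client -connect server:636` first, as Henrik suggests, is still the right order of operations.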