Hi Steve,
I've just finished installing squid with auth on an eDirectory LDAP
(Novell 5.11) and after some headaches here's what worked:
1. run configure with --enable-basic-auth-helpers=LDAP
This will compile and install the ldap helper programs
2. test the process from the command line, from your squid
installation's /libexec directory:
./squid_auth_ldap \
-H ldap://YourEDirServerHere \
-D "cn=validuser,ou=hisOU,O=hisOrg" \
-w passwordfortheuser \
-b "ou=something,O=something" \
-s sub \
-v 3 \
-f "(&(objectClass=person)(cn=%s)\
(groupMembership=cn=SquidUsers,ou=groupsOU,O=groupsOrg))"
Here's what all of this does:
-H indicates your ldap server in URI format
-D is the full DN of a user who can connect to the tree. I created a
SquidSrv user for this here.
-w is that user's password
-b is the highest point in your tree where you want to start
searching (i.e. you can limit to an OU instead of searching the WHOLE
tree each time)
-s sub allows searching the subtree starting at the -b point
-v 3 is for LDAP version 3
-f is the LDAP search filter. This particular one searches for a
person object with the specified username (the %s) that is a member of
the SquidUsers group (group I created for allowing net access here)
When you run that, you'll get a waiting cursor: the program waits
for input from STDIN. To test, simply enter a username and a password
to test for authentication. You'll get OK if the username is valid
and the password good, or ERR if anything failed. CTRL-D will end the
session.
GOTCHA: by default, eDirectory won't accept cleartext passwords. You
have to use ldaps:// to use the SSL port or use the -Z switch to use
TLS over the normal TCP port. I didn't want to figure out what was
wrong with my SSL certificate, so I just configured the LDAP server to
accept cleartext passwords from ConsoleOne. That's one fight I'm
keeping for a less busy moment :)
3. when everything is working, put the command you used in your squid
config **all on one line**:
auth_param basic program /path/to/libexec/squid_auth_ldap -etcetcetc
And use it in an ACL
acl Verified proxy_auth REQUIRED
And allow the traffic on that ACL
http_access allow Verified all
http_access deny all
The 2nd line is to restrict anyone who couldn't be auth'd. Adjust
according to your own ACLs and policies.
Hope this helps !
Martin
On Thu, 17 Mar 2005 16:33:13 +1100, Steven Adams <steve@drifthost.com> wrote:
> Hi,
>
> I would like to get LDAP auth working with Squid over my EDIR tree.
>
> I would like to auth based on what group the user is in and then have
> an acl from there.
>
> Can anyone point me in the right direction, maybe docs or something to
> get this working. I have read on the auth_ldap_users (I think it is) but
> was not really able to find much good doco on how to do it with groups.
>
> Thanks!
> Steve
>
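A model of what the helper described in Martin's steps does with each line on its stdin, as an added example (Python; not code from the squid project or from the post): it substitutes the submitted username into the -f filter with RFC 4515 escaping, matches the way that filter does (person entry with that cn, member of SquidUsers), checks the password, and answers OK or ERR. The directory entries, user names and passwords are constructed, and the in-memory search is a stand-in for the real LDAP query.

```python
import hmac
import sys

# Filter template from the -f argument above; %s is replaced by the username.
SQUID_GROUP = "cn=SquidUsers,ou=groupsOU,O=groupsOrg"
FILTER_TEMPLATE = "(&(objectClass=person)(cn=%s)(groupMembership=" + SQUID_GROUP + "))"

# Constructed stand-in for the entries under the -b search base (not real data).
DIRECTORY = {
    "alice": {"objectClass": ["person"], "userPassword": "s3cret",
              "groupMembership": [SQUID_GROUP]},
    "bob": {"objectClass": ["person"], "userPassword": "hunter2",
            "groupMembership": []},  # can log in, but is not a SquidUsers member
}

def ldap_escape(value):
    """RFC 4515 escaping, so a username like '*)(cn=*' cannot change the
    structure of the -f filter it is substituted into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(username):
    """The search filter the helper would send for this username."""
    return FILTER_TEMPLATE % ldap_escape(username)

def search(username):
    """Stand-in for the search: only a person with this cn in SquidUsers matches."""
    entry = DIRECTORY.get(username)
    if entry and "person" in entry["objectClass"] and SQUID_GROUP in entry["groupMembership"]:
        return entry
    return None

def authenticate(username, password):
    """Search with the -f filter, then check the password (a bind on a real server)."""
    entry = search(username)
    if entry is None:
        return "ERR"
    ok = hmac.compare_digest(entry["userPassword"].encode(), password.encode())
    return "OK" if ok else "ERR"

def helper_line(line):
    """One request on the helper's stdin: 'username password' -> 'OK' / 'ERR'."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    return authenticate(parts[0], parts[1])

if __name__ == "__main__":
    for request in sys.stdin:  # one request per line; CTRL-D ends the session
        print(helper_line(request), flush=True)
```

Run it and type `alice s3cret` to see OK, or `bob hunter2` to see ERR for a valid account outside the group, exactly as the command-line test in step 2 behaves.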
Received on Thu Mar 17 2005 - 09:57:21 MST
This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST