Re: [squid-users] Squid 2.5 w/ LDAP

From: Martin Richard <martin.richard@dont-contact.us>
Date: Thu, 17 Mar 2005 11:57:19 -0500

Hi Steve,

  I've just finished installing squid with auth on an eDirectory LDAP
(Novell 5.11) and after some headaches here's what worked:

  1. run configure with --enable-basic-auth-helpers=LDAP

  This will compile and install the ldap helper programs

  2. test the process from the command line, from your squid
installation's /libexec directory:

  ./squid_ldap_auth \
     -H ldap://YourEDirServerHere \
     -D "cn=validuser,ou=hisOU,O=hisOrg" \
     -w passwordfortheuser \
     -b "ou=something,O=something" \
     -s sub \
     -v 3 \
     -f "(&(&(objectClass=person)(cn=%s)) \
                (groupMembership=cn=SquidUsers,ou=groupsOU,O=groupsOrg))"

  Here's what all of this does:

  -H indicates your ldap server in URI format
  -D is the full DN of a user who can connect to the tree. I created a
SquidSrv user for this here.
  -w is that user's password
  -b is the highest point in your tree where you want to start
searching (i.e. you can limit to an OU instead of searching the WHOLE
tree each time)
  -s sub allows searching the subtree starting at the -b point
  -v 3 is for LDAP version 3
  -f is the LDAP search filter. This particular one searches for a
person object with the specified username (the %s) that is a member of the
SquidUsers group (a group I created for allowing net access here)

  When you run that, you'll get a waiting cursor: the program waits
for input from STDIN. To test, simply enter a username and a password
to test for authentication. You'll get OK if the username is valid
and the password good, or ERR if anything failed. CTRL-D will end the
session.

  GOTCHA: by default, eDirectory won't accept cleartext passwords. You
have to use ldaps:// to use the SSL port or use the -Z switch to use
TLS over the normal TCP port. I didn't want to figure out what was
wrong with my SSL certificate, so I just configured the LDAP server to
accept cleartext passwords from ConsoleOne. That's one fight I'm
keeping for a less busy moment :)

  3. when everything is working, put the command you used in your squid
config **all on one line**:

    auth_param basic program /path/to/libexec/squid_ldap_auth -etcetcetc

  And use it in an ACL

    acl Verified proxy_auth REQUIRED

  And allow the traffic on that ACL

    http_access allow Verified all
    http_access deny all

  The 2nd line is to restrict anyone who couldn't be auth'd. Adjust
according to your own ACLs and policies.

  Hope this helps !

  Martin

On Thu, 17 Mar 2005 16:33:13 +1100, Steven Adams <steve@drifthost.com> wrote:
> Hi,
>
> I would like to get LDAP auth working with Squid over my EDIR Tree.
>
> I would like to auth based on what group the user is in and then have
> an acl from there.
>
> Can anyone point me in the right direction, maybe docs or something to
> get this working. I have read on the auth_ldap_users (I think it is) but
> was not really able to find much good doco on how to do it with groups.
>
> Thanks!
> Steve
>
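The interactive helper test described in step 2 above can also be scripted, which is handy when you want to re-check the LDAP setup after a change without sitting at the waiting cursor. The script below is an added example, not part of Martin's mail or of Squid itself. It defines a `check_auth` function (my name) that feeds one "user password" line to any Squid basic-auth helper and reports OK or ERR, and, so that it runs without an LDAP server, it generates a constructed stub helper that speaks the same stdin/stdout protocol; the user `alice` and password `s3cret` are made-up values for the stub only.

```shell
#!/bin/sh
# Added example, not from Martin's mail: drive a Squid basic-auth helper
# non-interactively instead of typing credentials at the waiting cursor.
# To stay runnable without an LDAP server, a constructed stub helper that
# speaks the same protocol ("user pass" on stdin, "OK" or "ERR" on stdout)
# is written to a temp file; replace it with the real squid_ldap_auth command.

STUB="${TMPDIR:-/tmp}/stub_auth_helper.$$"
trap 'rm -f "$STUB"' EXIT

cat > "$STUB" <<'EOF'
#!/bin/sh
# Constructed stand-in for squid_ldap_auth: accepts exactly one credential
# pair and answers every other line with ERR, like a failed LDAP bind would.
while read -r user pass; do
    if [ "$user" = "alice" ] && [ "$pass" = "s3cret" ]; then
        echo OK
    else
        echo ERR
    fi
done
EOF
chmod 0700 "$STUB"

# check_auth USER PASS HELPER [HELPER-ARGS...]
# Feed one "user pass" line to the helper, then close stdin (the scripted
# equivalent of CTRL-D).  Returns 0 if the first reply is OK, 1 otherwise.
check_auth() {
    user=$1
    pass=$2
    shift 2
    reply=$(printf '%s %s\n' "$user" "$pass" | "$@" | head -n 1)
    [ "$reply" = "OK" ]
}

# Smoke test against the stub.  Against the real helper the same call becomes
# something like: check_auth alice s3cret ./squid_ldap_auth -H ldaps://... -b ...
if check_auth alice s3cret "$STUB"; then
    echo "alice / correct password: OK"
else
    echo "alice / correct password: ERR"
fi
if check_auth alice wrong "$STUB"; then
    echo "alice / wrong password: OK"
else
    echo "alice / wrong password: ERR"
fi
```

Swap `"$STUB"` for the full `squid_ldap_auth` invocation from the mail to test the real tree. Two things worth keeping in mind when doing so: the bind password given with `-w` is visible to every local user in `ps` output and to anyone who can read squid.conf, so keep the config file unreadable to other users and prefer the helper's `-W secretfile` option, which reads the bind password from a file instead of the command line; and typing values by hand bypasses any encoding Squid applies when it talks to the helper, so a password containing a space or unusual characters deserves a final check through the proxy itself rather than only through this script.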
Received on Thu Mar 17 2005 - 09:57:21 MST
