Re: [squid-users] Squid 2.5 w/ LDAP

From: Steven Adams <steve@dont-contact.us>
Date: Fri, 18 Mar 2005 12:03:55 +1100

Hi,

Thanks for the reply.

What I actually want to do is make how much access a user gets depend on
which group they are in.

E.g. group "somesites" gets access to only some sites.. Group "allsites"
gets access to all sites.

Is this possible? As far as I can see it only works with one group.

I tried what you said below. How do you actually enter the username and
password? Because all I get back if I type

<username>

ERR

Thanks
Steve

Martin Richard wrote:

>Hi Steve,
>
> I've just finished installing squid with auth on an eDirectory LDAP
>(Novell 5.11) and after some headaches here's what worked
>
> 1. run configure with --enable-basic-auth-helpers=LDAP
>
> This will compile and install the ldap helper programs
>
> 2. test the process from the command line, from your squid
>installation's /libexec directory:
>
> ./squid_ldap_auth \
> -H ldap://YourEDirServerHere \
> -D "cn=validuser,ou=hisOU,O=hisOrg" \
> -w passwordfortheuser \
> -b "ou=something,O=something" \
> -s sub \
> -v 3 \
> -f "(&(&(objectClass=person)(cn=%s))(groupMembership=cn=SquidUsers,ou=groupsOU,O=groupsOrg))"
>
> Here's what all of this does:
>
> -H indicates your ldap server in URI format
> -D is the full DN of a user who can connect to the tree. I created a
>SquidSrv user for this here.
> -w is that user's password
> -b is the highest point in your tree where you want to start
>searching (ie you can limit to an OU instead of searching the WHOLE
>tree each time)
> -s sub allows searching the subtree starting at the -b point
> -v 3 is for LDAP version 3
> -f is the LDAP search filter. This particular one searches for a
>person object with the specified username (the %s) that is a member of the
>SquidUsers group (the group I created for allowing net access here)
>
> When you run that, you'll get a waiting cursor.. the program waits
>for input from STDIN.. to test simply enter a username and a password
>to test for authentication.. you'll get OK if the username is valid
>and the password good, or ERR if anything failed. CTRL-D will end the
>session..
>
> GOTCHA: by default, eDirectory won't accept cleartext passwords. You
>have to use ldaps:// to use the SSL port or use the -Z switch to use
>TLS over the normal TCP port.. I didn't want to figure out what was
>wrong with my ssl certificate, so I just configured the ldap server to
>accept cleartext passwords from ConsoleOne.. that's one fight I'm
>keeping for a less busy moment :)
>
> 3. when everything is working, put the command you used in your squid
>config **all on one line**..
>
> auth_param basic program /path/to/libexec/squid_ldap_auth -etcetcetc
>
> And use it in an ACL
>
> acl Verified proxy_auth REQUIRED
>
> And allow the traffic on that ACL
>
> http_access allow Verified all
> http_access deny all
>
> The 2nd line is to restrict anyone who couldn't be auth'd.. adjust
>according to your own acl's and policies..
>
> Hope this helps !
>
> Martin
>
>On Thu, 17 Mar 2005 16:33:13 +1100, Steven Adams <steve@drifthost.com> wrote:
>
>
>>Hi,
>>
>>I would like to get LDAP auth working with Squid over my EDIR Tree.
>>
>>I would like to auth based on what group the user is in and then have
>>an acl from there.
>>
>>Can anyone point me in the right direction, maybe docs or something to
>>get this working? I have read about auth_ldap_users (I think it is) but
>>was not really able to find much good doco on how to do it with groups.
>>
>>Thanks!
>>Steve
>
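The helper protocol Martin describes (one "username password" line on stdin, "OK" or "ERR" back, the %s in the -f filter replaced by the username) as an added example that is not from this thread or from Squid: the eDirectory tree is replaced by a constructed in-memory dict, the group DN and user names are made up, and the username is escaped before it goes into the filter so that it cannot change the filter's structure. A line carrying only a username, as in Steve's test, comes back ERR.

```python
"""Stand-in for the squid_ldap_auth helper protocol described in the thread.
Added example, not code from the thread or from Squid; the directory is a constructed
in-memory dict, where a real helper would bind to -H as -D/-w and search below -b with -f."""
import re
import sys

# Filter template from the command line; the helper replaces %s with the username.
FILTER_TEMPLATE = ("(&(&(objectClass=person)(cn=%s))"
                   "(groupMembership=cn=SquidUsers,ou=groupsOU,O=groupsOrg))")

# Constructed sample directory: cn -> (password, groupMembership values).
DIRECTORY = {
    "alice": ("s3cret", ["cn=SquidUsers,ou=groupsOU,O=groupsOrg"]),
    "bob": ("hunter2", ["cn=Staff,ou=groupsOU,O=groupsOrg"]),  # not a SquidUsers member
}

def escape_filter_value(value):
    """RFC 4515 escaping: a username must not be able to change the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_filter(username):
    return FILTER_TEMPLATE.replace("%s", escape_filter_value(username))

def ldap_search(filt):
    """Evaluate the one filter shape used above against DIRECTORY; return the cn or None."""
    m = re.fullmatch(r"\(&\(&\(objectClass=person\)\(cn=(.*?)\)\)\(groupMembership=(.*)\)\)", filt)
    if not m:
        return None
    cn = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    entry = DIRECTORY.get(cn)
    return cn if entry and m.group(2) in entry[1] else None

def check_line(line):
    """One helper request: 'username password' in, 'OK' or 'ERR' out.
    A line with only a username (the case asked about in the thread) is an ERR."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or not parts[1]:
        return "ERR"
    username, password = parts
    cn = ldap_search(build_filter(username))
    if cn is None:
        return "ERR"  # no such person, or not a member of SquidUsers
    # A real helper would now bind as the found DN with the supplied password.
    return "OK" if DIRECTORY[cn][0] == password else "ERR"

if __name__ == "__main__":
    for line in sys.stdin:  # Squid sends one request per line; CTRL-D ends the session
        print(check_line(line), flush=True)
```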
Received on Thu Mar 17 2005 - 18:04:04 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST