[squid-users] Issues with squid_ldap_auth against a windows AD Server

From: Mike Langhorst <mike.langhorst_at_gmail.com>
Date: Wed, 25 Aug 2010 13:14:22 -0700

I've been struggling with getting Squid to authenticate against AD
using squid_ldap_auth.
OS:  OEL 5.3 (Redhat)
Squid: squid-2.6.STABLE21-3.el5
I've been able to get it to authenticate successfully against SunONE
Directory server; our internal users aren't in that LDAP, but it
should in theory show the pieces are functional.
Here's the relevant section from squid.conf, obfuscated where necessary:

auth_param basic program /usr/lib64/squid/squid_ldap_auth -d -R -v 3 -d -b "dc=oa,dc=DOMAIN,dc=com" -D "CN=SURNAME\, Givenname,OU=Basic,OU=Users,DC=oa,DC=DOMAIN,DC=com" -w "XXXXXX" -f sAMAccountName=%s -h AD_SERVER.oa.domain.com
auth_param basic children 5
auth_param basic realm "Restricted Use"
auth_param basic credentialsttl 10 minutes

Having this in squid.conf gives the error:
squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'

However, if I copy & paste this exact line, starting with
/usr/lib64/squid/squid_ldap_auth, it is successful:

bash-3.2$ /usr/lib64/squid/squid_ldap_auth -d -R -v 3 -d -b "dc=oa,dc=DOMAIN,dc=com" -D "CN=SURNAME\, Givenname,OU=Basic,OU=Users,DC=oa,DC=DOMAIN,DC=com" -w "XXXXXXX" -f sAMAccountName=%s -h AD_SERVER.oa.domain.com
user2 pass
user filter 'sAMAccountName=user2', searchbase 'dc=oa,dc=DOMAIN,dc=com'
attempting to authenticate user 'CN=lastname\, firstname,OU=Basic,OU=ISO_Users,DC=oa,DC=caiso,DC=com'
OK

Any ideas from the list?  All searches tell me the user or password is
wrong, but that's not the case.  Looks like squid's parsing of the
binddn seems broken on this.
Received on Wed Aug 25 2010 - 20:14:29 MDT
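
An added example, not part of the original post and not Squid code: it shows what bind DN a POSIX shell hands to the helper for the command line above, and how that DN changes if the `\,` escape is lost before the helper sees it. `drop_backslashes` is a hypothetical model of a layer that consumes backslash escapes; the post does not establish that squid.conf parsing behaves this way.

```python
import shlex

def binddn_from_shell(cmdline):
    """Return the -D argument exactly as a POSIX shell would place it in argv."""
    argv = shlex.split(cmdline)
    return argv[argv.index("-D") + 1]

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (RFC 4514 backslash escapes)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair intact
            i += 2
        elif dn[i] == ",":
            rdns.append(cur.lstrip())
            cur, i = "", i + 1
        else:
            cur += dn[i]
            i += 1
    rdns.append(cur.lstrip())
    return rdns

def drop_backslashes(value):
    """Hypothetical layer that treats backslash as an escape and consumes it."""
    out, i = "", 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 1                      # skip the backslash, keep the next char
        out += value[i]
        i += 1
    return out

def malformed_rdns(dn):
    """RDNs with no attribute type, i.e. no '=' in them."""
    return [r for r in split_dn(dn) if "=" not in r]

# Command line from the post, with its placeholders kept as posted.
CMD = (r'/usr/lib64/squid/squid_ldap_auth -d -R -v 3 -d -b "dc=oa,dc=DOMAIN,dc=com" '
       r'-D "CN=SURNAME\, Givenname,OU=Basic,OU=Users,DC=oa,DC=DOMAIN,DC=com" '
       r'-w "XXXXXX" -f sAMAccountName=%s -h AD_SERVER.oa.domain.com')

if __name__ == "__main__":
    dn = binddn_from_shell(CMD)
    print("shell argv  :", dn, "->", len(split_dn(dn)), "RDNs")
    bad = drop_backslashes(dn)
    print("escape lost :", bad, "->", len(split_dn(bad)), "RDNs,",
          "malformed:", malformed_rdns(bad))
```

Comparing this output with the argv the helper actually receives when started by Squid (for example from the helper's own debug output) shows whether the bind DN arrives intact.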
