RE: LDAP authentication with Squid

From: Sparks, Alan <asparks@dont-contact.us>
Date: Mon, 6 Jul 1998 10:14:19 -0700

I've implemented LDAP authentication on both 1.1.20 and 1.2b22... the
former using a patch by Clayton Donley, the latter using the external
proxy_auth patch. I really like the latter (short of the IE4 hang I've
been recently speaking of).

The LDAP auth works basically by taking the user-supplied username and
password, and a) looking up the DN of the user having a UID
attribute equal to the supplied username, and b) attempting a bind to
the LDAP server to that DN using the supplied password. The password is
normally maintained in the entry's userpassword attribute. If the bind
succeeds, cool.

I wrote a small C program to go with the proxy_auth patch to implement
the auth server, but it could easily be accomplished using a small Perl
program instead.

The LDAP traffic is minimal, 'cuz Squid caches the results of auth
lookups. It's generally quite fast, too.

The patch and supporting doc for 1.2b22 are at
http://www.IAEhv.nl/users/devet/squid/proxy_auth/. The patch for 1.1.20
is at http://miso.wwa.com/~donley/squid.html.

It's all quite easy to implement, and has been quite effective here.
The stuff works well with IE3/4 and NS 3/4... The effect to the user is
that a dialog box asking for username/password pops up the first time in
the session the user attempts to access the proxy. The username/password
stuff is thereafter cached for the session by the browser, so the user
need not re-authenticate for the duration of the session.

Hope this helps.
-Alan

-----Original Message-----
From: rstagg@csc.com [mailto:rstagg@csc.com]
Sent: Monday, July 06, 1998 1:44 AM
To: squid-users@ircache.net
Subject: LDAP authentication with Squid

Squidsters,

Over time I've seen a few references on here to LDAP authentication; and
I've looked at the available patch to do the job. Now, suddenly, I've been
handed a requirement to implement same; with instructions to replace Squid
with Netscape Proxy to permit integration with Netscape directory server.

Clearly, I don't want to do this. I've been researching LDAP most of the
afternoon, but I have yet to find the answer to my most fundamental
question:

** How does LDAP authentication _work_? ** That is, what does the user see?
What is the dialogue between servers? What changes have to be made to Squid
to get all this to happen?

Can anyone point me in the direction of a good webpage/FAQ describing the
ins and outs of authenticating users at a proxy server using an LDAP
directory? Is it really feasible at all? Should I just bite the bullet and
go for Netscrape Proxy?

Regards

Richard Stagg
Received on Mon Jul 06 1998 - 10:15:15 MDT
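
The search-then-bind check described in the reply above, as an added example that is not part of the original thread and is not the code of either patch or of Alan's C program. It assumes the helper receives one "username password" line per request and answers OK or ERR; FakeDirectory, its sample entry and all function names are hypothetical stand-ins for a real LDAP client, used to show the two checks a helper needs before binding: escaping the username in the search filter and refusing empty passwords.

```python
# RFC 4515: these characters must be hex-escaped inside a filter value.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server (hypothetical)."""

    def __init__(self, entries):
        self.entries = entries  # {dn: {"uid": ..., "userpassword": ...}}

    def search(self, ldap_filter):
        # Understands only (uid=VALUE): exact match, or a bare * wildcard.
        wanted = ldap_filter[len("(uid="):-1]
        return [dn for dn, e in self.entries.items()
                if wanted == "*" or escape_filter_value(e["uid"]) == wanted]

    def simple_bind(self, dn, password):
        # Models a server that accepts an empty password as an
        # unauthenticated bind (RFC 4513 section 5.1.2).
        return password == "" or self.entries[dn]["userpassword"] == password


def authenticate(directory, username, password):
    # Never send an empty password: on such servers the bind "succeeds".
    if not username or not password:
        return False
    # Step a) find the DN whose uid equals the supplied username.
    matches = directory.search("(uid=%s)" % escape_filter_value(username))
    if len(matches) != 1:  # unknown user, or uid is not unique
        return False
    # Step b) bind as that DN with the supplied password.
    return directory.simple_bind(matches[0], password)


def handle_line(directory, line):
    """One helper request 'username password' -> 'OK' or 'ERR' (assumed format)."""
    username, _, password = line.rstrip("\r\n").partition(" ")
    return "OK" if authenticate(directory, username, password) else "ERR"


SAMPLE = FakeDirectory({  # constructed entry
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userpassword": "s3cret"},
})
```

With a real LDAP library the same two guards apply unchanged; only search() and simple_bind() are replaced by the library's calls.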
