Re: Squid 2.2 and Novell 5 NDS

From: David J N Begley <david@dont-contact.us>
Date: Fri, 24 Dec 1999 21:50:54 +1100 (EST)

Earlier today, Adrian Eurell wrote:

> I have been asked the question, is it possible to use squid (On Solaris
> 2.6 platform) and have the Squid user authentication information come from
> Novell's NDS database. I am interested to know if it is possible and
> maybe anyone who has done it.

Is it possible? Yes. Has anyone done it? Not successfully, AFAIK (in my
case, I have no need so I've never bothered trying).

Essentially, Squid authenticates via an external authentication programme; as
long as that external authentication programme can communicate with an NDS
server, you can authenticate users that way.

The two most common ways of communicating with an NDS server are via NDS'
native protocols, or via LDAP; depending on your setup (and available
software solutions), you can either communicate directly with the NDS server
simply for the purposes of authenticating a Squid user, or your external
authentication programme can simply piggy-back on another API (eg., PAM) that
provides authentication support.

PAM (pluggable authentication modules) permit configuring different
authentication sources for different PAM-aware applications; in this case,
you'd use a PAM-based external authenticator with Squid and configure both it
and your system to communicate with the NDS server (even if other
applications on the system did not).

Beware, though, that Solaris 2.6 has a PAM bug (and Sun is unwilling to
release a fix) that means any PAM-aware application actually has to be coded
around the API spec in order for authentication to work (Sun claims Solaris 7
is fixed, but I haven't checked).

If using NDS' native protocols, Novell sells "NDS for Solaris" that provides
both a PAM and an NSS module for communicating with a standard NetWare NDS
server. There may be open source modules floating around offering similar
functionality, but the last I heard they concentrated mainly on NetWare 3 and
maybe 4 in bindery compatibility, but not NetWare 5 (anyone have any newer
news on this?).

If you want to try your hand at using LDAP and are running the latest
version/SP of NetWare 5 (ie., NDS 8 SP1 - you'd have to be extremely lucky and
undemanding in order to get NetWare 4 working with LDAP), you could use the
open source PAM and NSS modules from PADL Software (www.padl.com) that
communicate with a remote LDAP server; for this, you'll probably need to add
additional object classes and attributes to your NDS server, but "it can be
done" (that is authentication against NDS via LDAP).

The documentation is really starting to age (I must get around to updating it
one of these days), but a starting point that may help is here:

  http://www.nepean.uws.edu.au/users/david/qn99/

It encompasses using NDS (NetWare 5/NDS8) for storing user information and
authenticating/lookups from Solaris 2.6 using LDAP; it won't provide
everything you need for a Squid solution, but if you can get the users into
the NDS (and make them visible via LDAP, if that's your chosen path), then
being able to successfully authenticate using LDAP command line tools will
take you over 80% of the way towards getting Squid authentication working.

Cheers..

dave
Received on Fri Dec 24 1999 - 04:02:57 MST
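
Added example (not part of the original message, and not Squid's or the author's code): a sketch of the external authentication programme described above, reading one "username password" line per request and answering OK or ERR. The `bind` callable (standing in for the real LDAP simple bind or PAM call), the `cn=<user>,<base_dn>` layout, the base DN and the URL-decoding of both fields are assumptions.

```python
import sys
from urllib.parse import unquote

# Characters that must be escaped inside an LDAP DN attribute value (RFC 4514).
_DN_SPECIAL = set(',+"\\<>;=')

def escape_dn_value(value):
    """Escape a user-supplied value so it cannot alter the DN it is placed in."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def check_line(line, bind, base_dn="ou=staff,o=example"):  # constructed base DN
    """Return 'OK' or 'ERR' for one 'username password' request line."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    # Assumption: both fields arrive URL-encoded, so a space is sent as %20.
    user, password = unquote(parts[0]), unquote(parts[1])
    # An LDAP simple bind with an empty password is an unauthenticated bind
    # that many servers accept, so it must never count as a login.
    if not user or not password:
        return "ERR"
    dn = "cn=%s,%s" % (escape_dn_value(user), base_dn)
    try:
        return "OK" if bind(dn, password) else "ERR"
    except Exception:
        return "ERR"  # fail closed when the directory cannot be reached

def serve(bind, stdin=sys.stdin, stdout=sys.stdout):
    """Answer requests until the proxy closes the pipe."""
    for line in stdin:
        stdout.write(check_line(line, bind) + "\n")
        stdout.flush()  # the proxy waits for each reply line
```
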
