Re: LDAP authentication

From: Joel Taqueban <jtaqueba@dont-contact.us>
Date: Thu, 04 May 2000 22:20:27 +0800

Dear Ilker & squid users,

I've got my squid ldap authentication working. Thanks a lot!

But there's one thing I noticed: when I added the authentication I was
surprised that the disallowed times for my users to access the Internet
are no longer working - I mean they can now readily access the whole web
even after the allowed times. Here are my ACLs and http_access
definitions:

I've tried making changes to the ACLs. Here is my complete list:

    authenticate_program /usr/local/squid/bin/squid_ldap_auth myldapserver

    acl all src 0.0.0.0/0
    acl ldap proxy_auth REQUIRED
    acl allowedsites dstdomain dhl.com
    acl allowedtimes time S M T W H F A 06:00-21:00

    http_access allow ldap
    http_access allow allowedsites
    http_access allow allowedtimes
    http_access deny all

Previously, before implementing the authentication last Monday, my users
were not able to access non-DHL sites after the allowed times (from 2101
hrs to 0559 hrs), and they were prompted with an error message telling
them that they are only allowed from 0600 hrs to 2100 hrs. They could,
however, still access valid DHL sites even during disallowed times.

Now, however, after implementing authentication, I noticed that they
could readily access non-DHL sites even during the disallowed times
(i.e., from 2101 hrs onwards)! Reviewing the ACLs I have above, what
seems to be wrong?

Joel

R.Ilker Gokhan wrote:

>
>
> Ok.. ;)
> Firstly, I think you shouldn't add the search base to the authenticate_program
> line. You should change your own search base in squid_ldap_auth.c
> (#define SEARCHBASE ...)
>
> second, add the 28,6 29,5 to debug_options in squid.conf and observe
> cache_log
>
> Ilker G.
>
> -----Original Message-----
> From: Joel Taqueban [mailto:jtaqueba@apme-ops.dhl.com]
> Sent: Monday, May 01, 2000 6:22 AM
> To: R.Ilker Gokhan; squid-users@ircache.net
> Subject: Re: LDAP authentication
>
> Ilker,
> I've made the changes on your advice but still I'm having the "Proxy
> authentication failed" message:
> Here's my new acl
> authenticate_program /usr/local/squid/bin/squid_ldap_auth myldapservername
> acl LAN src 199.40.216.0/255.255.255.0
> acl ldap proxy_auth REQUIRED
> http_access allow LAN ldap
> http_access deny all
>
> I've even changed the authenticate line with a search base and port:
> authenticate_program /usr/local/squid/bin/squid_ldap_auth o=dhl.com myldapservername 389
>
> Anything else I need to look into?
> joel
> R.Ilker Gokhan wrote:
> Try:
> authenticate_program ....................
> acl LAN src your_network_ip/subnet_mask
> acl ldap proxy_auth REQUIRED
> http_access allow LAN ldap /* you should determine for authentication which ip or
> user group or destination domain etc..*/
> http_access deny all
> Good luck
> Ilker G.
>
> -----Original Message-----
> From: Joel Taqueban [mailto:jtaqueba@apme-ops.dhl.com]
> Sent: Monday, April 24, 2000 5:38 PM
> To: R.Ilker Gokhan; squid-users@ircache.net
> Subject: Re: LDAP authentication
>
> Ilker,
> I found this mail from the archive and tried to simulate having my
> users authenticated first but I always get a "Proxy Authentication
> failed" error, even though my ldap server name is correct. What do
> you think is wrong?
>
> authenticate_program /usr/local/squid/bin/squid_ldap_auth myldapservername
> acl ldap proxy_auth REQUIRED
> http_access allow ldap
> http_access deny all
>
> Please help
> Joel
>
>
> R.Ilker Gokhan wrote:
>
> The authenticate_option is used by the older squid version. You should
> remove it. Try in the squid.conf:
> authenticate_program /usr/local/squid/bin/squid_ldap_auth <ldap_server_name>
> Good luck..
> Ilker G.
> -----Original Message-----
> From: David Minor [mailto:dminor@salud.unm.edu]
> Sent: Wednesday, April 19, 2000 11:15 PM
> To: squid-users@ircache.net
> Subject: LDAP authentication
> OK. We have been running squid for a while now with the
> ncsa_auth authentication. This is fine as it goes, but we would like
> to take advantage of our LDAP server for this purpose.
> I have been trying to set this up using the external authentication
> programs mentioned in the FAQ. Neither has been working for me.
> Here is what I see:
> 1) The ldap_auth.c program. The instructions indicate that the
> following line needs to be in squid.conf:
> authenticate_options ldapserver.foo.bar 389 xxx uid
> When this is there, however, squid starts up with the error:
> parseConfigFile: line 642 unrecognized: 'authenticate_options
> ldapserver.foo.bar 389 xxx uid'
> Should this work or is there something different that I should do?
> 2) With the squid_auth_ldap program, when I try to run make on it
> I get an error about no rule to make target.
> Sorry if these are basic questions but I don't see them in the list
> archives.
> (Of course I'm open to trying any other solution that works!)
> BTW This is squid 2.3STABLE51on a RedHat machine.
> Thanks,
> david.
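To show why the ordering in Joel's squid.conf lets authenticated users past the time ACL, here is an added example (not from the thread) that simulates Squid's http_access evaluation: lines are checked in order, every ACL on a line must match, and the first matching line wins. The Request class, the rule tables and the request times are constructed for the illustration.

```python
"""Simulate Squid http_access evaluation for the ACLs in this thread.
Added example, not from the original mail.  Squid's time ACL uses the
day letters S M T W H F A for Sunday..Saturday."""
from dataclasses import dataclass


@dataclass
class Request:  # constructed stand-in for one proxied request
    authenticated: bool   # proxy_auth REQUIRED matched (valid LDAP creds)
    dstdomain: str
    day: str              # one of S M T W H F A
    hhmm: str             # "HH:MM" local time, zero-padded


def acl_matches(name, req):
    # Lookup for the ACL names defined in the thread's squid.conf
    if name == "all":
        return True
    if name == "ldap":
        return req.authenticated
    if name == "allowedsites":  # dstdomain dhl.com: the domain and subdomains
        return req.dstdomain == "dhl.com" or req.dstdomain.endswith(".dhl.com")
    if name == "allowedtimes":  # time S M T W H F A 06:00-21:00
        return req.day in "SMTWHFA" and "06:00" <= req.hhmm <= "21:00"
    raise ValueError(f"unknown acl {name}")


def http_access(rules, req):
    """rules: list of (verb, [acl names]).  A line matches only when every
    ACL on it matches; the first matching line decides.  If nothing
    matches, Squid applies the opposite of the last line's verb."""
    for verb, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return verb
    return "deny" if rules[-1][0] == "allow" else "allow"


# Joel's ordering: "allow ldap" matches every authenticated request,
# so the allowedtimes line is never reached.
JOEL_RULES = [("allow", ["ldap"]), ("allow", ["allowedsites"]),
              ("allow", ["allowedtimes"]), ("deny", ["all"])]

# ANDing the ACLs on one line keeps the time restriction for non-DHL sites
# while leaving DHL sites reachable at any hour.
COMBINED_RULES = [("allow", ["ldap", "allowedsites"]),
                  ("allow", ["ldap", "allowedtimes"]), ("deny", ["all"])]

if __name__ == "__main__":
    late = Request(True, "www.example.com", "H", "22:15")
    print(http_access(JOEL_RULES, late), http_access(COMBINED_RULES, late))
```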
Received on Thu May 04 2000 - 08:16:50 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:53:16 MST