Hi Chris,
the standard group_ldap_auth does not support authenticating against
multiple groups. I attach a patch that adds multi-group support.
Now group_ldap_auth reports whether authentication failed because of the
user/password or because the user is not in the desired group.
Regards,
Dirk
Chris Lundell schrieb:
> Hello,
>
> I'm having some problems authenticating multiple groups via
> group_ldap_auth in the acl list.
>
> group_ldap_auth won't authenticate each line in turn, and so I can't
> authenticate past the first line in the acl list, i.e.
>
> acl internet url_regex "/urls/internet"
> acl intranet url_regex "/urls/intranet"
>
> http_access allow internet group_A
> http_access allow intranet group_B
>
> All users in group_B are kicked out because group_ldap_auth thinks that
> these users should be in group_A. However, users in group_A are fine.
> My debugging lists the first line as the last line evaluated before
> kicking the user out (namely, those in group_B). Any suggestions or
> ideas?
>
> Thank you,
> Chris
diff -uNr squid-2.3.STABLE3/src/acl.c squid-2.3.STABLE3.ldap_group/src/acl.c
--- squid-2.3.STABLE3/src/acl.c Fri Mar 23 22:52:14 2001
+++ squid-2.3.STABLE3.ldap_group/src/acl.c Fri Mar 23 22:46:35 2001
@@ -1374,6 +1377,7 @@
char *user, *password, *group;
wordlist *nextgroup;
int dummyint;
+ int password_ok;
LOCAL_ARRAY(char, usergroup, 256);
if (!aclDecodeProxyAuth(proxy_auth, &user, &password, login_buf,
@@ -1402,6 +1406,8 @@
debug(28, 4)
("aclMatchLdapAuth: authentication failed for user '%s' group '%s'\n",
user, (ldap_user->group == NULL) ? "NONE" : ldap_user->group);
+
+ password_ok = ( ldap_user->group == NULL ) ? 1 : (0 != strcmp(ldap_user->group, "PASSWORD"));
aclFreeLdapAuthUser(ldap_user);
/*
* copy username to request for logging on client-side
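Review bot: The new `password_ok` line treats a missing reason (`ldap_user->group == NULL`) as a verified password, so a helper that still answers a bare `f`, or any reply whose reason acl.c cannot parse, now makes the `return (password_ok ? 0 : -2)` in the following hunk fall through as a non-match instead of re-challenging the client as the old unconditional `return -2` did. Failing closed is safer here: `password_ok = (ldap_user->group != NULL && strcmp(ldap_user->group, "PASSWORD") != 0);` keeps the old challenge behaviour for anything that is not an explicit group failure. The `"PASSWORD"` token is a wire protocol shared with group_ldap_auth.c; a comment such as `/* helper reports "f PASSWORD" (bind failed) or "f GROUP" (not a member) */` next to the assignment would tie the two files together. The enclosing function starts and ends outside this hunk.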
@@ -1410,7 +1416,7 @@
*/
if (!*checklist->request->user_ident)
xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ);
- return -2;
+ return (password_ok ? 0 : -2);
} else {
/* auth succeeded */
debug(28,
@@ -2181,6 +2191,9 @@
checklist->ldap_user->group = xstrdup(++group);
}
} else if (strncasecmp(result, "f", 1) == 0) {
+ if ((group = strchr(result, ' ')) != NULL) {
+ checklist->ldap_user->group = xstrdup(++group);
+ }
checklist->ldap_user->auth_ok = 0;
checklist->state[ACL_LDAP_AUTH] = ACL_LOOKUP_DONE;
}
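Review bot: After this change `ldap_user->group` holds the failure reason (`PASSWORD`/`GROUP`) on the `f` path rather than a group name, yet the failure debug line earlier in acl.c still prints it as `group '%s'`, so logs will show `group 'PASSWORD'`. Either a comment on the assignment, `/* on "f <reason>" the group field carries the reason, not a group name */`, or a separate field for the reason would keep the two uses apart. It is not visible here whether `group` can already be non-NULL on this path; if it can, the `xstrdup` overwrites the old pointer without freeing it. The enclosing function starts and ends outside this hunk.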
diff -uNr squid-2.3.STABLE3/auth_modules/GROUP_LDAP/group_ldap_auth.c squid-2.3.STABLE3.ldap_group/auth_modules/GROUP_LDAP/group_ldap_auth.c
--- squid-2.3.STABLE3/auth_modules/GROUP_LDAP/group_ldap_auth.c Fri Mar 23 22:52:12 2001
+++ squid-2.3.STABLE3.ldap_group/auth_modules/GROUP_LDAP/group_ldap_auth.c Fri Mar 23 22:31:55 2001
@@ -145,8 +146,10 @@
} else {
printf("p %s\n", group);
}
+ } else if (err == 6) {
+ printf("f PASSWORD\n");
} else {
- printf("f\n");
+ printf("f GROUP\n");
}
/* free the glist */
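Review bot: The final `else` now answers `f GROUP` for every non-zero `err` other than 6, including the `return 3` that precedes the bind in the next hunk, so a user lookup that failed before any password was checked is reported to acl.c as a password success and then treated as a plain non-match. `f GROUP` should be reserved for the error code returned by the group-membership loop, with the generic `f` kept for everything else, e.g. `} else if (err == <GROUP_MISMATCH_CODE>) { printf("f GROUP\n"); } else { printf("f\n"); }` (that code is not visible in this diff; take it from the loop that fails membership). A short comment above the chain stating that acl.c parses the word after `f` would also help. The enclosing function starts and ends outside this hunk.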
@@ -202,6 +205,14 @@
return 3;
}
+#ifdef USE_LOG
+ fprintf(logfd, "binding as %s\n", userdn);
+#endif
+ if (ldap_simple_bind_s(ld, userdn, password) != LDAP_SUCCESS) {
+ free(userdn);
+ return 6;
+ }
+
if (glist != NULL) {
while (glist != NULL && !found) {
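Review bot: Moving the user bind ahead of the group search means the membership queries in the loop below now run under the user's own credentials rather than whatever bind was in effect before (presumably set up earlier in the function, outside this hunk); if the directory does not let ordinary users read group membership, the search will fail and be reported as a group failure. A comment such as `/* group search below runs as the user; directory ACLs must allow it */` would record that dependency. Separately, unless an earlier check already rejects it, an empty `password` makes `ldap_simple_bind_s` perform an unauthenticated bind that some directory servers accept, so `if (*password == '\0') { free(userdn); return 6; }` placed immediately before the bind is worth keeping with it. The enclosing function starts and ends outside this hunk.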
@@ -298,14 +309,6 @@
free(userdn);
return 5;
}
- }
-
-#ifdef USE_LOG
- fprintf(logfd, "binding as %s\n", userdn);
-#endif
- if (ldap_simple_bind_s(ld, userdn, password) != LDAP_SUCCESS) {
- free(userdn);
- return 6;
}
free(userdn);