The attached code is functionally equivalent to the normal LDAP
authenticator using a LDAP search filter to match the user attribute. It
is NOT a group ldap authenticator.
The group LDAP patch is meant to be user when you want to return the
group name to Squid to do further processing in Squid's ACL's based on
the group. It involces both a special authenticator, and patches to the
Squid source code with new configuration directives and ACL types for
matching LDAP groups.
--
Henrik Nordstrom
Squid Hacker
Markus.Forrer@coop.ch wrote:
>
> Yes there is a big reason. We've have to control 4000 Users.
>
> Some have full access, some have restricted access. Currently where using
> CSM Proxy which authenticat against NT Groups.
>
> This is the reason, why I want to use group LDAP.
>
> Now I use this one, which I modified to use "groupMembership" instead of
> "objectClass"
>
> And it works....
>
> /***************************************************************************
> *****
> *
> *
> * LDAP Authentication Program for use with squid and new proxy
> Authentication *
> * patch.
> *
> *
> *
> * Author : Felix Meschberger, Niederdorf, Switzerland
> *
> * fmesch@dial.eunet.ch
> *
> *
> *
> * History :
> *
> *
> *
> * 15-Jun-98 1.0 mef first created based on ldapsearch from the LDAP 3.3
> *
> * Distribution from University of Michigan
> *
> *
> *
> * 20-Apr-01 1.1 Chris Ross, chris@uksolutions.co.uk, UK Solutions
> *
> * Change auth code to bind on username and password,
> will *
> * work for anyone with a uid in the database. Added
> support *
> * for objectClass 'squidUser'. This is pretty cool.
> *
> * Indented code properly. LDAP_CHECK_CLASS is the object
> *
> * class to check.
> *
> *
> *
>
> ****************************************************************************
> ****/
>
> #include <stdio.h>
> #include <string.h>
> #include <ctype.h>
> #include <time.h>
> #include <lber.h>
> #include <ldap.h>
>
> #define LDAP_DEFAULT_HOST "ldapserver"
> #define LDAP_DEFAULT_PORT 389
> #define LDAP_DEFAULT_BINDDN "o=coop"
> #define LDAP_DEFAULT_BINDPW ""
> #define LDAP_DEFAULT_BASEDN "o=coop"
>
> #define LDAP_CHECK_CLASS "Name of the group to check"
>
> #define AUTH_DEFAULT_FILTER "cn=%s"
> #define AUTH_DEFAULT_CN "cn"
> #define AUTH_DEFAULT_O "o"
>
> static char *ldaphost = LDAP_DEFAULT_HOST;
> static int ldapport = LDAP_DEFAULT_PORT;
> static char *binddn = LDAP_DEFAULT_BINDDN;
> static char *bindpw = LDAP_DEFAULT_BINDPW;
> static char *basedn = LDAP_DEFAULT_BASEDN;
>
> int main( int argc, char *argv[] )
> {
> char *filtpattern = AUTH_DEFAULT_FILTER,
> *attrs[] = { AUTH_DEFAULT_CN,
> AUTH_DEFAULT_O,
> NULL },
> buf[256],
> *user,
> *passwd;
> int i;
> LDAP *ld;
> extern char *optarg;
> extern int optind;
>
> if( (ld = ldap_open( ldaphost, ldapport )) == NULL )
> {
> perror( ldaphost );
> exit( 1 );
> }
>
> while( fgets(buf, 256, stdin) != NULL )
> {
> /* broguht into the while() block so that we rebind */
> if( ldap_bind_s( ld, binddn, bindpw, LDAP_AUTH_SIMPLE ) !=
> LDAP_SUCCESS )
> {
> ldap_perror( ld, "ldap_bind" );
> exit( 1 );
> }
> user = strtok( buf, " " );
> passwd = strtok( NULL, " \n" );
> if( checkpwd( ld, basedn, attrs, filtpattern, user, passwd ) )
> {
> printf("OK\n");
> }
> else
> {
> printf("ERR\n");
> }
> fflush(stdout);
> }
> ldap_unbind( ld );
> exit( 0 );
> }
>
> int checkpwd( LDAP *ld, char *base, char **attrs, char *filtpatt, char
> *user, char *password )
> {
> char filter[ BUFSIZ ], **cn = NULL, **o = NULL;
> char FQDn[256];
> int rc;
> LDAPMessage *res, *e;
> int i = 0;
>
> sprintf( filter, filtpatt, user );
> if( ldap_search( ld, base, LDAP_SCOPE_SUBTREE, filter, attrs, 0 ) == -1 )
>
> {
> ldap_perror( ld, "ldap_search" );
> return 0;
> }
> while( (rc = ldap_result( ld, LDAP_RES_ANY, 0, NULL, &res )) ==
> LDAP_RES_SEARCH_ENTRY )
> {
> e = ldap_first_entry( ld, res );
> snprintf( FQDn, 256, "%s", ldap_get_dn( ld, e ) );
> ldap_msgfree( res );
> }
> if( rc == -1 )
> {
> ldap_perror( ld, "ldap_result" );
> return 0;
> }
> if( (rc = ldap_result2error( ld, res, 0 )) != LDAP_SUCCESS )
> {
> ldap_perror( ld, "ldap_search" );
> return 0;
> }
> ldap_msgfree( res );
>
> if( strlen( FQDn ) > 0 && password != NULL && strlen( password ) > 0 )
> {
> if( ldap_simple_bind_s( ld, FQDn, password ) != LDAP_SUCCESS )
> {
> return 0;
> }
> #ifdef LDAP_CHECK_CLASS
> /* now we have to check toi see if they have access */
> if( ldap_compare_s( ld, FQDn, "groupMembership", LDAP_CHECK_CLASS ) ==
> LDAP_COMPARE_TRUE )
> {
> #endif
> return 1;
> #ifdef LDAP_CHECK_CLASS
> }
> #endif
> }
> return 0;
> }
>
> > -----Ursprüngliche Nachricht-----
> > Von: Henrik Nordstrom [mailto:hno@hem.passagen.se]
> > Gesendet am: Freitag, 29. Juni 2001 12:12
> > An: Markus.Forrer@coop.ch
> > Cc: squid-users@squid-cache.org
> > Betreff: Re: [squid-users] LDAP Authentification
> >
> > Any special reason to why you need the group LDAP
> > authenticator instead
> > of the normal squid LDAP authenticator?
> >
> > Note: the current nightly snapshots contains a LDAP authenticator that
> > is much easier to configure than previous versions..
> >
> > --
> > Henrik Nordstrom
> > Squid Hacker
> >
> >
> > Markus.Forrer@coop.ch wrote:
> > >
> > > Hi all
> > >
> > > Currently I'm try to authentificate the users of Squid
> > against a LDAP
> > > Server.
> > >
> > > I'm using Squid 2.3 Stable3 and the Patch for LDAP Group
> > Authentification
> > > from www.fatgut.org/squid/group_ldap_auth.
> > >
> > > When I use the auth program on the shell, it works.
> > >
> > > When I try to use the auth program with Squid, I get the
> > following error.
> > >
> > > assertion failed: acl.c:1346 "OK"
> > >
> > > The acl look's like this
> > >
> > > acl ldapuser ldap_auth REQUIRED
> > > http_access allow ldapuser
> > > http_acces deny all
> > >
> > > If I comment out these lines squid working fine, only without
> > > authentification.......
> > >
> > > Someone outhere who use this kind of authentification ???
> > Or is there
> > > another solution around for using LDAP Authentification
> > with groups??
> > >
> > > Regards
> > >
> > > Markus Forrer
> >
Received on Fri Jun 29 2001 - 05:07:31 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:00:53 MST