[squid-users] LDAP Authentication woes

From: Peter Cheney <pcheney@dont-contact.us>
Date: Wed, 08 Aug 2001 12:04:20 +1000 (EST)

Hi All,
Sorry to trouble you all, but after having searched the squid archive I have found a couple of postings that are close but not quite. Have need of assistance with 1) getting group_ldap_auth to work 100% on the command line and 2) setting ACLs properly in squid.conf. System is RHL7.1 with Squid-2.3stable3, openldap-2.0.11, and fatgut's group_ldap_auth patch.

1) All compiles and installs OK. Can ldapsearch for anything with 100% success; however, can only get group_ldap_auth to authenticate uids only and not groups from the command line, i.e. if typing "userid password 0" it works, but typing "userid password 1 s #groupname#" then it fails.
E.g. (tuser is a valid LDAP uid and is a member of testgroup):
$./group_ldap_auth o=isp ldap.thiess.com.au
tuser secret 0
p
tuser secret 1 s #testgroup#
f
$

Have even tried narrowing the search base to include ou=groups,o=domain.com.au,o=isp but this just causes everything to fail.

2) Even with group_ldap_auth not working 100%, shouldn't I still be able to cause squid to prompt for authentication in my browser? This doesn't appear to be happening, and I am at a loss as to what to include in the acl and http_access lines to make it work. Here is what I have at the moment in squid.conf:

ldap_auth_program /usr/local/squid/bin/group_ldap_auth o=isp ldap.thiess.com.au
acl all src 0.0.0.0/0.0.0.0
acl LAN src 10.0.0.0/255.0.0.0
acl password proxy_auth REQUIRED
acl users_acl ldap_auth tuser
http_access allow password
http_access allow users_acl
http_access allow LAN
http_access deny all
icp_access allow LAN
icp_access deny all

When I start squid on the console with the command ./squid -NCd9 and point my browser at it, it aborts with the following error:

2001/08/08 11:58:51| Finished rebuilding storage from disk.
2001/08/08 11:58:51| 0 Entries scanned
2001/08/08 11:58:51| 0 Invalid entries.
2001/08/08 11:58:51| 0 With invalid flags.
2001/08/08 11:58:51| 0 Objects loaded.
2001/08/08 11:58:51| 0 Objects expired.
2001/08/08 11:58:51| 0 Objects cancelled.
2001/08/08 11:58:51| 0 Duplicate URLs purged.
2001/08/08 11:58:51| 0 Swapfile clashes avoided.
2001/08/08 11:58:51| Took 15.3 seconds ( 0.0 objects/sec).
2001/08/08 11:58:51| Beginning Validation Procedure
2001/08/08 11:58:51| Completed Validation Procedure
2001/08/08 11:58:51| Validated 0 Entries
2001/08/08 11:58:51| store_swap_size = 21k
2001/08/08 11:58:53| storeLateRelease: released 0 objects
2001/08/08 11:59:36| assertion failed: acl.c:1346: "ok"
Aborted

I know I must be missing something and would really appreciate it if someone could provide me with an answer to 1) and perhaps a sample squid.conf for 2).

Thanks heaps

-- 
Peter Cheney                         P: +61 (7) 3002 9814
System Administrator                 F: +61 (7) 3002 9829
Thiess Pty Ltd                       M: +61 (4) 0818 6290
'We are not human beings having a spiritual experience. We are spiritual beings having a human experience.'
Received on Tue Aug 07 2001 - 20:09:27 MDT
