Re: [squid-users] LDAP, Squid, and ssl

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 13 Dec 2001 23:46:10 +0100

Looking good, apparently a lot simpler than I expected. But I am missing
one quite important thing:

-ZZ to require successful TLS certificate validation.

(and the TLS option should be capital -Z to match OpenLDAP tools)

TLS/SSL is about two things

a) Encryption

b) Authenticity

Having TLS enabled guarantees 'a'. Having it also require that the
server's certificate is valid "guarantees" 'b' by the certification
process imposed by CA authorities. Without 'b' a hacker who has network
access (required for sniffing in the first place) can theoretically fool
the client into connecting to the wrong TLS LDAP server and thereby
reveal the passwords to the attacker. However, if using self-signed
certificates then certificate validation is not possible, which is why the
user must be able to select between only TLS encryption or both
encryption and authenticity verification.

Another minor cosmetic thing: The OpenLDAP flag for protocol version is
-P, not -v.

Hmm.. already using -P for persistent in the current version.. (-p is
now port). Looks like I need to find another option character for
persistent.

Regards
Henrik
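The distinction drawn above between encryption alone and encryption with authenticity can be shown without an LDAP server at all. The Go program below is an added illustration for this archive page; it is not Henrik's or Michael's code and is not part of squid_ldap_auth. It mints two self-signed certificates for an invented host name (ldap.example.internal), one for the server the helper is meant to reach and one for a rogue server that an attacker with network access could put in its place, then runs TLS handshakes against a loopback listener under two client policies: EncryptOnly, the analogue of -Z as described in the mail, which accepts any certificate, and RequireValidCert, the analogue of -ZZ, which accepts only a certificate that chains to the configured trust anchor. The policy names, the host name and the Handshake and mustServerCert helpers are this example's own; an OpenLDAP client takes the equivalent setting from TLS_REQCERT in ldap.conf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

const ldapHost = "ldap.example.internal" // made-up host name for this example
// TLSPolicy mirrors the mail: -Z encrypts only, -ZZ also requires a valid certificate.
type TLSPolicy int

const (
	EncryptOnly      TLSPolicy = iota // any server certificate is accepted
	RequireValidCert                  // certificate must chain to a trust anchor
)

// mustServerCert mints a self-signed certificate for host (a fixture, so it panics on failure).
func mustServerCert(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // clients match the name against SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// clientConfig builds the client side under policy; trusted is the anchor (ignored for EncryptOnly).
func clientConfig(policy TLSPolicy, trusted *tls.Certificate) *tls.Config {
	cfg := &tls.Config{ServerName: ldapHost, MinVersion: tls.VersionTLS12}
	if policy == EncryptOnly {
		cfg.InsecureSkipVerify = true // encryption without authenticity: 'a' but not 'b'
		return cfg
	}
	cfg.RootCAs = x509.NewCertPool()
	if trusted != nil {
		cfg.RootCAs.AddCert(trusted.Leaf)
	}
	return cfg
}

// Handshake connects a client to a loopback TLS server presenting serverCert; nil means it completed.
func Handshake(policy TLSPolicy, trusted *tls.Certificate, serverCert tls.Certificate) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	srvDone := make(chan struct{})
	go func() {
		defer close(srvDone)
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientConfig(policy, trusted))
	if err == nil {
		cli.Close()
	}
	ln.Close() // unblocks Accept if the dial never reached the server
	<-srvDone
	return err
}

// IsUntrustedCert reports whether err is a failure to chain the server certificate to a trust anchor.
func IsUntrustedCert(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	realCert := mustServerCert(ldapHost)
	rogueCert := mustServerCert(ldapHost) // attacker's cert: same name, different key
	fmt.Println("-Z  vs rogue server:", Handshake(EncryptOnly, nil, rogueCert))
	fmt.Println("-ZZ vs rogue server:", Handshake(RequireValidCert, &realCert, rogueCert))
	fmt.Println("-ZZ vs real server: ", Handshake(RequireValidCert, &realCert, realCert))
}
```

Running it prints <nil> for the encrypt-only client against the rogue server (the attack the mail describes succeeds, and a bind over that connection would hand the password to the attacker), an unknown-authority error for the verifying client against the same rogue server, and <nil> for the verifying client against the genuine one. A self-signed certificate does not rule out the verifying mode, but it only works if that certificate is distributed to the client as its trust anchor, which is the practical cost of choosing -ZZ.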

Michael Cunningham wrote:
>
> Folks,
>
> With a lot of pain I was able to create this
> patch to squid_ldap_auth.c that adds in TLS support.
> It works well but it's ugly :) Haven't coded C in years..
> Feel free to clean it up and include it in the next
> release if you want. Should probably include plain old
> SSL support as well but I don't need to at the moment.
>
> Thanks.. Mike Cunningham
>
> ###########################################################
>
> *** squid_ldap_auth.c.orig Wed Dec 12 16:38:23 2001
> --- squid_ldap_auth.c Wed Dec 12 20:08:53 2001
> ***************
> *** 11,20 ****
> *
> * Usage: squid_ldap_auth -b basedn [-s searchscope]
> * [-f searchfilter] [-D binddn -w bindpasswd]
> ! * [-u attr] [-p] [-R] <ldap_server_name>
> *
> * Dependencies: You need to get the OpenLDAP libraries
> ! * from http://www.openldap.org
> *
> * License: squid_ldap_auth is free software; you can redistribute it
> * and/or modify it under the terms of the GNU General Public License
> --- 11,23 ----
> *
> * Usage: squid_ldap_auth -b basedn [-s searchscope]
> * [-f searchfilter] [-D binddn -w bindpasswd]
> ! * [-u attr] [-p] [-R] [-v] [-z] <ldap_server_name>
> *
> * Dependencies: You need to get the OpenLDAP libraries
> ! * from http://www.openldap.org,
> ! *
> ! * If you want to make a TLS enabled
> ! * connection you will also need the openssl libraries linked into openldap
> *
> * License: squid_ldap_auth is free software; you can redistribute it
> * and/or modify it under the terms of the GNU General Public License
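Review bot: in the usage comment, `[-v]` is shown as a bare switch, but the option parser in this patch reads a protocol number from its argument (`atoi(value)`), so it should read `[-v 2|3]`. Since `-z` issues ldap_start_tls_s() on the normal LDAP port, the dependency note could also say that this is STARTTLS rather than an ldaps:// connection, which the cover note lists as a separate, still-missing feature.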
> ***************
> *** 22,27 ****
> --- 25,32 ----
> * or (at your option) any later version.
> *
> * Changes:
> + * 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
> + - Added TLS support and partial ldap version 3 support.
> * 2001-10-04: Henrik Nordstrom <hno@squid-cache.org>
> * - Be consistent with the other helpers in how
> * spaces are managed. If there is space characters
> ***************
> *** 62,67 ****
> --- 67,76 ----
> static int noreferrals = 0;
> static int aliasderef = LDAP_DEREF_NEVER;
>
> + /* Added for TLS support and version 3 */
> + static int use_tls = 0;
> + static int version = -1;
> +
> static int checkLDAP(LDAP * ld, char *userid, char *password);
>
> /* Yuck.. we need to glue to different versions of the API */
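Review bot: `version = -1` deserves a comment saying it means "not given on the command line" and is replaced by LDAP_VERSION2 at connect time, because `-z` also writes to `version` during option parsing and a reader has to follow both paths to know what the final value is.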
> ***************
> *** 117,122 ****
> --- 126,132 ----
> switch(option) {
> case 'p':
> case 'R':
> + case 'z':
> break;
> default:
> if (strlen(argv[1]) > 2) {
> ***************
> *** 175,183 ****
> --- 185,215 ----
> case 'p':
> persistent = !persistent;
> break;
> + case 'v':
> + switch( atoi(value) ) {
> + case 2:
> + version = LDAP_VERSION2;
> + break;
> + case 3:
> + version = LDAP_VERSION3;
> + break;
> + default:
> + fprintf( stderr, "Protocol version should be 2 or 3\n");
> + exit(1);
> + } break;
> +
> case 'R':
> noreferrals = !noreferrals;
> break;
> + case 'z':
> + if ( version == LDAP_VERSION2 ) {
> + fprintf( stderr, "-z incompatible with version %d\n",
> + version );
> + exit(1);
> + }
> + version = LDAP_VERSION3;
> + use_tls = !use_tls;
> + break;
> default:
> fprintf(stderr, "squid_ldap_auth: ERROR: Unknown command line option '%c'\n", option);
> exit(1);
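Review bot: the `-z` check is order-dependent: `-v 2 -z` is rejected, but `-z -v 2` is accepted, because `-z` sets `version = LDAP_VERSION3` at the moment it is seen and a later `-v 2` overwrites it; the connection code then skips ldap_start_tls_s() for version 2 and the bind goes out unencrypted. Validate the combination once after the option loop, e.g. `if (use_tls && version == LDAP_VERSION2) { fprintf(stderr, "-z requires protocol version 3\n"); exit(1); }`, instead of inside the `'z'` case. Also, `use_tls = !use_tls` lets a repeated `-z` silently switch TLS off again; a switch that enables a security property should be sticky (`use_tls = 1`). Finally, the `} break;` closing the `-v` case should be split onto two lines like the other cases.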
> ***************
> *** 193,199 ****
> --- 225,233 ----
> fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
> fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
> fprintf(stderr, "\t-p\t\t\tpersistent LDAP connection\n");
> + fprintf(stderr, "\t-v\t\t\tProtocol version - defaults to 2\n");
> fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
> + fprintf(stderr, "\t-z\t\t\tUse TLS for the LDAP connection - requires protocol ver 3\n");
> fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
> fprintf(stderr, "\n");
> fprintf(stderr, "\tIf no search filter is specified, then the dn <userattr>=user,basedn\n\twill be used (same as specifying a search filter of '<userattr>=',\n\tbut quicker as as there is no need to search for the user DN)\n\n");
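Review bot: the `-v` help line does not show that the switch takes an argument; print it as `\t-v version\t\tProtocol version (2 or 3), default 2\n` in the style of the `-D binddn` and `-w bindpasswd` lines above it. The `-z` line should also say what it does not do: with no certificate check it only encrypts the connection, and the help text as written reads as if the server were authenticated.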
> ***************
> *** 218,223 ****
> --- 252,275 ----
> ldapServer, LDAP_PORT);
> exit(1);
> }
> +
> + if (version == -1 ) {
> + version = LDAP_VERSION2;
> + }
> +
> + if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version )
> + != LDAP_OPT_SUCCESS )
> + {
> + fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
> + version );
> + exit(1);
> + }
> +
> + if ( use_tls && ( version == LDAP_VERSION3 ) && ( ldap_start_tls_s( ld, NULL, NULL ) == LDAP_SUCCESS )) {
> + fprintf( stderr, "Could not Activate TLS connection\n");
> + exit(1);
> + }
> +
> squid_ldap_set_referrals(ld, !noreferrals);
> squid_ldap_set_aliasderef(ld, aliasderef);
> }
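Review bot: the ldap_start_tls_s() test on the `if (use_tls && ...)` line is inverted: comparing with `== LDAP_SUCCESS` makes the helper print "Could not Activate TLS connection" and exit exactly when STARTTLS succeeded, while a failed STARTTLS falls through to squid_ldap_set_referrals() and the later bind sends the user's password in clear text. Write it as `int rc = ldap_start_tls_s(ld, NULL, NULL);` / `if (rc != LDAP_SUCCESS) { fprintf(stderr, "Could not activate TLS: %s\n", ldap_err2string(rc)); exit(1); }`, guarded only by `use_tls`: the extra `version == LDAP_VERSION3` condition means a `-z` that was overridden by a later `-v 2` silently skips TLS instead of failing, and `-z` already forces version 3 in the option parser. Even with the condition fixed this validates nothing about the server's certificate; the `-ZZ` behaviour asked for in the reply needs OpenLDAP's require-cert option (LDAP_OPT_X_TLS_REQUIRE_CERT) set before the STARTTLS call.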
Received on Thu Dec 13 2001 - 15:57:02 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:05:21 MST