Re: [squid-users] ldap auth & Novell problem

From: Gerben Welter <gerben@dont-contact.us>
Date: Wed, 11 Sep 2002 10:04:31 +0200

At 13:38 9/11/2002 +1200, you wrote:
>Hello everybody.
>Several months ago I installed squid proxy server for the public school I
>work for. A week ago I was asked to provide the facilities to track users on
>the internet. I installed the squid_ldap_auth module which is authenticating
>users to the NDS (Novell directory services) LDAP server. It doesn't work as
>great as it promised. Problem is that it works for most users, but not for
>all. After 24 hours of operation I received about 10 complaints from the
>users that it doesn't work. Basically users enter the credentials, and
>after a couple of seconds it again pops up the login/pass dialog box, and
>after several tries it finally comes up with "access denied, you must be
>authenticated, etc, etc" message. Some users say that it sometimes works and
>sometimes not. I created a temporary account, which works, but several ppl
>here are using it right now (hence I can't really track them). I need the
>authentication to be fool-proof. Please note, that when I run the
>squid_ldap_auth module from the linux command line, it works for everyone,
>so it is definitely not the novell/ldap problem. I strongly suspect it is
>internal squid problem. If I'm unable to provide 100% reliable method then
>I'll need to say goodbye to squid and install Border Manager, or other
>proxy/tracking software. But I would like to stick to squid... I like linux
>so much. Any comments appreciated. Thanks in advance.

If it's for tracking purposes only, you could try using ident. I've just
tested Squid in combination with ident and it works great. It logs the
username for every request. I've used this with an ident client that was
adapted to use the Novell login name. You can find it at
http://sourceforge.net/projects/winidentd

Using ident ACLs you can grant/deny access based on the CN that was returned.

If you want a more foolproof approach (ident can easily be hacked) you can
also try Novell Authentication Services. It requires a bit more work to
set up, but also works great. It also asks for the users' credentials but
checks them against the NDS. If you need more info, just ask. But I haven't
used it in our production environment, because the users often have to
supply their credentials. Bordermanager does that in the background with
its Client Trust (clntrust.exe) program.

If someone could develop that for Squid/windows that would be fantastic. Then
Squid would be a total replacement for Bordermanager. Unfortunately my
programming skills aren't that good (yet).

Gerben.
Received on Wed Sep 11 2002 - 02:04:33 MDT
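
The per-user tracking that ident logging makes possible, as an added example that is not part of the original message: a Python sketch that tallies requests per logged user name from Squid's native access.log layout and lists names seen from more than one client address (a shared account, or an ident reply that should not be trusted). The log lines are constructed and the function names are hypothetical; it assumes the user name field contains no whitespace.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1031731471.123 145 10.0.0.21 TCP_MISS/200 4512 GET http://www.example.org/ jsmith DIRECT/192.0.2.10 text/html
1031731472.456 20 10.0.0.21 TCP_HIT/200 1200 GET http://www.example.org/a.png jsmith NONE/- image/png
1031731475.001 80 10.0.0.30 TCP_MISS/200 300 GET http://www.example.net/ temp DIRECT/192.0.2.20 text/html
1031731476.500 95 10.0.0.31 TCP_MISS/200 700 GET http://www.example.net/x temp DIRECT/192.0.2.20 text/html
1031731480.010 2 10.0.0.40 TCP_DENIED/403 1024 GET http://www.example.org/ - NONE/- text/html
garbage line
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 10:
        return None
    try:
        size = int(parts[4])
    except ValueError:
        return None
    return {"client": parts[2], "bytes": size, "url": parts[6], "user": parts[7]}

def summarize(log_text):
    """Tally per-user traffic, clients with no user name, and shared names."""
    per_user = defaultdict(lambda: {"requests": 0, "bytes": 0, "clients": set()})
    unidentified = defaultdict(int)   # client address -> requests logged as "-"
    skipped = 0                       # lines that did not parse
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec["user"] == "-":
            unidentified[rec["client"]] += 1
        else:
            entry = per_user[rec["user"]]
            entry["requests"] += 1
            entry["bytes"] += rec["bytes"]
            entry["clients"].add(rec["client"])
    # A name seen from several addresses cannot be tied to one person.
    shared = sorted(u for u, e in per_user.items() if len(e["clients"]) > 1)
    return dict(per_user), dict(unidentified), shared, skipped

if __name__ == "__main__":
    users, unknown, shared, skipped = summarize(SAMPLE_LOG)
    for name, e in sorted(users.items()):
        print(name, e["requests"], e["bytes"], sorted(e["clients"]))
    print("no user name:", unknown, "shared:", shared, "skipped:", skipped)
```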
