RE: [squid-users] LDAP & Novell

From: John Blance <John.Blance@dont-contact.us>
Date: Thu, 12 Dec 2002 09:11:14 +1300

PS

In squid-2.4.STABLE3 that I currently use the uid attribute is the
default so something like:

./squid_ldap_auth -b "ou=boss,o=Alpha" 10.18.41.12

should work?

John Blance
Technical Architect
Canterbury District Health Board
Direct Dial: 03 3640707
john.blance@cdhb.govt.nz
>>> "John Blance" <John.Blance@cdhb.govt.nz> 12/12/02 08:55 AM >>>
Jay

The LDAP authentication works in to two part process
First it binds anonymously to find the user's DN then it attempts an
authenticated bind using the password supplied.

For this to work in Novell NDS and using the CN the CN attribute must be
visible to the anonymous user [this is PUBLIC if have not setup a
specific ldap proxy user]

Looking at the ldapsearch results below, only UID is visible to
anonymous access.

So either ask the Novell admin to expose the CN to the ldap user
[PUBLIC] or try the authentication via the UID attribute

Hope this make sense

Regards
John

John Blance
Technical Architect
Canterbury District Health Board
Direct Dial: 03 3640707
john.blance@cdhb.govt.nz
>>> "Jay Turner" <jturner@bsis.com.au> 12/11/02 22:07 PM >>>
Hi Henrik

Thanks for the reply.

I tried both the following with no success:

./squid_ldap_auth -b "ou=boss,o=Alpha" -f
'(&(uid=%s)(objectClass=person))'
10.18.41.12
jay password
ERR

./squid_ldap_auth -b "ou=boss,o=Alpha" -u cn 10.18.41.12
jay password
ERR
jayturner password
ERR

Do you have any other suggestions?

Netstat shows that a connection is definitely being made, and ldapsearch
is
still returning details when i query the Netware server via it.
I am 100% certain the username/password are correct because I deleted
and
recreated the user as well as creating a new user with no luck.

Thanks again for your time.

Regards
Jay

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@marasystems.com]
Sent: Wednesday, 11 December 2002 4:29 PM
To: jturner@bsis.com.au; squid-users@squid-cache.org
Subject: Re: [squid-users] LDAP & Novell

First you need to select which attribute to use as login name.

  cn The users full name
  uid Unique login name

If using cn then you can simply use the "-u cn" option to tell
squid_ldap_auth that your users DN is constructed using cn as the
last component.

If using uid, or if you want to support having users in multiple
subtrees then you need to use the search mode
  -f '(&(uid=%s)(objectClass=person))'

Regards
Henrik

On Wednesday 11 December 2002 04.24, Jay Turner wrote:
> Hi All,
>
> Thanks to Henrik I have read the man page regarding
> squid_ldap_auth.
>
> A client has requested their Squid proxy validate usernames against
> their Netware 5.1 server. (LDAP v3 for NDS 8)
> LDAP is obviously the first way to attempt to do this.
>
> My Squid server is RH8.0, 2.4.18-14, Squid2.4-STABLE7,
> openldap-2.0.25-1, nss_ldap-198-3
>
> Unfortunately I know nothing about Netware. An external party has
> set up a development Netware server for me to try and authenticate
> against, the details are:
>
> IP: 10.28.41.12
> tree: NW51TREE
> o: Alpha
> ou: boss
> user (uid?): jay
>
> Can someone please give me a tip as to how I would use this
> information to validate against the netware server via
> squid_ldap_auth?
>
> I have tried the following basic test:
> ./squid_ldap_auth -b "ou=boss,o=Alpha" 10.18.41.12
> jay password
> ERR
>
> Using the following I am able to see all the information on the NDS
> server via ldapsearch
> ldapsearch -x -b 'ou=boss,o=Alpha' '(objectclass=person)' -h
> 10.18.41.12
>
> # jay, boss, Alpha
> dn: cn=jay,ou=boss,o=Alpha
> uid: jay
> sn: turner
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: ndsLoginProperties
> objectClass: top
>
>
> Thanks in advance
> Jay

**********************************************************************
** This email and attachments have been scanned for content and viruses
and is believed to be clean **

This email or attachments may contain confidential or legally
privileged information intended for the sole use of the addressee(s).
Any use, redistribution, disclosure, or reproduction of this message,
except as intended, is prohibited. If you received this email in error,
please notify the sender and remove all copies of the message,
including any attachments. Any views or opinions expressed in this
email (unless otherwise stated) may not represent those of Canterbury
District Health Board
**********************************************************************

**********************************************************************
** This email and attachments have been scanned for content and viruses
and is believed to be clean **

This email or attachments may contain confidential or legally
privileged information intended for the sole use of the addressee(s).
Any use, redistribution, disclosure, or reproduction of this message,
except as intended, is prohibited. If you received this email in error,
please notify the sender and remove all copies of the message,
including any attachments. Any views or opinions expressed in this
email (unless otherwise stated) may not represent those of Canterbury
District Health Board
**********************************************************************
Received on Wed Dec 11 2002 - 13:11:24 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:02 MST