Re: [squid-users] Authenticate through LDAP against Active Directory. Windows 2000.

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 23 May 2003 15:47:43 +0200

On Friday 23 May 2003 09.38, Steven Sporen wrote:

> Couple of quick questions I've got.
> - Did you change any permission on AD to allow access?

No.

> - Could you possibly post a snippet of config code you used to
> query the AD?

There is one in the manual.

> - Am I right in assuming that it will just verify the user is a
> member of a group and not actually test the password of the
> account?

Right, this is what squid_ldap_auth does.

To check for group memberships you combine both squid_ldap_auth and
squid_ldap_group.

> - Is it better to use NTLM or LDAP?
> My biggest problem has been that there is no logging on the
> squid_LDAP_Auth so it's difficult to see why I'm not getting
> results.

squid_ldap_auth only says something if there is an error. Usual cause
when it does not work and only gives ERR even if the correct password
is given is that the wrong filter is specified or that the user it is
binding as does not have search privileges in the directory. Test
your filter with ldapsearch, and when you have found a good filter
which finds the requested user then give this to squid_ldap_auth.
Note: If you have to specify a bind user to ldapsearch to find the
users then you must do the same to squid_ldap_auth and
squid_ldap_group.

squid_ldap_group is a little more verbose if you use the undocumented
-d flag (for debug), but to be honest there is not very much
diagnostics the helpers can give. Either the requested data is found
in the directory or not. If not found with the given search criteria
it is very hard for the helpers to tell why it is not found.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Fri May 23 2003 - 08:26:15 MDT
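
The procedure described in the message above (prove the filter with ldapsearch, then give the same filter and bind user to squid_ldap_auth), as an added example that is not part of the original message or of the Squid documentation. The host name, DNs, file paths, the sAMAccountName filter and the login `jdoe` are constructed assumptions; the script only prints the two commands and classifies ldapsearch output, it does not contact a directory.

```shell
#!/bin/sh
# Added example. Host, DNs, paths and the login name are constructed placeholders.
LDAP_HOST="dc1.example.com"
BASE_DN="dc=example,dc=com"
BIND_DN="cn=squid,cn=Users,dc=example,dc=com"  # must have search rights
BIND_PW_FILE="/etc/squid/ldap.secret"          # assumed path
FILTER_TEMPLATE="(sAMAccountName=%s)"          # %s becomes the login name
HELPER="/usr/lib/squid/squid_ldap_auth"        # assumed install path

# Expand the template for one login. Empty names and names containing LDAP
# filter metacharacters are refused rather than pasted into a hand-run search.
expand_filter() {
    case "$1" in ''|*\**|*\(*|*\)*|*\\*) return 1 ;; esac
    rest=$FILTER_TEMPLATE out=
    while :; do
        case $rest in
            *%s*) out=$out${rest%%\%s*}$1; rest=${rest#*\%s} ;;
            *) break ;;
        esac
    done
    printf '%s\n' "$out$rest"
}

# Step 1: the hand test, with the same server, base, bind identity and filter.
ldapsearch_cmd() {
    f=$(expand_filter "$1") || return 1
    printf 'ldapsearch -x -H ldap://%s -D "%s" -y %s -b "%s" -s sub "%s" 1.1\n' \
        "$LDAP_HOST" "$BIND_DN" "$BIND_PW_FILE" "$BASE_DN" "$f"
}

# Step 2: the squid.conf line that carries exactly those values to the helper.
helper_line() {
    printf 'auth_param basic program %s -b "%s" -D "%s" -W %s -f "%s" -s sub -h %s\n' \
        "$HELPER" "$BASE_DN" "$BIND_DN" "$BIND_PW_FILE" "$FILTER_TEMPLATE" "$LDAP_HOST"
}

# Classify ldapsearch LDIF output (stdin) by the number of entries returned.
classify_result() {
    n=$(grep -c '^dn:' || true)
    case $n in
        0) echo "no-match: check filter, base DN and the bind user's search rights" ;;
        1) echo "ok: filter finds one entry" ;;
        *) echo "ambiguous: filter matches $n entries" ;;
    esac
}

ldapsearch_cmd jdoe
helper_line
```

Run the printed ldapsearch command first and pipe its output through `classify_result`; the helper line is only worth testing once the search returns the user's entry.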
