Re: [squid-users] ldap auth config question

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 18 Aug 2003 19:08:06 +0200

On Monday 18 August 2003 18.40, Jerry_Harbour@roundrockisd.org wrote:
> Hello all,
> I'm attempting to set up a httpd_accel squid server to allow
> users from the internet to access one of our intranet servers.
> Must have secure access via ssl and the users must authenticate
> their userid and password with our ldap server. I have ssl mode
> reverse proxy working but after having read what I think is every
> ldap post in the archive, I'm still struggling with getting
> squid_ldap_auth to work.
> Squid2.5stable3 freshly compiled on redhat9.
> LotusNotes Domino 5 LDAP server.

If you want authentication in reverse proxy mode you should consider
using Squid-3.0. A lot easier to configure once you get the
squid_ldap_auth arguments correctly (the squid_ldap_auth arguments
are the same in both Squid versions).

If you are using Squid-2.5 then there is a hidden define you need to
set when compiling Squid to enable authentication in reverse proxy
mode (-DAUTH_ON_ACCEL).

> Should I configure my ldap server for anonymous access in order
> for squid_ldap_auth to work?

Not strictly needed with any LDAP directory I know of. But if your LDAP
directory does not allow anonymous searches then you may need to use
a dummy account for the searches (-D and -W options), and if your
directory does not allow login over untrusted channels then you may
need to use TLS or SSL (-Z or -H ldaps://.. options).

> Otherwise, how should I formulate the
> command for squid_ldap_auth to provide the userid and passwd on the
> ldap bind attempt?

This depends on how you want it to operate.

If your user's DN can be directly derived from the login name without
searching the directory then just specify how squid_ldap_auth should
construct the DN from the login name (-u and -b options).

If not you need to give a search filter (-f and -b options) telling
squid_ldap_auth how to find the user's DN based on the login name.

> Or maybe there is another ldap auth module that
> will work with a ldap server that does not allow anonymous access?
> One last question: provided squid_ldap_auth works with the ldap
> server that requires users to log on, will it do secure password
> authentication?

For secure HTTP authentication you need to use https://. See the
https_port directive.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
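The pieces Henrik lists (https_port for the client leg, squid_ldap_auth with -u/-b or -f/-b for DN construction, -D/-W for a search account, -Z for TLS to the directory) assembled into one squid.conf fragment. This is an added example written for this archive page, not configuration from Henrik or from the Squid project; the hostnames, file paths, base DN and cache_peer address are constructed placeholders, and the directive forms follow the Squid-3.0 layout he recommends (on Squid-2.5 the -DAUTH_ON_ACCEL build define he mentions is also required).

```conf
# squid.conf fragment: LDAP-authenticated SSL reverse proxy.
# Constructed example; hostnames, paths and the base DN are placeholders.

# Client leg: terminate HTTPS on the proxy so Basic credentials are never
# sent in clear over the internet (this is what https_port gives you).
https_port 443 accel defaultsite=intranet.example.com cert=/etc/squid/proxy-cert.pem key=/etc/squid/proxy-key.pem
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=intranet

# Variant 1: the DN is derived from the login name without a search.
# -u uid with -b "o=example" yields  uid=<login>,o=example  for the bind.
# -Z starts TLS to the directory (needs LDAPv3, hence -v 3).
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -Z -b "o=example" -u uid -h ldap.example.com

# Variant 2: the DN must be located with a search filter (%s = login name).
# Anonymous search is disabled, so -D/-W supply a low-privilege search
# account; -W reads the password from a file (keep it mode 0600, owned by
# the Squid effective user) instead of exposing it on the command line.
#auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -Z -b "o=example" -f "(uid=%s)" -D "cn=squid-search,o=example" -W /etc/squid/ldap-search.pw -h ldap.example.com

auth_param basic children 5
auth_param basic realm Intranet
auth_param basic credentialsttl 5 minutes

# Only authenticated users, and only for the published intranet host.
acl ldap_users proxy_auth REQUIRED
acl intranet_site dstdomain intranet.example.com
http_access allow intranet_site ldap_users
http_access deny all
cache_peer_access intranet allow intranet_site
cache_peer_access intranet deny all
```

The two TLS settings protect different legs: -Z (or -H ldaps://...) covers the bind between the proxy and the directory, while https_port covers the browser-to-proxy leg where the user's password actually travels, which is why Henrik answers the "secure password authentication" question with https_port rather than with a helper option.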