Re: [squid-users] Helpers and TLS over LDAP

From: Antonio Manfreda <antonio.manfreda1@dont-contact.us>
Date: Sun, 4 Jan 2004 15:03:07 +0100

Then I have noticed a very strange issue about the helper.

I am using Squid 2.5STABLE4 on Linux RedHat 9.0 without patches (I know
there is a patch about squid_ldap_group but the problem I have experienced
is about squid_ldap_auth).

I have compiled Squid enabling all the helpers for testing purposes.

My LDAP server is OpenLDAP 2.0.27-8 installed from RedHat 9.0 RPM files.

I run the LDAP server in debug mode from command line as follows (everything
seems to be OK about TLS configuration):

slapd -d 1 -h "ldap:/// ldaps:///"

When I issue the command:

/usr/bin/ldapsearch -x -b 'ou=People,dc=tesi,dc=edu' -s sub '(uid=<myusername>)' -D "cn=BindUser,ou=People,dc=tesi,dc=edu" -W -ZZ -h myldap.test.edu

everything works fine (also with -Z instead of -ZZ it works of course): the
server asks for password, the authentication works and the communication is
encrypted.

Moreover if I use the helper from command line as follows:

 /usr/local/squid/libexec/squid_ldap_auth -b ou=People,dc=tesi,dc=edu -f "uid=%s" -s sub -D "cn=BindUser,ou=People,dc=tesi,dc=edu" -w <binduserpassword> -h myldap.test.edu

and I write a username and the correct password I get OK from the helper,
that is to say it is working fine in plain text (of course I get ERR from
wrong username and/or password).
Now, if I simply add -Z to the former line:

 /usr/local/squid/libexec/squid_ldap_auth -b ou=People,dc=tesi,dc=edu -f "uid=%s" -s sub -D "cn=BindUser,ou=People,dc=tesi,dc=edu" -w <binduserpassword> -Z -h myldap.test.edu

and I try to verify user credentials I get the error:

    Could not Activate TLS connection

Is this a bug? Or maybe I am missing something in Squid or OpenLDAP?

The output from OpenLDAP debug mode is as follows:

##not working bind with squid_ldap_auth and -Z

connection_get(8): got connid=1
connection_read(8): checking for input on id=1
ber_get_next
ber_get_next on fd 8 failed errno=0 (Success) <- this should be the clue
connection_read(8): input error=-2 id=1, closing.
connection_closing: readying conn=1 sd=8 for close
connection_close: conn=1 sd=8
TLS trace: SSL3 alert write:warning:close notify

########################################################
#######################################################

#working bind with ldapsearch -ZZ

connection_get(8): got connid=2
connection_read(8): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 62 contents: <- This works
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({iat) ber:
ber_scanf fmt (o}) ber:
do_bind: version=3 dn="cn=BindUser,ou=People,dc=tesi,dc=edu" method=128
....

I have omitted the beginning of the communication which is the same for both
cases.

Thank you in advance.

Antonio Manfreda

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Antonio Manfreda" <antonio.manfreda1@fastwebnet.it>
Cc: <squid-users@squid-cache.org>
Sent: Sunday, January 04, 2004 12:20 AM
Subject: Re: [squid-users] Helpers and TLS over LDAP

> On Sat, 3 Jan 2004, Antonio Manfreda wrote:
>
> > When using the -Z option do I need a client certificate for connection
> > between the helper and the LDAP server, or is the -Z option the same as
> > for ldapsearch?
>
> It is as for ldapsearch.
>
> The client (the helper) requires the LDAP server to sort of authenticate
> itself, and the communication is encrypted. However, please note
> that the helpers do not pay very much attention to the validity of the
> server certificate.
>
> Regards
> Henrik
>
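As an added example (not code from the thread or from Squid/OpenLDAP), a small Python script that applies the distinction Antonio points at in his slapd -d 1 output: it groups the trace by connection id and separates a peer that hung up before sending any BER PDU (errno=0 on the first read) from a peer that reached do_bind. The sample trace is constructed from the two excerpts quoted in the mail.

```python
import re

# Constructed sample, built from the two slapd -d 1 excerpts quoted in the mail.
SAMPLE_TRACE = """\
connection_get(8): got connid=1
connection_read(8): checking for input on id=1
ber_get_next
ber_get_next on fd 8 failed errno=0 (Success)
connection_read(8): input error=-2 id=1, closing.
connection_closing: readying conn=1 sd=8 for close
connection_close: conn=1 sd=8
TLS trace: SSL3 alert write:warning:close notify
connection_get(8): got connid=2
connection_read(8): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 62 contents:
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
do_bind
do_bind: version=3 dn="cn=BindUser,ou=People,dc=tesi,dc=edu" method=128
"""

ID_RE = re.compile(r"(?:got connid|checking for input on id)=(\d+)")
PDU_RE = re.compile(r"^ber_get_next: tag 0x[0-9a-f]+ len \d+")
EOF_RE = re.compile(r"^ber_get_next on fd \d+ failed errno=0 ")
BIND_RE = re.compile(r'^do_bind: version=\d+ dn="([^"]*)"')

def classify(trace):
    """Return {connid: verdict} for every connection seen in a slapd -d 1 trace."""
    conns, cur = {}, None
    for line in trace.splitlines():
        if m := ID_RE.search(line):
            cid = int(m.group(1))
            cur = conns.setdefault(cid, {"pdus": 0, "eof": False,
                                         "binds": [], "close_notify": False})
        elif cur is None:
            continue
        elif PDU_RE.match(line):
            cur["pdus"] += 1            # a complete BER PDU was decoded
        elif EOF_RE.match(line):
            cur["eof"] = True           # errno=0 on read: the peer hung up (EOF)
        elif m := BIND_RE.match(line):
            cur["binds"].append(m.group(1))
        elif "close notify" in line:
            cur["close_notify"] = True  # server wrote a TLS close_notify, so TLS was up
    return {cid: _verdict(c) for cid, c in conns.items()}

def _verdict(c):
    if c["binds"]:
        return "bind:" + c["binds"][0]
    if c["pdus"] == 0 and c["eof"]:
        return "client-closed-before-first-pdu" + (" (after TLS)" if c["close_notify"] else "")
    return "other"
```

Running classify(SAMPLE_TRACE) flags connection 1 as closed by the client before any request was sent, while connection 2 shows the bind DN; errno=11 (EAGAIN) is deliberately ignored because it only means no more data yet.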
Received on Sun Jan 04 2004 - 07:01:10 MST

This archive was generated by hypermail pre-2.1.9 : Sun Feb 01 2004 - 12:00:03 MST