[squid-users] LDAP Authentication to Edirectory

From: Theo Schroeder <T.Schroeder@dont-contact.us>
Date: Wed, 19 May 2004 10:05:54 +0200

Hi,

we want to authenticate our Squid 2.5 S5 against our eDirectory.

With one group in LDAP this is not a problem; we only use the
squid_ldap_auth helper, and with this squid.conf it works fine:

>auth_param basic program /usr/libexec/squid_ldap_auth -b o=SB -f "(&(&(cn=%s)(objectClass=Person))(groupMembership=cn=squid-internet,ou=zentrale,o=SB))" -D cn=ldapuser,ou=zentrale,o=SB -w foo -s sub 149.0.1.5:389

>acl ldap proxy_auth REQUIRED

>http_access allow ldap

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

The problem is using more LDAP groups. I tried the following squid.conf
with the squid_ldap_group helper:

>auth_param basic program /usr/libexec/squid_ldap_auth -b o=sb -s sub 149.0.1.5:389

>acl ldapauth proxy_auth REQUIRED

>external_acl_type ldap %LOGIN /usr/libexec/squid_ldap_group -u cn -b "ou=zentrale,o=SB" -B "ou=orgdv,ou=verwaltung,ou=zentrale,o=SB" -F "cn=%s" -f"(&(&(objectClass=person)(cn=%u))(groupMembership=cn=%g,ou=zentrale,o=sb))" -D "cn=ldapuser,ou=zentrale,o=sb" -w foo -s sub -h 149.0.1.5 -p 389

>acl sbsecureinternet external ldap squid-internet

>http_access allow sbsecureinternet

If I try to log in in the browser, the LDAP trace from eDirectory displays
the following output:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 9:20:55
Bind name:uid=schroedt,o=orgdv,ou=verwaltung,ou=zentrale,o=sb, version:2, authentication:simple
Failed to resolve full context on connection 0x902dc3c0, err = no such entry (-601)
Failed to authenticate full context on connection 0x902dc3c0, err = no such entry (-601)
Sending operation result 32:"":"NDS error: no such entry (-601)" to connection 0x902dc3c0
DoUnbind on connection 0x902dc3c0
Connection 0x902dc3c0 closed
New cleartext connection 0x902dc3c0 from 192.168.249.1:33997, monitor = 0x699, index = 1
DoBind on connection 0x902dc3c0
Bind name:uid=schroedt,o=orgdv,ou=verwaltung,ou=zentrale,o=sb, version:2, authentication:simple
Failed to resolve full context on connection 0x902dc3c0, err = no such entry (-601)
 9:20:55
Failed to authenticate full context on connection 0x902dc3c0, err = no such entry (-601)
Sending operation result 32:"":"NDS error: no such entry (-601)" to connection 0x902dc3c0
DoUnbind on connection 0x902dc3c0
Connection 0x902dc3c0 closed
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Look at the Bind name: why does it use the login name, and not the
bind name from the squid_ldap_group parameter?

BUT WHEN I DO THIS ON THE CONSOLE PROMPT:

./squid_ldap_group -b ou=zentrale,o=SB -f "(&(&(objectClass=person)(cn=%u))(groupMembership=cn=%g,ou=zentrale,o=sb))" -D cn=ldapuser,ou=zentrale,o=SB -w foo -s sub -h 149.0.1.5 -p 389

Then I enter my user and group name:
schroedt squid-internet

THAT'S OK!!!

For this, the LDAP trace output:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DoBind on connection 0x902dc3c0
Bind name:cn=ldapuser,ou=zentrale,o=SB, version:2, authentication:simple
Sending operation result 0:"":"" to connection 0x902dc3c0
DoSearch on connection 0x902dc3c0
Search request:
        base: "ou=zentrale,o=SB"
        scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:1
        filter: "(&(&(objectClass=person)(cn=schroedt))(groupMembership=cn=squid-internet,ou=zentrale,o=sb))"
        no attributes
Empty attribute list implies all user attributes
Sending search result entry "cn=Schroedt,ou=ORGDV,ou=Verwaltung,ou=Zentrale,o=SB" to connection 0x902dc3c0
Sending operation result 0:"":"" to connection 0x902dc3c0
 9:30:09
DoUnbind on connection 0x902dc3c0
Connection 0x902dc3c0 closed
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Look here at the Bind name: here it uses the -D parameter.

PLEASE HELP ME!!!

thanks
theo
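To compare the two traces above more quickly, here is an added Python parser for the eDirectory trace format shown in the message (it is not part of the original post). It extracts each Bind name with the LDAP result code that follows it, tags each bind as the configured -D service account or as a per-user DN, and lists the per-user binds that failed. The sample trace is constructed from the lines above with the wrapped lines rejoined, and the service DN passed in is the -D value from the squid.conf above.

```python
import re
from typing import Dict, List, Optional
# Constructed sample in the eDirectory LDAP trace format quoted above
# (wrapped lines rejoined); not the full trace from the message.
SAMPLE_TRACE = """\
DoBind on connection 0x902dc3c0
Bind name:uid=schroedt,o=orgdv,ou=verwaltung,ou=zentrale,o=sb, version:2, authentication:simple
Failed to resolve full context on connection 0x902dc3c0, err = no such entry (-601)
Sending operation result 32:"":"NDS error: no such entry (-601)" to connection 0x902dc3c0
DoUnbind on connection 0x902dc3c0
DoBind on connection 0x902dc3c0
Bind name:cn=ldapuser,ou=zentrale,o=SB, version:2, authentication:simple
Sending operation result 0:"":"" to connection 0x902dc3c0
DoSearch on connection 0x902dc3c0
Sending operation result 0:"":"" to connection 0x902dc3c0
DoUnbind on connection 0x902dc3c0
"""

BIND_RE = re.compile(r"^Bind name:(?P<dn>.*?),\s*version:\d+,\s*authentication:(?P<auth>\w+)")
RESULT_RE = re.compile(r'^Sending operation result (?P<code>\d+):"[^"]*":"(?P<msg>[^"]*)"')
NDS_RE = re.compile(r"\((-\d+)\)")  # NDS error code inside the message, e.g. (-601)

def norm_dn(dn: str) -> str:  # case-insensitive, spaces around commas removed
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_binds(trace: str, service_dn: str) -> List[Dict]:
    """One record per bind: DN, service-account (-D) or per-user, and the
    first operation result after the bind (LDAP code, e.g. 32 = noSuchObject)."""
    binds: List[Dict] = []
    pending: Optional[Dict] = None
    for line in trace.splitlines():
        m = BIND_RE.match(line)
        if m:
            dn = m.group("dn")
            kind = "service" if norm_dn(dn) == norm_dn(service_dn) else "user"
            pending = {"dn": dn, "kind": kind, "auth": m.group("auth"),
                       "result": None, "message": "", "nds_error": None}
            binds.append(pending)
            continue
        r = RESULT_RE.match(line)
        if r and pending is not None and pending["result"] is None:
            pending["result"], pending["message"] = int(r.group("code")), r.group("msg")
            nds = NDS_RE.search(pending["message"])
            pending["nds_error"] = int(nds.group(1)) if nds else None
    return binds

def failed_user_binds(binds: List[Dict]) -> List[Dict]:
    """Per-user binds that did not return LDAP success (0)."""
    return [b for b in binds if b["kind"] == "user" and b["result"] != 0]
```

Running `failed_user_binds(parse_binds(SAMPLE_TRACE, "cn=ldapuser,ou=zentrale,o=sb"))` on the sample returns only the uid=schroedt bind with result 32 and NDS error -601, while the cn=ldapuser bind is tagged as the service account with result 0.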

Received on Wed May 19 2004 - 02:06:26 MDT