Re: [squid-users] authentication problem with squid_ldap_group

From: Oliver Hookins <ohookins@dont-contact.us>
Date: Wed, 12 Jan 2005 11:06:33 +1100

Joachim JS. Schuster wrote:
> Joachim JS. Schuster wrote:
>
>>Dear squid users,
>>I need help with my authentication problem with squid_ldap_group.
>>
>>First I create an entry for squid_ldap_auth. I can log in and I have web
>>access and it works fine.
>>
>>auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b
>>"dc=mb,dc=local" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998
>>-f "(&(sAMAccountName=%s)(objectClass=Person))" -h 192.168.3.1
>>acl USERS proxy_auth REQUIRED
>>
>>http_access allow USERS
>>
>>In the next step I create these lines for my LDAP group access.
>>
>>external_acl_type ldapgroup concurrency=15 %LOGIN
>>/usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f
>>"(&(cn=%g)(member=%u))" -F
>>"(&(sAMAccountName=%s)(objectClass=Person))" -D
>>"cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
>>
>>acl ldapproxygroup external ldapgroup webaccess
>>
>>http_access allow ldapproxygroup
>>
>>I can log in but I have no web access. I see the 407 error access denied
>>in squid conf.
>>
>>When I execute
>>
>>heins:~ # /usr/sbin/squid_ldap_group -P -R -b
>>"ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F
>>"(&(sAMAccountName=%s)(objectClass=Person))" -D
>>"cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
>>cwm webaccess
>>OK
>>
>>I get OK but the user cwm can't use the proxy.
>
>
> Can you quote some of the logs that shows the problem? Is the username
> in the logs exactly as you are typing it on the command line? What I am
> getting at is that it might have the domain name attached to the
> username in which case you need the -S option for squid_ldap_group.
>
> Regards,
> Oliver
>
> Sorry, I am new to this list. In which way must I contact you?
> By your mail address or over squid-users@squid-cache.org?
>
> The access.log entries:
> 1105494666.537 0 192.168.5.2 TCP_DENIED/407 2470 GET http://www.google.de/ - NONE/- text/html
> 1105494675.258 24 192.168.5.2 TCP_DENIED/403 2217 GET http://www.google.de/ cwm NONE/- text/html
>
> The username cwm is correct. I can add more users to webaccess. I checked all the new users with the command line below and the test is OK.
> /usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D
> "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
>
> Regards
> Joachim
>

Sorry, my mail program doesn't automatically reply to the list; yes, you
should reply to the list unless you want to converse directly with one
of the members.

The only thing I could suggest is trying the -S parameter anyway. I
don't know any really good ways to find out what is happening, unless
you can write a test-program to replace squid_ldap_group that logs what
options and input were passed to it. It either works or it doesn't!

Regards,
Oliver
Received on Tue Jan 11 2005 - 17:06:49 MST
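A logging stand-in for squid_ldap_group of the kind Oliver suggests, as an added example that is not part of this thread or of Squid itself: it records every option and every input line squid hands the helper (hidden characters made visible), then relays the line to the real helper so squid still gets its OK/ERR answers. The helper path, log path, script name and the constructed MB\cwm sample are assumptions.

```shell
#!/bin/sh
# Added diagnostic stand-in for squid_ldap_group (not Squid's own code).
# Point external_acl_type at this file while debugging: it logs every
# argument and every input line squid hands it, with hidden characters
# made visible, then relays the line to the real helper.
# Assumptions: the helper and log paths below, and the script name
# ldap_group_debug.sh used in the final case statement.
REAL_HELPER="${REAL_HELPER:-/usr/sbin/squid_ldap_group}"
LOGFILE="${LOGFILE:-/var/log/squid/ldap_group_debug.log}"

# Render a string with control characters escaped (od -c), so a trailing
# CR or an unexpected backslash cannot hide in the log.
visible() {
    printf '%s' "$1" | od -An -c | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# Classify the %LOGIN form squid passed: "plain" (cwm), "nt-domain"
# (constructed sample MB\cwm, the form that -S strips) or "upn" (cwm@mb.local).
login_form() {
    case "$1" in
        *\\*) echo nt-domain ;;
        *@*)  echo upn ;;
        *)    echo plain ;;
    esac
}

# Log argv once, then each stdin line, while passing everything through.
run_wrapper() {
    {
        echo "=== $(date) argv:"
        for a in "$@"; do echo "  [$(visible "$a")]"; done
    } >>"$LOGFILE"
    while IFS= read -r line; do
        # With concurrency=N the first field is a channel id and the user
        # is the second; the classification looks at the whole line, so it
        # is unaffected either way.
        echo "stdin: [$(visible "$line")] login-form=$(login_form "$line")" >>"$LOGFILE"
        printf '%s\n' "$line"
    done | "$REAL_HELPER" "$@"
}

# Act as the helper only when executed under the assumed script name.
case "$0" in
    */ldap_group_debug.sh) run_wrapper "$@" ;;
esac
```

Keep the same options squid.conf currently gives squid_ldap_group and compare the logged login against the `cwm` typed on the command line; a DOMAIN\user form in the log is exactly what -S is for.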

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:35 MST