Re: [squid-users] Squid 2.5 w/ LDAP

From: Jayesh Kamdar <jkamdar@dont-contact.us>
Date: Thu, 17 Mar 2005 14:23:56 -0500

Martin and others on the list,

I am new to squid and ldap. I have it compiled with ldap but am having
trouble making the query work. I found 2 binaries ....
- /usr/local/squid/bin/squid_auth_ldap and
- /usr/lib/squid/squid_ldap_auth

And with both I have tried several different queries but none have
worked .. here are a few examples of my queries

./squid_auth_ldap -S ldapsrv1 -s o=mitre.org -U uid=jkamdar
./squid_auth_ldap -S ldapsrv1.mitre.org -s o=mitre.org uid=jkamdar
./squid_auth_ldap -S ldapsrv1.mitre.org -p 389 -s o=mitre.org -U jkamdar

OR
./usr/lib/squid/squid_ldap_auth -h ldapsrv1 -b o=mitre.org uid=jkamdar
./usr/lib/squid/squid_ldap_auth -h ldapsrv1 -b o=mitre.org -f
uid=jkamdar -p 389

but none seem to work.

Any idea which one I should use and what the correct syntax is? I have
looked at the man page but the example doesn't help.

Thanks in advance.

Please let me know,
Jayesh

Martin Richard wrote:

>Hi Steve,
>
> I've just finished installing squid with auth on an eDirectory LDAP
>(Novell 5.11) and after some headaches here's what worked
>
> 1. run configure with --enable-basic-auth-helpers=LDAP
>
> This will compile and install the ldap helper programs
>
> 2. test the process from the command line, from your squid
>installation's /libexec directory:
>
> ./squid_auth_ldap \
> -H ldap://YourEDirServerHere \
> -D "cn=validuser,ou=hisOU,O=hisOrg" \
> -w passwordfortheuser \
> -b "ou=something,O=something" \
> -s sub \
> -v 3 \
> -f "(&(&(objectClass=person)(cn=%s)) \
> (groupMembership=cn=SquidUsers,ou=groupsOU,O=groupsOrg))"
>
> Here's what all of this does:
>
> -H indicates your ldap server in URI format
> -D is the full DN of a user who can connect to the tree. I created a
>SquidSrv user for this here.
> -w is that user's password
> -b is the highest point in your tree where you want to start
>searching (ie you can limit to an OU instead of searching the WHOLE
>tree each time)
> -s sub allows searching the subtree starting at the -b point
> -v 3 is for LDAP version 3
> -f is the LDAP search filter. This particular one searches for a
>person object with the specified username (the %s) that is a member of the
>SquidUsers group (a group I created for allowing net access here)
>
> When you run that, you'll get a waiting cursor.. the program waits
>for input from STDIN.. to test simply enter a username and a password
>to test for authentication.. you'll get OK if the username is valid
>and the password good, or ERR if anything failed. CTRL-D will end the
>session..
>
> GOTCHA: by default, eDirectory won't accept cleartext passwords. You
>have to use ldaps:// to use the SSL port or use the -Z switch to use
>TLS over the normal TCP port.. I didn't want to figure out what was
>wrong with my ssl certificate, so I just configured the ldap server to
>accept cleartext passwords from Console One.. that's one fight I'm
>keeping for a less busy moment :)
>
> 3. when everything is working, put the command you used in your squid
>config **all on one line**..
>
> auth_param basic program /path/to/libexec/squid_auth_ldap -etcetcetc
>
> And use it in an ACL
>
> acl Verified proxy_auth REQUIRED
>
> And allow the traffic on that ACL
>
> http_access allow Verified all
> http_access deny all
>
> The 2nd line is to restrict anyone who couldn't be auth'd.. adjust
>according to your own acl's and policies..
>
> Hope this helps !
>
> Martin
>
>On Thu, 17 Mar 2005 16:33:13 +1100, Steven Adams <steve@drifthost.com> wrote:
>
>
>>Hi,
>>
>>I would like to get LDAP auth working with Squid over my EDIR Tree.
>>
>>I would like to auth based on what group the user is in and then have
>>an acl from there.
>>
>>Can anyone point me in the right direction, maybe docs or something to
>>get this working. I have read on the auth_ldap_users (I think it is) but
>>was not really able to find much good doco on how to do it with groups.
>>
>>Thanks!
>>Steve
>>
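The command-line test Martin describes (type "username password", get OK or ERR back, Ctrl-D to finish) is the whole contract between Squid and a basic-auth helper, and the -f template shows where the username lands inside the LDAP search filter. The script below is an added example, not code from this thread or from Squid: a stand-in helper that speaks that stdin/stdout protocol and builds the filter from a "%s" template with the RFC 4515 escaping a real helper must apply. It uses a constructed in-memory directory (the DNs, group name and passwords are made up) instead of an LDAP server, so the filter is shown as it would be sent but evaluated by equivalent Python logic.

```python
"""Added example, not code from the squid-users thread or from Squid itself.

A small stand-in for a Squid basic-auth helper: one "username password" line
on stdin, "OK" or "ERR" on stdout, with the LDAP search filter built from a
"%s" template the way the -f option works. The directory is a constructed
in-memory dict so the script runs offline.
"""
import sys
from urllib.parse import unquote

# RFC 4515 escaping for values placed inside an LDAP search filter. Without
# it a username containing '*', '(' or ')' would change the filter's meaning.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Substitute the escaped username for %s in an -f style template."""
    return template.replace("%s", escape_filter_value(username))


# Constructed sample directory (DN -> attributes), standing in for the
# eDirectory tree in the thread. Plaintext passwords are for the demo only.
REQUIRED_GROUP = "cn=SquidUsers,ou=groups,o=example"
SAMPLE_DIRECTORY = {
    "cn=jdoe,ou=staff,o=example": {
        "objectClass": ["person"],
        "cn": ["jdoe"],
        "groupMembership": [REQUIRED_GROUP],
        "userPassword": ["s3cret"],
    },
    "cn=guest,ou=staff,o=example": {
        "objectClass": ["person"],
        "cn": ["guest"],
        "groupMembership": [],          # valid account, but not a SquidUser
        "userPassword": ["guest"],
    },
}

# Same shape as the filter in Martin's mail, with the constructed group DN.
FILTER_TEMPLATE = ("(&(&(objectClass=person)(cn=%s))"
                   "(groupMembership=" + REQUIRED_GROUP + "))")


def search(username: str):
    """Return the DN the filter would match, or None.

    No LDAP server here, so the filter is evaluated by equivalent Python
    logic over SAMPLE_DIRECTORY; build_filter() shows what would be sent.
    """
    for dn, attrs in SAMPLE_DIRECTORY.items():
        if ("person" in attrs["objectClass"]
                and username in attrs["cn"]
                and REQUIRED_GROUP in attrs["groupMembership"]):
            return dn
    return None


def bind(dn: str, password: str) -> bool:
    """Stand-in for the second LDAP bind the helper performs as the found user."""
    return password in SAMPLE_DIRECTORY[dn]["userPassword"]


def check_credentials(username: str, password: str) -> str:
    """Search for the user under the group filter, then bind with the password."""
    if not username or not password:
        return "ERR"
    dn = search(username)
    if dn is None:
        return "ERR"        # no such person, or not in the SquidUsers group
    return "OK" if bind(dn, password) else "ERR"


def handle_line(line: str) -> str:
    """One protocol round: parse 'username password', reply OK or ERR."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    # Squid hands the two fields to the helper URL-encoded; unquote() reverses that.
    return check_credentials(unquote(parts[0]), unquote(parts[1]))


if __name__ == "__main__":
    # Same interaction as testing squid_auth_ldap by hand: type a line, Ctrl-D ends.
    for line in sys.stdin:
        print(handle_line(line), flush=True)
```

Running it and typing `jdoe s3cret` prints OK; `guest guest` prints ERR because the group clause of the filter excludes that account even though the password is right, which is exactly the difference between "can bind" and "is in SquidUsers" that the -f filter enforces.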
Received on Thu Mar 17 2005 - 12:28:33 MST
