Re: [squid-users] Configuring authentication with ldap_auth and two domains?

From: Matthias Dettling <m-dettling@dont-contact.us>
Date: Mon, 11 Apr 2005 12:03:33 +0200

D & E Radel wrote:
> Matthias Dettling wrote:
>
>>grolschie wrote:
>>
>>>Repost, as the first never came through at my end.
>>>Sorry if it's a dupe.
>>>
>>>---
>>>Hi y'all.
>>>
>>>I have searched through the docs, and cannot find
>>>a lot on ldap_auth. I use Squid + LDAP instead of
>>>SMB to authenticate against our 2003 Server. The
>>>problem is that we have two domains that I wish to
>>>authenticate against. Is it possible to do this
>>>with Squid and LDAP?
>>>
>>>Here is my current method:
>>>
>>>##################
>>>auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=my,dc=domain,dc=org" -D "cn=Administrator,cn=Users,dc=my,dc=domain,dc=org" -w "mypassword" -f sAMAccountName=%s -h 192.168.1.1
>>>
>>>auth_param basic children 5
>>>auth_param basic realm Our Proxy
>>>auth_param basic credentialsttl 5 hours
>>>
>>>acl localnet proxy_auth REQUIRED src 192.168.1.0/24 192.168.100.0/24
>>>
>>>http_access allow localnet
>>>http_access allow localhost
>>>http_access deny all
>>>###################
>>>
>>>Is it possible to add another sub-domain into this
>>>equation to authenticate against? Our two domains
>>>are on the two networks listed above in localnet
>>>ACL, although our sub-domain's DC has an IP address
>>>on both networks. I am not sure how to specify two
>>>domains and two domain controller IP's in the
>>>above.
>>>
>>>Sorry if this is a n00b question. I am kinda stuck
>>>and you seem to know a lot about this field. Any
>>>tips, greatly received. Thanks in advance.
>>>
>>>regards,
>>>grolschie
>>
>>Hello grolschie,
>>
>>there are sure better solutions, but my one works too.
>>Instead of writing
>>"auth_param basic program /usr/lib/squid/ldap_auth ..."
>>you can use a shell script like that
>>auth_param basic program /shell/script.
>>
>>The only thing your script should do is write out "OK" or "ERR" to
>>stdout dependent on the result of your evaluation with
>>/usr/lib/squid/ldap_auth.
>>Tutorials on writing shell scripts can be found much on the net.
>>
>>I hope this helps.
>>
>>Regards
>>Matthias
>
> Thanks for that, I will have a google for shell
> script writing tutorials. How are variables like
> %s etc passed through/from to the shell script
> though? Or does that not need to happen?
>
> regards,
> D.Radel (aka grolschie)
>
> P.S. I am told that my post was received by the
> group 4 times. Sorry about that. Must've been a
> gmail glitch, as only the last email arrived in my
> inbox via the list - using my ISP's account.
>
>
Hello grolschie,

as far as I know %s isn't a variable that is passed to
/usr/lib/squid/ldap_auth; instead it is a placeholder for that program,
which tells it that %s must be replaced with the username.
By the way, the parameters of a shell script can be found in $1, $2, ...

The name/password pair is passed to the script by the auth_param basic
program command. What you have to do is read from stdin, pass it
to all of your /usr/lib/squid/ldap_auth commands in the script, and then
evaluate the result.

Reading from stdin can be done with something like this:
--------------------
#!/bin/sh

# Squid keeps the helper running and writes one "username password"
# line per request, so read stdin line by line (`cat` would block
# until Squid closes the pipe)
while read INP; do
    # pass the line to each /usr/lib/squid/ldap_auth (one per domain)
    DOM1=`echo "$INP" | /usr/lib/squid/ldap_auth ...`
    DOM2=`echo "$INP" | /usr/lib/squid/ldap_auth ...`
    ...
    # evaluate DOM1, DOM2, ... and echo "OK" or "ERR" here
done
--------------------

Now the only thing you have to do is check whether one of DOM1, DOM2, ...
equals "OK", and depending on this execute echo "OK" or echo "ERR".

I hope this helps.

Regards
Matthias
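A complete helper along the lines sketched in this thread, added here as an example and not a script from the thread or from the Squid project: it reads one request per line the way Squid drives a basic auth helper, tries each domain's ldap_auth in turn and answers OK only when one of them does, and treats anything that is not a literal OK as a failure. The second domain's base DN, its controller address 192.168.100.1, the bind DN cn=squidbind and the DOM1_BINDPW/DOM2_BINDPW environment variables are assumptions; substitute the values from your own auth_param line.

```shell
#!/bin/sh
# ldap_multi_auth.sh: Squid basic auth helper that checks a credential
# against two domains. Example script, not the thread's own; the ldap_auth
# option values are placeholders modelled on the quoted squid.conf.
#
# Squid writes one "username password" line per request to our stdin and
# expects exactly one "OK" or "ERR" line back for each of them.

# One function per domain. Each reads a "username password" line on stdin
# and prints OK or ERR, exactly like a single ldap_auth invocation does.
# The bind password is taken from the environment ($DOM1_BINDPW) instead of
# being written into the script; ldap_auth's -w still places it on the
# command line, where local users can see it in the process list, just as
# the original auth_param line did.
auth_domain1() {
    /usr/lib/squid/ldap_auth -R -b "dc=my,dc=domain,dc=org" \
        -D "cn=squidbind,cn=Users,dc=my,dc=domain,dc=org" \
        -w "$DOM1_BINDPW" -f sAMAccountName=%s -h 192.168.1.1
}

# Second domain: base DN, bind DN and the controller address 192.168.100.1
# are assumed values for this example.
auth_domain2() {
    /usr/lib/squid/ldap_auth -R -b "dc=sub,dc=my,dc=domain,dc=org" \
        -D "cn=squidbind,cn=Users,dc=sub,dc=my,dc=domain,dc=org" \
        -w "$DOM2_BINDPW" -f sAMAccountName=%s -h 192.168.100.1
}

# run_helper NAME LINE: feed LINE to the helper function NAME and print its
# first output line (ldap_auth may append a message after ERR).
run_helper() {
    printf '%s\n' "$2" | "$1" | head -n 1
}

# decide LINE: print OK if any domain accepts the credentials, ERR otherwise.
# Empty output, a crashed helper or an error message all count as failure,
# so the helper fails closed.
decide() {
    for helper in auth_domain1 auth_domain2; do
        result=$(run_helper "$helper" "$1")
        case "$result" in
            OK|OK\ *) echo OK; return 0 ;;
        esac
    done
    echo ERR
    return 1
}

# Main loop: Squid keeps the helper alive, so answer request after request
# until it closes our stdin.
main() {
    while read -r line; do
        decide "$line"
    done
}

# Enter the loop only when run under the script's own name, so the functions
# can also be sourced and exercised on their own.
case "$0" in
    *ldap_multi_auth.sh) main ;;
esac
```

Save it as ldap_multi_auth.sh, make it executable, export the two bind passwords in Squid's environment, and point `auth_param basic program` at the script instead of at ldap_auth directly. Because each request spawns two ldap_auth processes, keep `auth_param basic children` high enough for your request rate; the `credentialsttl` from the quoted config limits how often a given user is re-checked.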
Received on Mon Apr 11 2005 - 04:03:20 MDT
