Re: [squid-users] Configuring authentication with ldap_auth and two domains?

From: Matthias Dettling <m-dettling@dont-contact.us>
Date: Wed, 13 Apr 2005 19:04:09 +0200

D & E Radel wrote:
>
> Matthias Dettling wrote:
>
>>>>Hello grolschie,
>>>>
>>>>as far as I know %s isn't a variable that is passed to
>>>>/usr/lib/squid/ldap_auth, instead it is a variable from that program,
>>>>which tells it, that %s must be replaced with the username.
>>>>
>>>>By the way, parameters of a shell script can be found in $1, $2, ...
>>>>
>>>>The name, password pair is passed to the script by the auth_param basic
>>>>program command. What you have to do is read from stdin and pass it
>>>>to all of your /usr/lib/squid/ldap_auth commands in the script and then
>>>>evaluate the result.
>>>>
>>>>Reading from stdin can be done by something like this:
>>>>
>>>>--------------------
>>>>#!/bin/sh
>>>>
>>>># reading stdin
>>>>INP=`cat`
>>>>
>>>># pass stdin to /usr/lib/squid/ldap_auth
>>>>DOM1=`echo $INP | /usr/lib/squid/ldap_auth ...`
>>>>DOM2=`echo $INP | /usr/lib/squid/ldap_auth ...`
>>>>...
>>>>--------------------
>>>>
>>>>Now the only thing you have to do is evaluate DOM1, DOM2, ... if one of
>>>>them equals "OK". And depending on this execute echo "OK" or echo "ERR".
>>>>
>>>>I hope this helps.
>>>>
>>>>Regards
>>>>Matthias
>>>
>>>
>>>Wow! Thanks big time Matthias! :-)
>>>
>>>So the evaluation should be something like this?
>>>
>>> if [ "$DOM1" = "OK" ]; then
>>> echo "OK"
>>> elif [ "$DOM2" = "OK" ]; then
>>> echi "OK"
>>> else
>>> echo "ERR"
>>> fi
>>>
>>>I would never have got that " INP=`cat`" and "echo $INP" stuff. I
>>>would've feebly attempted something like this:
>>> DOM1=`/usr/lib/squid/ldap_auth ...`
>>> DOM2=`/usr/lib/squid/ldap_auth ...`
>>>
>>>...followed by the above evaluation.
>>>
>>>Thanks a lot for your help. I shall give this a
>>>blast tomorrow when I am in front of the box.
>>>
>>>Kind regards,
>>>grolschie
>>>
>>>
>>
>>Hello grolschie,
>>
>>yes, that's what I meant.
>>But note that there is a little typo.
>>Instead of echi you should of course write echo.
>>Then it should work.
>>Please tell me about the result of your attempt.
>>
>>Regards
>>Matthias
>
>
> Hi Matthias (and anyone else reading this)
>
> I have tried the solution and cannot get it
> working. I replaced this line:
> auth_param basic program /usr/lib/squid/ldap_auth ......
> with reference to my script:
> "auth_param basic program /etc/squid/multi_domains.sh"
>
> The /etc/squid/multi_domains.sh was chmod 777'ed
> and contains:
>
> #!/bin/sh
>
> # Reading stdin from Squid
> INP=`cat`
>
> # Pass stdin to /usr/lib/squid/ldap_auth
> DOMAIN1=`echo $INP | /usr/lib/squid/ldap_auth -R \
>     -b "dc=......" \
>     -D "cn=Administrator,cn=Users,dc=..........." \
>     -w "........." -f sAMAccountName=%s -h 192.168.1.1`
>
> # Just spit out the result for now
> echo $DOMAIN1
>
> Note that this was just a test to make sure the
> first part worked before querying two domains and
> evaluating. The result was that I received the
> authentication prompt in my browser. If I got the
> password wrong it would ask up to 2 more times then
> access denied, but if I got it correct the browser
> would just hang then time-out.
>
> Something weird is going on, because if I add the
> following command to the beginning, it gets
> ignored when ldap_auth calls it:
> echo "hello" >/etc/squid/tmp.txt
>
> Or is that just a permissions issue? If I run the
> script from console, it writes the tmp.txt file.
>
> The fact that authentication fails on bad password
> and hangs on ok password tells me that the LDAP
> part is working. However, the passing of the
> stdout back to Squid does not seem to be working.
> The weird thing is that Squid knows when I get the
> password wrong 3 times.
>
> Regards,
> Dietrich (aka grolschie)
>
>
Hello grolschie,

I'm very sorry that it doesn't work at the first go.
I didn't understand where you added this line:
echo "hello" >/etc/squid/tmp.txt
but I advise you to first test the username password pair on the command
line before you do that with squid and a browser.
This is very easy.
Type the following on the shell:
   echo "username password" | /usr/lib/squid/ldap_auth ...
If you get an OK or an ERR, this works at least.
If it works, then type in this:
   echo "username password" | /etc/squid/multi_domains.sh
There you should get the same result as before.

At the moment I don't have the possibility to test the script in a
working environment, but at the weekend I will do so.

Regards,
Matthias
Received on Wed Apr 13 2005 - 11:03:59 MDT

This archive was generated by hypermail pre-2.1.9 : Sun May 01 2005 - 12:00:03 MDT
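The helper sketched in the thread blocks on `INP=`cat``: Squid keeps a basic-auth helper's stdin open for the life of the process and writes one "username password" line per request, expecting one "OK" or "ERR" line back for each, so `cat` never sees end-of-file and the browser waits until it times out. The script below is an added example (not code from the thread or from Squid) of the same two-domain idea written as a proper read loop. The `-b`/`-D`/`-w`/`-h` values are placeholders rather than values from the thread, and `check_domain1`, `check_domain2`, `decide` and `helper_loop` are names chosen for this example.

```shell
#!/bin/sh
# Added example: a Squid basic-auth helper that checks a "username password"
# line against several domains, one ldap_auth call per domain.
#
# Squid writes one request line at a time and waits for one answer line; the
# helper must answer each line as it arrives instead of reading stdin to EOF.
#
# Assumptions: the -b/-D/-w/-h values below are placeholders, not values from
# the thread. ldap_auth reads "user pass" on stdin, prints a line starting
# with OK or ERR, and decodes the credentials itself, so the line is passed
# through unchanged.

check_domain1() {
    /usr/lib/squid/ldap_auth -R -b "dc=domain1,dc=example" \
        -D "cn=Administrator,cn=Users,dc=domain1,dc=example" \
        -w "PLACEHOLDER_BIND_PASSWORD" -f sAMAccountName=%s -h 192.168.1.1
}

check_domain2() {
    /usr/lib/squid/ldap_auth -R -b "dc=domain2,dc=example" \
        -D "cn=Administrator,cn=Users,dc=domain2,dc=example" \
        -w "PLACEHOLDER_BIND_PASSWORD" -f sAMAccountName=%s -h 192.168.1.2
}

# decide LINE CHECKER...: feed LINE to each checker function in turn. Print
# OK and return 0 at the first checker that accepts; otherwise print ERR and
# return 1. printf is used instead of `echo $INP` so the credentials are
# not word-split or reinterpreted by the shell on the way through.
decide() {
    line=$1
    shift
    for checker in "$@"; do
        reply=$(printf '%s\n' "$line" | "$checker" 2>/dev/null | head -n 1)
        case $reply in
            OK|"OK "*) echo OK; return 0 ;;
        esac
    done
    echo ERR
    return 1
}

# helper_loop CHECKER...: the Squid-facing loop, one request line in and one
# answer line out, until Squid closes the pipe (read then hits EOF).
helper_loop() {
    while IFS= read -r line; do
        decide "$line" "$@" || true   # the answer is already printed
    done
}

# Run the loop only when installed under the name used in the thread
# (/etc/squid/multi_domains.sh), so the functions can also be sourced for
# testing without blocking on stdin.
case $0 in
    *multi_domains.sh) helper_loop check_domain1 check_domain2 ;;
esac
```

Installed as /etc/squid/multi_domains.sh and executable (0755 owned by root is enough; a 777 script that embeds an LDAP bind password and is run by Squid lets any local user change what Squid executes), it can be tried exactly as Matthias suggests: `echo "username password" | /etc/squid/multi_domains.sh` prints one OK or ERR line and exits when the echo closes the pipe. The bind password given with `-w` is visible in process listings, so a dedicated low-privilege bind account is the sensible choice.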