On Mon, 19 Sep 2005, nattapon viroonsri wrote:
> When I integrate squid_ldap_auth with squid by putting the following entry in
> /etc/squid/squid.conf like this
> auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -Z -b
> "o=mycompany" -D "cn=manager,o=mycompany " -w "secret" -f "cn=%s"
> rhel4.example.com
> user cannot authenticate correctly
>
> But when I issue ldapsearch with starttls or squid_ldap_auth, both can
> authenticate successfully
> su - squid
> ldapsearch -x -ZZ -D cn=user1 -w password
> echo "user1 password " | /usr/lib/squid/squid_ldap_auth -Z -v 3 -D
> cn=manager,o=mycompany -w secret -b o=mycompany -f 'cn=%s' rhel4.example.com
Odd.. the above two are identical from what I can see..
Are there any warnings in cache.log?
> From ldapsearch , squid_ldap_auth command line , both can authenticate
> correctly, but after I integrate squid_ldap_auth into squid it looks like
> squid doesn't look into /var/spool/squid/ldaprc to send the client certificate
There is not supposed to be any difference running squid_ldap_auth
manually as your cache_effective_user or as a daemon by Squid.
> So, is there any way to tell squid to send the client certificate to the ldap
> server?
From what I can see what you have done should work.
It may be possible to enhance squid_ldap_auth to allow specifying the
client certificate to use explicitly on the command line, but I am not
entirely sure how this is done in the OpenLDAP API. I suppose it is done
using LDAP_OPT_X_TLS_CERTFILE/KEYFILE, but these aspects of the OpenLDAP
API are very poorly documented.
Patches are welcome if you figure out how.
Regards
Henrik
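A diagnostic that follows from the thread above, added here as an example and not code from the thread or from Squid: libldap reads user-level ldaprc files relative to HOME and the current working directory (per ldap.conf(5); TLS_CERT and TLS_KEY are user-only options and are ignored in the system ldap.conf), so a helper started by Squid can see a different set of files than the same helper run from an interactive `su - squid` shell. The script lists which ldaprc candidates exist for a given HOME/cwd and checks that the certificate and key an ldaprc names are readable; the lookup order is my reading of ldap.conf(5) and the directory layout is constructed.

```shell
#!/bin/sh
# Added diagnostic (not part of the thread or of Squid). Lookup order is my
# reading of ldap.conf(5): $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc, then the
# file named by LDAPCONF and the basename named by LDAPRC (home and cwd).

# Usage: ldaprc_candidates HOME CWD [LDAPRC_basename] [LDAPCONF_path]
# Prints every candidate that exists and is readable, one per line.
ldaprc_candidates() {
    home="$1"; cwd="$2"; rc="${3:-}"; conf="${4:-}"
    set -- "$home/ldaprc" "$home/.ldaprc" "$cwd/ldaprc"
    [ -n "$conf" ] && set -- "$@" "$conf"
    [ -n "$rc" ] && set -- "$@" "$home/$rc" "$home/.$rc" "$cwd/$rc"
    for f in "$@"; do
        [ -r "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Usage: ldaprc_tls_check FILE
# For each TLS_CERT / TLS_KEY line, prints "OK KEY PATH" or "MISSING KEY PATH",
# so an unreadable key (wrong owner/mode for cache_effective_user) shows up.
ldaprc_tls_check() {
    awk 'toupper($1)=="TLS_CERT" || toupper($1)=="TLS_KEY" { print toupper($1), $2 }' "$1" |
    while read -r key path; do
        if [ -r "$path" ]; then printf 'OK %s %s\n' "$key" "$path"
        else printf 'MISSING %s %s\n' "$key" "$path"; fi
    done
}

# Constructed layout for a stand-alone run: an interactive home directory with
# an .ldaprc and the certificate (deliberately no key file), plus an empty
# daemon home and cwd. Prints the temporary root directory.
demo_layout() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/interactive_home" "$tmp/daemon_home" "$tmp/cwd"
    printf 'TLS_CERT %s/interactive_home/client.pem\nTLS_KEY %s/interactive_home/client.key\n' \
        "$tmp" "$tmp" > "$tmp/interactive_home/.ldaprc"
    : > "$tmp/interactive_home/client.pem"
    printf '%s\n' "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(demo_layout)
    echo "interactive:"; ldaprc_candidates "$root/interactive_home" "$root/cwd"
    echo "daemon:";      ldaprc_candidates "$root/daemon_home" "$root/cwd"
    ldaprc_tls_check "$root/interactive_home/.ldaprc"
    rm -rf "$root"
fi
```

Run it with `--demo` to see the constructed case; against a real host, call `ldaprc_candidates` with the HOME and cwd the Squid process actually has (compare `cat /proc/<squid pid>/environ` and `ls -l /proc/<squid pid>/cwd`) rather than the values of an interactive shell.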
Received on Tue Sep 20 2005 - 06:01:41 MDT