[squid-users] SOS with squid_ldap_auth !!

At last I got squid_ldap_auth with squid_ldap_group to authenticate and
authorize against the MSAD.
Thanks a lot for tips.

What I ultimately would like to have is a situation when it only takes
to match the group membership to get access to the Internet, and NO
authentication is required. The userId accessing the Internet should be
still recorded in the access.log

Any suggestions on this?

Thank you very much!

-----Original Message-----
From: Meyerovich Aleksandr EB_NY
Sent: Tuesday, January 17, 2006 5:20 PM
To: 'squid-users@squid-cache.org'
Subject: FW: SOS with squid_ldap_auth !!
Importance: High

One more question!!

If there's no option to tell the "configure" under squid where openldap
is installed where then openldap should be installed so that squid can
find it?

Which options openldap should be built with to support native AD domain
(no NTLM) with Kerberos bind?

Any help greatly appreciated!!

-----Original Message-----
From: Meyerovich Aleksandr EB_NY
Sent: Tuesday, January 17, 2006 3:14 PM
To: 'squid-users@squid-cache.org'
Subject: SOS with squid_ldap_auth !!

What would be the right openldap version for the following combination:

RedHat 8.0 (2.4.18-14) and Squid 2.5.STABLE4-20031110. When compiling
Squid with enable ....ldap.... options how to specify an alternate
openldap location.

Do squid_ldap_auth and squid_ldap_group support Kerberos bind? How to
make Kreberos bind?

Ldapsearch with this parameters returns what I need:

./ldapsearch -b "dc=my,dc=domain" -D "user@my.domain" -w "password"
"sAMAccountName=SomeGroupName" -h server.

Squid_ldap_auth with the same options/filters returns ERR.

Thanks a lot,
Alex

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Friday, January 13, 2006 6:14 PM
To: Meyerovich Aleksandr EB_NY
Cc: Squid Users
Subject: Re: [squid-users] SOS with squid_ldap_auth !!

On Fri, 13 Jan 2006, Meyerovich Aleksandr EB_NY wrote:

> Are there any debugging switches for squid_ldap_auth to get something
> more descriptive than ERR?

-d gives you some details. But there isn't much it can give. Most
operations is of "works/fails" nature mainly depending on getting the
configuration right.

There is only two configuration steps involved:

  1. The binddn needs to be correct. (-D -w options)

  2. The search filter needs to find/match the users correctly. (-b -f
options, and perhaps -R)

Most of the other options are not relevant in MSAD setups.

> - I can reach the MSAD LDAP server by short name as well as FQDN
> - squid_ldap_auth compiled with no problems:
> ldd squid_ldap_auth
> - I tried all example formats in the manual page with filters and
> without
> - tried cn attr as well as sAMAccountName
> - With -D and -w and without.

Have you got the search bind DN and password correct? Most MSAD setups
won't give you much information at all unless you first authenticate to
the AD.. On the nice side it seems you can use shortnames (i.e.
user@your.ad.domain) as the binddn.

If you are in doubt I recommend first exploring your MSAD with LDAP
tools.
It is a lot easier to understand what is required to get squid_ldap_auth

running smoothly if you first get normal LDAP tools working right...

Regards
Henrik
Received on Thu Feb 16 2006 - 13:14:52 MST