[squid-users] problems Squid auth with Active Directory with LDAP module

From: kRiZiO LoRd <krizio@dont-contact.us>
Date: Mon, 22 Jan 2007 21:39:40 +0100

Hello!

I'm working in a pre-production environment with virtual machines, one
running Squid on Debian etch, trying to authenticate the users against an
Active Directory installed in another virtual machine running MS Windows
2003 Server.
Before this I succeeded in authenticating with a Unix passwords file without
problems. Now I'm following this guide to authenticate through LDAP with
Active Directory -->
  http://papercut.biz/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory

This is the part of my squid.conf where I specify the auth module:
# -- LDAP AUTH TEST against AD
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=raah,dc=local" -D "cn=Administrador,cn=squid_users,ou=Users,dc=raah,dc=local" -w "admin" -f sAMAccountName=%s -h 192.168.0.90
auth_param basic children 5
auth_param basic realm ACMEProxy
auth_param basic credentialsttl 5 minutes

and this is the ACL adapted to my environment:
# My ACL against AD
external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=raah,dc=local" -D "cn=Administrador,ou=Users,dc=raah,dc=local" -w "admin" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Users,dc=raah,dc=local))" -h 192.168.0.90
acl localnet proxy_auth REQUIRED src 192.168.0.0/24
acl InetAccess external InetGroup squid_users
http_access allow InetAccess
The Active Directory machine has 192.168.0.90 as IP, user
"Administrador", password "admin". The users that I want to allow to
connect are in the Active Directory group called "squid_users" in the
Organizational Unit "Users" in the domain "raah.local".

The browser asks for user and password but it never works with real users.

In the process list on the squid machine I can see that, checking my
parameters, the helpers are launched correctly:
proxy 5457 0.0 0.1 3500 840 ? Ss 14:09 0:00 (ldap_auth) -R -b dc=raah,dc=local -D cn=Administrador,cn=squid_users,ou=Users,dc=raah,dc=local
proxy 5464 0.0 0.1 3496 836 ? Ss 14:09 0:00 (squid_ldap_group) -R -b dc=raah,dc=local -D cn=Administrador,ou=Users,dc=raah,dc=local -w admin

In access.log on squid I get these lines when trying to authenticate with
the user "moi", who is in the squid_users group. I don't know why the
username is followed by NONE. I tried writing RAAH\moi too, but it did not
work, and in the log it appears without capital letters.

1169474464.947 65 192.168.0.40 TCP_DENIED/407 1847 GET http://www.google.com/ moi NONE/- text/html
1169474465.025 64 192.168.0.40 TCP_DENIED/407 1847 GET http://www.google.com/ moi NONE/- text/html
1168934037.153 374 192.168.0.40 TCP_DENIED/407 1822 GET http://www.google.com/ raah\moi NONE/- text/html

I installed a sniffer on the AD machine to see what it is receiving from
this machine during the auth, but I can't see anything understandable.

My theory is that the LDAP path is not OK, because I checked a few VBS
scripts using the LDAP path and they did not work OK; see examples here
http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/default.mspx?mfr=true

I checked the docs about this but nothing works.
Any idea what to do?

Thanks a lot!

-- 
----------------------------------------------
      --- ~O
 ----- _`\<;_
 ---  (_)/\(_)
kRiZiO
mailto:krizio@gmail.com
http://www.krizio.com
----------------------------------------------
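An added example, not part of the original post or of Squid itself: two offline checks in Python that help read the evidence above. The first parses Squid native access.log lines (constructed here from the ones in the post, plus one successful request made up for contrast) and counts TCP_DENIED/407 responses per user, folding the RAAH\moi and moi spellings together; in this log format the NONE/- after the user name is the hierarchy field (peer status/peer host), not part of the user name, and a 407 logged together with a user name means credentials were presented and not accepted by the helper. The second splits a distinguished name into its RDNs so the bind DN and search base handed to ldap_auth and squid_ldap_group can be compared component by component with the directory layout, since everything downstream depends on that bind succeeding. Function names and the sample log are the example's own.

```python
"""Added example (not from the original post): offline checks for Squid
basic-auth debugging. Parses native access.log lines and splits LDAP DNs."""
import re
from collections import Counter

# Squid native access.log layout:
#   time elapsed client code/status bytes method URL user peerstatus/peerhost type
_LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)/(?P<peerhost>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample: the three 407 lines from the post plus one invented
# successful request (TCP_MISS/200 via DIRECT) to show what success looks like.
SAMPLE_LOG = r"""
1169474464.947 65 192.168.0.40 TCP_DENIED/407 1847 GET http://www.google.com/ moi NONE/- text/html
1169474465.025 64 192.168.0.40 TCP_DENIED/407 1847 GET http://www.google.com/ moi NONE/- text/html
1168934037.153 374 192.168.0.40 TCP_DENIED/407 1822 GET http://www.google.com/ raah\moi NONE/- text/html
1169474470.100 120 192.168.0.40 TCP_MISS/200 5120 GET http://www.google.com/ moi DIRECT/66.102.9.99 text/html
"""


def normalize_user(raw):
    """Fold 'RAAH\\moi', 'raah\\moi' and 'moi' to 'moi'; '-' means no credentials."""
    if raw == "-":
        return None
    if "\\" in raw:
        raw = raw.rsplit("\\", 1)[1]  # drop a DOMAIN\ prefix
    return raw.lower()


def parse_access_log(text):
    """Return one dict per parseable log line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["user"] = normalize_user(ev["user"])
            events.append(ev)
    return events


def count_auth_failures(text):
    """Count 407 responses that carried a user name: credentials sent, rejected."""
    failures = Counter()
    for ev in parse_access_log(text):
        if ev["status"] == "407" and ev["user"] is not None:
            failures[ev["user"]] += 1
    return failures


def split_dn(dn):
    """Split a DN into (attribute, value) pairs. Honours backslash escapes in
    values (RFC 4514) but keeps them verbatim; enough for squid.conf DNs."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def dn_parent(dn):
    """The container a DN claims its object lives in (DN minus its first RDN)."""
    return ",".join(f"{a}={v}" for a, v in split_dn(dn)[1:])


if __name__ == "__main__":
    for user, n in count_auth_failures(SAMPLE_LOG).items():
        print(f"{user}: {n} rejected logins (407 with credentials)")
    for dn in ("cn=Administrador,cn=squid_users,ou=Users,dc=raah,dc=local",
               "cn=Administrador,ou=Users,dc=raah,dc=local"):
        print(f"{dn}\n  -> object lives under: {dn_parent(dn)}")
```

Run it on a real access.log by replacing SAMPLE_LOG with the file contents; a user who keeps appearing with 407 and a name is one whose credentials reach Squid but fail in the helper, which points at the helper's bind DN, base and filter rather than at the browser. Printing dn_parent() for both DNs used in the post makes it visible that the two helpers are configured with the Administrador account in two different containers, which is worth reconciling against what the directory actually holds.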
Received on Mon Jan 22 2007 - 13:39:49 MST
