[squid-users] RE: Squid + ldap +ssl Secure authentication

From: Vootla, Bhagwan <Bhagwan.Vootla@dont-contact.us>
Date: Fri, 15 Jun 2007 12:42:20 -0400

Thanks Henrik.

I have the link created to my cert as you suggested.

[root@proxy2 cacerts]# ls -altr
total 32
-rw-r--r-- 1 root root 4245 Jan 18 11:41 cert.pem
drwxr-xr-x 2 root root 4096 Jan 18 11:42 .
lrwxrwxrwx 1 root root 8 Apr 24 16:57 9ac40248.0 -> cert.pem
drwxr-xr-x 3 root root 4096 Jun 15 12:22 ..
[root@proxy2 cacerts]# pwd
/etc/openldap/cacerts

Using the -Z option still returns "Could not Activate TLS connection".
I also tried with -p 636, which does not return anything. Somehow I
need to implement this to meet the deadline (tomorrow).

Can you/someone please help in configuring?

Fyi: I have the connectivity over 636 port to my ldap server from proxy
server.

Thanks a ton.

Bhagwan

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
Sent: Thursday, June 14, 2007 10:25 AM
To: Vootla, Bhagwan
Cc: squid-users@squid-cache.org; squid-dev@squid-cache.org
Subject: Re: Squid + ldap +ssl Secure authentication

tor 2007-06-14 klockan 07:47 -0400 skrev Vootla, Bhagwan:

> 1) I have read that SSL encryption can be achieved from proxy
> server to ldap server only. How can I achieve from browser to proxy
> server ?

Squid has all the support that is needed on the proxy side of things for
this, by using the https_port directive.

However, there are no known browsers supporting SSL to proxies.

> 2) I created a cert in /etc/openldap/cacerts/cert.pem. How do I
> tell squid_ldap_auth to use this cert and encrypt the password. (my
> ldap server listens on 389,636 ports).

By asking it to use TLS.

> I also tried with -Z option from the command line, But I get "Could
> not Activate TLS connection"

Then it probably didn't find the CA certificate. /etc/openldap/cacerts is
an openssl hashed certificate directory. It's not sufficient to just
place the certificate file there, it also needs to be named properly for
OpenSSL to find it.

There is a tool somewhere which sets up symbolic links for the hashed
certificate names, unfortunately I don't remember its name. But the
following should work:

cd /etc/openldap/cacerts/
ln cert.pem `openssl x509 -in cert.pem -hash -noout`.0

Also make sure the file is world-readable.

chmod a+r cert.pem

Regards
Henrik
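The hashed-directory setup Henrik describes, as an added example that is not part of the thread and not Henrik's or Squid's code. It does what the c_rehash tool he could not name does, but explicitly: for every PEM certificate in a directory it creates the "<subject-hash>.N" symlinks OpenSSL looks up, makes the file world-readable, and then verifies the directory the same way the LDAP client library will (with -CApath, i.e. through the hashed links, not the file name). Newer OpenSSL computes "-hash" with SHA-1 while older releases used MD5, so both link names are emitted when the installed openssl supports "-subject_hash_old". The directory and certificate names in the usage are assumptions; the only real dependency is the openssl command line tool.

```shell
#!/bin/sh
# Example code (not from the original thread): populate an OpenSSL hashed
# CA directory such as /etc/openldap/cacerts so that TLS clients find the CA.
set -eu

# hash_dir DIR: create "<hash>.N" symlinks for every parseable *.pem in DIR.
# Idempotent: an existing link that already points at the file is left alone,
# and colliding hashes get .1, .2, ... as OpenSSL expects.
hash_dir() {
    dir=$1
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        # Skip files that are not X.509 certificates (keys, CRLs, junk).
        openssl x509 -in "$cert" -noout >/dev/null 2>&1 || continue
        # "-hash" is an alias of "-subject_hash" (SHA-1) on OpenSSL >= 1.0.0;
        # "-subject_hash_old" reproduces the MD5-based name used by 0.9.x.
        for h in $(openssl x509 -in "$cert" -noout -subject_hash) \
                 $(openssl x509 -in "$cert" -noout -subject_hash_old 2>/dev/null || true); do
            n=0
            while [ -e "$dir/$h.$n" ]; do
                # Already linked to this certificate: nothing to do for this hash.
                if [ "$(readlink "$dir/$h.$n")" = "$(basename "$cert")" ]; then
                    continue 2
                fi
                n=$((n + 1))
            done
            ln -s "$(basename "$cert")" "$dir/$h.$n"
        done
        # The helper runs as an unprivileged user, so the CA file must be readable.
        chmod a+r "$cert"
    done
}

# verify_with_capath DIR CERT: succeed only if CERT validates against the
# hashed directory DIR. This exercises the lookup path the LDAP library uses,
# so a missing or misnamed link shows up here before touching squid.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage (paths are assumptions):
#   hash_dir /etc/openldap/cacerts
#   verify_with_capath /etc/openldap/cacerts /etc/openldap/cacerts/cert.pem && echo OK
```

Two further checks before retrying squid_ldap_auth -Z: confirm that the client library is actually pointed at the directory (TLS_CACERTDIR /etc/openldap/cacerts in /etc/openldap/ldap.conf, or TLS_CACERT for a single file), and confirm that the server's certificate chains to that CA with `openssl s_client -connect ldapserver:636 -CApath /etc/openldap/cacerts`, which prints the verify result; "Could not Activate TLS connection" is exactly what you get when that verification fails. Note that -p 636 alone only changes the port; the LDAPS handshake still needs the CA to be found.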
Received on Fri Jun 15 2007 - 10:42:31 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:04 MDT