[squid-users] Squid 3.0 STABLE2 LDAP Authentication Failing

From: Matias Chris <lists@dont-contact.us>
Date: Fri, 14 Mar 2008 14:23:06 -0200

Hi There,

This is my first message to the list. I have been working with Squid
for the last 3 months and until now I could do everything I wanted
without help.

Now I have a problem and so far could not resolve it by myself; I hope
someone here knows how to solve it.

I just upgraded from 2.6Stable5 to 3.0Stable2. I was authenticating
users using LDAP, and this stopped working since I did the upgrade.
If I take out all the LDAP-related commands from the config,
Squid runs OK. I tried manually to execute squid_ldap_group and it is
working fine also.

The symptom is that the authentication popup never comes up, I just
receive a "Denied Access" message.

Here is what I have configured:
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -d -v 3 -b "dc=[host],dc=[domain],dc=com" -D "cn=squid,cn=users,dc=[host],dc=[domain],dc=com" -w [password] -f sAMAccountName=%s -h Server_IP

auth_param basic children 5
auth_param basic realm XXXXXXXXX
auth_param basic credentialsttl 5 minutes

external_acl_type busca_el_grupo %LOGIN /usr/local/squid/libexec/squid_ldap_group -v 3 -R -b "dc=[host],dc=[domain],dc=com" -D "cn=squid,cn=users,dc=[host],dc=[domain],dc=com" -w [password] -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,CN=Users,dc=[host],dc=[domain],dc=com))" -h Server IP

acl Internet external busca_el_grupo [group]
acl ldap_auth proxy_auth REQUIRED

http_access allow Internet
http_access allow ldap_auth

Debug (ALL,5):
2008/03/14 08:25:16.238| ACLChecklist::preCheck: 0xd44368 checking 'http_access allow Internet'
2008/03/14 08:25:16.239| ACLList::matches: checking Internet
2008/03/14 08:25:16.239| ACL::checklistMatches: checking 'Internet'
2008/03/14 08:25:16.239| authenticateValidateUser: Auth_user_request was NULL!
2008/03/14 08:25:16.239| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2008/03/14 08:25:16.239| aclMatchAcl: returning 0 sending authentication challenge.
2008/03/14 08:25:16.239| aclMatchExternal: busca_el_grupo user not authenticated (0)
2008/03/14 08:25:16.239| ACL::ChecklistMatches: result for 'Internet' is 0
2008/03/14 08:25:16.239| ACLList::matches: result is false
2008/03/14 08:25:16.240| aclmatchAclList: 0xd44368 returning false (AND list entry failed to match)
2008/03/14 08:25:16.241| ACLChecklist::markFinished: 0xd44368 checklist processing finished
2008/03/14 08:25:16.241| aclmatchAclList: async=1 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 1
2008/03/14 08:25:16.241| ACLChecklist::check: 0xd44368 match found, calling back with 2
2008/03/14 08:25:16.241| ACLChecklist::checkCallback: 0xd44368 answer=2
2008/03/14 08:25:16.241| The request GET http://www.gmail.com/ is DENIED, because it matched 'Internet'
2008/03/14 08:25:16.241| Access Denied: http://www.gmail.com/
2008/03/14 08:25:16.241| AclMatchedName = Internet
2008/03/14 08:25:16.241| Proxy Auth Message = <null>
2008/03/14 08:25:16.243| storeCreateEntry: 'http://www.gmail.com/'
2008/03/14 08:25:16.244| store.cc(366) new StoreEntry 0xbde8498
2008/03/14 08:25:16.244| MemObject.cc(76) new MemObject 0x9cf80ec
2008/03/14 08:25:16.246| storeKeyPrivate: GET http://www.gmail.com/
2008/03/14 08:25:16.246| StoreEntry::hashInsert: Inserting Entry 0xbde8498 key '4701868D6A5B27EE086C4E1DA47B76D2'
2008/03/14 08:25:16.247| StoreEntry::setReleaseFlag: '4701868D6A5B27EE086C4E1DA47B76D2'
2008/03/14 08:25:16.247| Creating an error page for entry 0xb7de8498 with errorstate 0x9d97a98 page id 20

Any help will be much appreciated.

Thanks in advance!
Matias.
Received on Fri Mar 14 2008 - 10:23:20 MDT
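
A triage script for the kind of ALL,5 trace posted above, added here as an example; it is not part of the original message or of Squid. It rejoins records that were wrapped in transit and reports which http_access rule was checked, whether a proxy_auth header arrived, which external ACL saw an unauthenticated user, and the final verdict. The function names are hypothetical, the sample is a few lines copied from the post, and the patterns assume the message wording shown there.

```python
import re

# Constructed sample: lines taken from the trace in the post, still wrapped
# the way the mail client wrapped them.
SAMPLE = """\
2008/03/14 08:25:16.238| ACLChecklist::preCheck: 0xd44368 checking
'http_access allow Internet'
2008/03/14 08:25:16.239| authenticateAuthenticate: broken auth or no
proxy_auth header. Requesting auth header.
2008/03/14 08:25:16.239| aclMatchExternal: busca_el_grupo user not
authenticated (0)
2008/03/14 08:25:16.241| The request GET http://www.gmail.com/ is
DENIED, because it matched 'Internet'
2008/03/14 08:25:16.241| Proxy Auth Message = <null>
"""

STAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?\| ?")
VERDICT = re.compile(
    r"The request (\S+) (\S+) is (ALLOWED|DENIED), because it matched '(.+)'$")

def unwrap(text):
    """Rejoin wrapped records: a line with no timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if STAMP.match(line) or not records:
            records.append(STAMP.sub("", line).strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Collect rules checked, credential state, and the access verdict."""
    out = {"rules": [], "creds_presented": True,
           "unauth_helpers": [], "verdict": None}
    for rec in unwrap(text):
        if m := re.match(r"ACLChecklist::preCheck: \S+ checking '(.+)'$", rec):
            out["rules"].append(m.group(1))
        elif "no proxy_auth header" in rec:
            out["creds_presented"] = False
        elif m := re.match(r"aclMatchExternal: (\S+) user not authenticated", rec):
            out["unauth_helpers"].append(m.group(1))
        elif m := VERDICT.match(rec):
            out["verdict"] = dict(zip(("method", "url", "action", "acl"), m.groups()))
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```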
