[squid-users] LDAP/idiot problem!

From: <Ian.Large_at_norbert-dentressangle.com>
Date: Mon, 13 Oct 2008 13:31:49 +0100

Hi everyone

I'm looking for some inspiration because I am drawing a complete blank! A
few years ago I set up my company's squid boxes - a pair of servers both
identically configured and using LDAP authentication against an Active
Directory domain. It took quite some time to get it all working properly
but eventually it all got going and ran smoothly. I then left the company
for a spell and now find myself back and detailed with rebuilding the
squid servers onto newer boxes because the hardware is a little long in
the tooth and now the software is too - the original servers were on RHEL
3 boxes and the subscriptions to get updates were never renewed.

One of the servers failed and has been replaced with a newer box which I
have built, as instructed, with CentOS 5. All seems okay but when I
transplant the config file from the (now very hard-working) live machine I
am getting an LDAP error with the lookup. Clearly I either missed
installing something fundamental when I built the server (the idiot
scenario) or something has changed syntactically with the options but I
have searched diligently through the man pages and can't find any reason
why what did work no longer works.

Here is the line from squid.conf working on the live box (2.5.STABLE3):

auth_param basic program /usr/lib/squid/squid_ldap_auth
-b "dc=cs-plc,dc=salvesen,dc=com"
-D "cn=Ldap User,ou=users,ou=ND House (slh /
wel),ou=UK,dc=cs-plc,dc=salvesen,dc=com" -w (password)
-f "(&(sAMAccountName=%s)(memberOf=CN=InternetUsers,OU=Groups,OU=ND House
(slh / wel),OU=UK,DC=cs-plc,DC=salvesen,DC=com))"
-h 10.1.2.1
-p 3268

The new box where this doesn't work is at 2.6.STABLE6. Attempts to
authenticate result in the logfile showing:

squid_ldap_auth: WARNING, LDAP search error 'Bad search filter'

Has anybody got any insight? At present I've cut back the filter to -f
"sAMAccountName=%s" which is at least forcing authentication but not
checking the group membership.

Ian Large

Received on Mon Oct 13 2008 - 12:35:20 MDT
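
An added example, not part of the original post: RFC 4515 requires the characters ( ) * \ and NUL inside a filter assertion value to be written as \28 \29 \2a \5c and \00, and the memberOf group DN in the filter above contains literal parentheses. The Python below (all function names are this example's own, and the parser is a simplified strict check rather than a full RFC 4515 grammar) escapes the DN and tests both forms of the filter.

```python
# Added example, not from the original post. Escapes LDAP assertion values per
# RFC 4515 and checks a filter string for raw parentheses inside a value.

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Return value with the RFC 4515 special characters hex-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_filter(s: str, i: int = 0) -> int:
    """Strictly parse one '(...)' filter starting at s[i] and return the index
    just past it. Raises ValueError on a raw '(' inside an assertion value."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":       # composite: operator, then sub-filters
        i += 1
        while i < len(s) and s[i] == "(":
            i = parse_filter(s, i)
    else:                                   # simple item: attr=value up to ')'
        while i < len(s) and s[i] != ")":
            if s[i] == "(":
                raise ValueError(f"unescaped '(' in value at offset {i}")
            i += 1
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def is_valid_filter(s: str) -> bool:
    """True if s is exactly one filter that passes the strict parse."""
    try:
        return parse_filter(s) == len(s)
    except ValueError:
        return False


# Group DN copied from the post; %s is the placeholder squid_ldap_auth fills in.
GROUP_DN = ("CN=InternetUsers,OU=Groups,OU=ND House (slh / wel),"
            "OU=UK,DC=cs-plc,DC=salvesen,DC=com")
ORIGINAL = f"(&(sAMAccountName=%s)(memberOf={GROUP_DN}))"
ESCAPED = f"(&(sAMAccountName=%s)(memberOf={escape_filter_value(GROUP_DN)}))"

if __name__ == "__main__":
    print("original passes strict parse:", is_valid_filter(ORIGINAL))
    print("escaped passes strict parse: ", is_valid_filter(ESCAPED))
    print(ESCAPED)
```

Whether squid.conf hands the backslashes to the helper unchanged depends on its quoting rules, which the post does not cover, so check the argument squid_ldap_auth actually receives.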
