Re: [squid-users] Auth'ing to Novell eDirectory via LDAP (Re: Windows auto-login)

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Thu, 24 Sep 2009 23:34:53 +0200

Tue 2009-09-22 at 13:31 -0500, Dale Mahalko wrote:

> We don't have domain controllers in novell's eDir, so "dc=" appears to
> be the wrong identifier for Novell's LDAP.

dc= is "Domain Component", not related to Domain Controllers.

It's just a different way of naming the LDAP tree, using the DNS name of
the organisation. This model makes it easier to interoperate between
different LDAP trees of different organisations compared to the o=
model.

> Instead, we have this thing called the Tree and the Org at the top
> level. I've played with trying random guesses like
> "cn=foo,ou=accounts,o=myorg,t=mytree" and it doesn't work.

Before using squid_ldap_auth I would recommend exploring your LDAP
server a bit using an LDAP browser. Most LDAP browsers can automatically
tell you what prefixes are being published.

> And does using "uid=" or "cn=" make a difference with AD vs eDir?

Yes. Which one to use depends on the structure of the LDAP tree.

> Also, what's with the commas and periods in LDAP vs Novell? Does it matter?
>
> Novell eDirectory: cn=user.ou=orgunit.o=org.t=tree
> LDAP: uid=some-user,ou=People,dc=yourcompany,dc=com

LDAP syntax is with comma.

> Novell eDirectory permits spaces in the names of objects. How do you
> deal with spaces in LDAP objects from the command line? Do you wrap
> the individual item with quotes or the whole LDAP path/context in
> quotes?

As you like. a" "b, "a b" and a\ b are all the same thing in shell
syntax.

But quoting the whole argument is recommended.

> Also what is the debug option in the LDAP authenticator supposed to be
> used for? It does not appear to generate any useful output. I am
> looking for extensive debugging information to tell me why and how
> exactly it is or isn't working, like this:

It is not far from what you ask for. The -d option gives feedback on

 * Search filter used, and the search base DN.
 * Warns if the LDAP search returned nothing
 * If search successful it tells which user DN it's trying to bind to
for verifying the password.

If you are using a search bind DN then the helper always warns if
failing to bind to that DN before performing the search. No -d option
needed for that warning.

Regards
Henrik
Received on Thu Sep 24 2009 - 21:34:58 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 25 2009 - 12:00:03 MDT
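The thread above contrasts eDirectory's dotted typeful names (cn=user.ou=orgunit.o=org.t=tree) with LDAP's comma-separated DN syntax, and asks how spaces in object names should be handled on the command line. The following is an added example, not code from Squid or from anyone in the thread: a small Python converter that splits a dotted eDirectory name, escapes each value per RFC 4514 (commas, plus, quotes, backslashes, angle brackets, semicolons, a leading '#', and leading or trailing spaces; interior spaces need no escaping), and quotes the whole resulting DN as one shell argument, as the reply recommends. It assumes that eDirectory's dotted notation uses a backslash to escape a literal dot inside a value, and it drops any t= component because the tree name is not an LDAP attribute type (eDirectory's LDAP server publishes the tree's partitions as naming contexts instead, which is what an LDAP browser would show you). The user and organisation names in the examples are constructed.

```python
"""Convert Novell eDirectory dotted names to RFC 4514 LDAP DNs.

Added example, not from the Squid project or the mailing-list thread.
Assumptions not stated on the page:
  * eDirectory dotted notation separates RDNs with '.' and uses '\\.'
    for a literal dot inside a value.
  * 't=<tree>' is not an LDAP attribute type, so it is dropped (with a
    warning); the tree's partitions appear as LDAP naming contexts.
"""
import shlex
import warnings

# RFC 4514 section 2.4: characters that must be escaped wherever they occur.
_SPECIALS = set(',+"\\<>;')


def parse_edir_name(name: str) -> list[tuple[str, str]]:
    """Split 'cn=Some User.ou=Accounts.o=MyOrg' into [(type, value), ...].

    A backslash escapes the following character, so 'o=Acme\\.com' keeps
    its dot instead of starting a new RDN. Attribute types are lowercased.
    """
    rdns, buf, i = [], [], 0
    while i < len(name):
        ch = name[i]
        if ch == '\\' and i + 1 < len(name):
            buf.append(name[i + 1])
            i += 2
            continue
        if ch == '.':
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(''.join(buf))

    out = []
    for rdn in rdns:
        if '=' not in rdn:
            raise ValueError(f"RDN without attribute type: {rdn!r}")
        attr_type, value = rdn.split('=', 1)
        out.append((attr_type.strip().lower(), value))
    return out


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value per RFC 4514.

    Specials are escaped anywhere; '#' and ' ' only when leading; ' ' also
    when trailing. Interior spaces ("Dale Mahalko") are left alone.
    """
    chars = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            chars.append('\\' + ch)
        else:
            chars.append(ch)
    return ''.join(chars)


def edir_to_ldap_dn(name: str) -> str:
    """Produce the comma-separated LDAP DN for a dotted eDirectory name."""
    parts = parse_edir_name(name)
    kept = [(t, v) for t, v in parts if t != 't']
    if len(kept) != len(parts):
        warnings.warn("dropped 't=' component: the tree name is not an LDAP RDN")
    return ','.join(f"{t}={escape_rdn_value(v)}" for t, v in kept)


def shell_argument(dn: str) -> str:
    """Quote the whole DN as a single shell word (e.g. for a -b base DN)."""
    return shlex.quote(dn)


def same_shell_word(*forms: str) -> bool:
    """True when every spelling splits to the same single argument."""
    words = [shlex.split(f) for f in forms]
    return all(len(w) == 1 and w == words[0] for w in words)


if __name__ == '__main__':
    # Constructed sample name in eDirectory dotted notation.
    dn = edir_to_ldap_dn('cn=Dale Mahalko.ou=Staff Accounts.o=myorg.t=mytree')
    print(dn)                    # cn=Dale Mahalko,ou=Staff Accounts,o=myorg
    print(shell_argument(dn))    # 'cn=Dale Mahalko,ou=Staff Accounts,o=myorg'
    # The three spellings from the reply are one and the same shell word.
    print(same_shell_word('a" "b', '"a b"', 'a\\ b'))  # True
```

The converted DN is what you would pass as the search base (with quotes around the whole thing) and compare against what an LDAP browser shows as the server's naming contexts; if the browser shows o=myorg rather than anything containing the tree name, that confirms why the t= guess in the thread did not work.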