Re: [squid-users] Squid3 and authenticating users SASL/MYSQL

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 29 Apr 2010 00:36:00 +0000

On Wed, 28 Apr 2010 23:18:14 +0200, Simon Brereton
<simon.brereton_at_dada.net> wrote:
> Hi
>
> I have set up Squid3 and it's all working as I expect and now I'm trying
> to authenticate my users. Since this is not within my network, I can't use
> an IP acl.
>
> I would like to use MYSQL preferably, but since my users already use SASL,
> that would be an option too. I'm running Debian Etch and the latest apt
> version of Squid3...
>

A general note;
 Etch is soon to be on the pile of obsolete Debian releases. If you can,
please upgrade to the current Debian stable.
 Worst case, please upgrade to the backports.org version of squid3.

> donald:~# /usr/sbin/squid3 -v
> Squid Cache: Version 3.0.PRE5
> configure options: '--build=i486-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
> '--libexecdir=${prefix}/lib/squid3' '--disable-maintainer-mode'
> '--disable-dependency-tracking' '--srcdir=.' '--datadir=/usr/share/squid3'
> '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man'
> '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8'
> '--enable-storeio=ufs,aufs,coss'
> '--enable-diskio=AIO,Blocking,DiskDaemon,DiskThreads'
> '--enable-removal-policies=lru,heap' '--enable-poll' '--enable-digest-pools'
> '--enable-snmp' '--enable-htcp' '--enable-select' '--enable-carp'
> '--enable-large-files' '--enable-underscores'
> '--enable-auth=basic,digest,ntlm'
> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,getpwnam,multi-domain-NTLM'
> '--enable-ntlm-auth-helpers=SMB'
> '--enable-digest-auth-helpers=ldap,password'
> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
> '--with-filedescriptors=4096' '--enable-epoll' '--enable-linux-netfilter'
> 'CC=cc' 'CFLAGS=-g -Wall -O2' 'CPPFLAGS=' 'CXXFLAGS=-g -Wall -O2' 'CXX=g++'
> 'LDFLAGS=' 'build_alias=i486-linux-gnu'
>
> My SASL set-up uses MYSQL to retrieve the password against the username
> from the Mail Database. I would like it to do the same here. So far, I
> only found this resource for authenticating with MYSQL
>
> http://www.pubbs.net/200906/squid/3948-squid-users-custom-auth-not-working.html
>
> There is nothing about SASL in the manual - in fact, I only found it by
> accident.
>
> http://www.squid-cache.org/Versions/v3/3.1/cfgman/auth_param.html
>
> and this resource is not terribly verbose:
>
> http://www.squid-cache.org/Versions/v3/HEAD/manuals/basic_sasl_auth.8.html
>

Any useful additions welcome. :)

>
> my squid.conf looks like this:
>
> 1742 auth_param basic program /usr/lib/squid3/sasl_auth /etc/postfix/sasl/smtpd.conf

Does it actually need the config file listed? My understanding was that
placing it in /usr/lib/sasl caused SASL to load it automatically as needed.

> 1743 auth_param basic children 5
> 1744 auth_param basic realm The Proxy
> 1745 auth_param basic credentialsttl 2 hours
> 1746 auth_param basic casesensitive off
>
> The smtpd.conf is the file sasl uses for authenticating smtp traffic, so
> it should be fine (i.e. defining the query, the db, the password, etc), and
> although the prompt box is coming up, it's not validating the response (at
> least not in the logs, even when I pushed the log level up to 9). Trying
> /usr/sbin/squid3 from the commandline with -d9 -N gives me too much
> information although I'm trying now to trap it and see, but having spent 48
> hours to get this far, I thought I'd ask. It's probably as simple as
> fixing line 1742, but I'd appreciate any pointers in doing that.
>

If this way gets too much, there are two other helpers which may be an
option for you:
  POP3 helper (squid tries to use the credentials to login to the POP
server and uses the success/fail result from that).
  DB helper (Squid passes an SQL query direct to the MySQL database, using
the success/fail of that as the result).

Amos
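The basic-auth helper contract that all three helpers in this thread follow (Squid writes one `username password` line per request and reads back `OK` or `ERR`), as an added example that is not code from the thread or from Squid: a minimal helper that checks the pair against the mail database's username/password table, the same lookup smtpd.conf does for SMTP. sqlite3 stands in for MySQL so it runs offline; the table layout, the salted-SHA-256 password scheme and the two accounts are constructed assumptions.

```python
import hashlib
import hmac
import sqlite3
import sys
from urllib.parse import unquote

SALT = "constructed-salt"  # assumption: a single site salt, not what a real mail DB uses


def hash_pw(password):
    """Assumed storage format for the mailbox table: hex(sha256(salt + password))."""
    return hashlib.sha256((SALT + password).encode()).hexdigest()


def make_db():
    """Constructed stand-in for the MySQL mail database (sqlite3, in memory)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO mailbox VALUES (?, ?)", [
        ("alice@example.com", hash_pw("s3cret")),
        ("bob@example.com", hash_pw("hunter 2")),   # password containing a space
    ])
    return db


def check(db, user, password):
    """True only when the user exists and the password matches the stored hash."""
    row = db.execute("SELECT password FROM mailbox WHERE username = ?", (user,)).fetchone()
    # Compare in constant time, and against a dummy hash for unknown users so the
    # helper takes the same time whether or not the account exists.
    stored = row[0] if row else hash_pw("")
    return hmac.compare_digest(stored, hash_pw(password)) and row is not None


def handle_line(db, line):
    """One request from Squid: 'username password\\n' -> 'OK' or 'ERR'.

    Squid URL-encodes both fields before writing them, so a space inside a
    password arrives as %20 and the split on the first space stays unambiguous.
    """
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"          # malformed request: never treat it as success
    user, password = (unquote(p) for p in parts)
    return "OK" if check(db, user, password) else "ERR"


def main():
    db = make_db()  # a real helper would connect to MySQL with the smtpd.conf credentials
    for line in sys.stdin:
        sys.stdout.write(handle_line(db, line) + "\n")
        sys.stdout.flush()  # Squid blocks on the reply; buffered stdout looks like a hung helper


if __name__ == "__main__":
    main()
```

Squid would start it through `auth_param basic program /path/to/this_helper.py`, one copy per configured child.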
Received on Thu Apr 29 2010 - 00:36:09 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 30 2010 - 12:00:05 MDT