Re: [squid-users] Squid3 and authenticating users SASL/MYSQL

From: Amos Jeffries
Date: Sat, 01 May 2010 18:16:07 +1200

Simon Brereton wrote:
>> -----Original Message-----
>> From: Amos Jeffries
>> Sent: Friday, April 30, 2010 1:26 AM
>>>>> my squid.conf looks like this:
>>>>> 1742 auth_param basic program /usr/lib/squid3/sasl_auth
>>>>> /etc/postfix/sasl/smtpd.conf
>>>> Does it actually need the config file listed? My understanding was
>>>> that placing it in /usr/lib/sasl caused SASL to load it
>> automatically
>>>> as needed.
>>> Interesting - part of the problem I guess is that I didn't really
>> understand the sasl mech when I set it up - and I can't really
>> remember what I did. I only have .h and .c files in /usr/lib/sasl -
>> after a bit of looking I found a file at /etc/default/saslauth that
>> seems to list the config options for sasl. What I don't seem to be
>> able to do at the moment is to tell /usr/lib/squid3/sasl_auth where
>> or to do what it needs to do. (The file /etc/postfix/sasl/smtpd.conf
>> tells saslauth what query to run on the DB to compare credentials.
>> I'll keep trying.
> Perhaps Ralf can help - since I largely set up SASL with his and Patrick's help *wave*
>>>>> Trying
>>>>> /usr/sbin/squid3 from the commandline with -d9 -N gives me too
>> much
>>>>> information although I'm trying now to trap it and see, but
>> having
>>>>> spent
>>>> 48
>>>>> hours to get this far, I thought I'd ask. It's probably as
>> simple
>>>> as
>>>>> fixing line 1742, but I'd appreciate any pointers in doing that.
>>>> If this way gets too much there are two other helpers which may be
>> an
>>>> option for you:
>>>> POP3 helper (squid tries to use the credentials to login to the
>> POP
>>>> server and uses the success/fail result from that).
>>>> DB helper (Squid passes an SQL query direct to the MySQL
>> database.
>>>> Using the success/fail of that as the result)
>>> Frankly, either would be fine.. In fact, that's all that SASL is
>> doing. The only reason I went for SASL was because it was the only
>> thing I could find that seemed relevant to my system. MYSQL would be
>> more than adequate since it removes the middle-man.. However, I
>> don't find documentation on this. Can you point me to some?
>>> I found this: http://www.squid-
>> but I can't find
>> on my system so I don't know what to put for the
>> auth_param basic program..
>> That manual you found is pretty much the entire documentation for
>> the DB helper. It does not mention that the --cond parameter can take
>> a whole string of complex conditions if it's quoted with "".
>> Luckily the latter is a Perl script. I have a temporary copy here:
>> Just needs:
>> alter the @PERL@ in the first line
>> remove the file extension.
>> chmod / chown to the squid user with read/execute privileges.
>> configure squid.conf
> Forgive me for being an idiot. Sometimes what's clear to the person who wrote something is a complete black box to someone trying to use it (and I disclose I'm not techie, just a geek).
> That manual page doesn't say where these options should go. I presume on the command line (i.e. immediately following /usr/lib/squid3/basic_db_auth) as in
> /usr/lib/squid3/basic_db_auth --dsn=Mail --table=Accounts, etc.


> But is it --dsn=Mail or --dsn Mail (both are common in *nix world..)

I use a space between the option and quote the values like so:

  --dsn "DBI:mysql:foo:database=ex"

I have not really tested the = way though.

> Also, could I put my args in a file (say /etc/squid3/dbauth) and just have:
> /usr/lib/squid3/basic_db_auth /etc/squid3/dbauth

Not as far as I know. Though you could make a wrapper shell script that
runs the command and use that script in your squid.conf instead.

> Finally, I opted for editing basic_db_auth (I would have opened it up even if I didn't need to change the @PERL@, and when I saw the my options in there, I figured that would be the easiest route). However - and this may not be related - I'm getting a seg fault.

If you really want to go that way, the "my" bit is only their definition.
Options are set later on after the documentation text.

> donald:~# /etc/init.d/squid3 start
> Starting Squid HTTP Proxy 3.0: squid32010/04/30 15:19:31.080| Processing: 'log_fqdn on'
> 2010/04/30 15:19:31.080| Processing: 'dns_nameservers'
> 2010/04/30 15:19:31.080| Processing: 'auth_param basic program /usr/lib/squid3/libexec/basic_db_auth '
> 2010/04/30 15:19:31.080| storeDirWriteCleanLogs: Starting...
> 2010/04/30 15:19:31.080| file_open: FD 5
> /etc/init.d/squid3: line 32: 19094 Segmentation fault start-stop-daemon --quiet --start --pidfile $PIDFILE --exec $DAEMON -- $SQUID_ARGS </dev/null
> failed!

I'd guess the "helper crashing too fast" which happens when the helpers
die on their own startup.


Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
Received on Sat May 01 2010 - 06:16:19 MDT

This archive was generated by hypermail 2.2.0 : Tue May 04 2010 - 12:00:03 MDT
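
The wrapper-script approach suggested in the reply above, as an added example that is not part of the original thread or of Squid itself. The wrapper path, the `key = value` file format and the set of accepted keys are assumptions; each key maps to the helper option of the same name (`--dsn`, `--table` and `--cond` appear in the thread, `--user` and `--password` are the helper's database login options).

```shell
#!/bin/sh
# Added example (not from the thread): wrapper so squid.conf only needs
#   auth_param basic program /usr/local/bin/dbauth-wrapper /etc/squid3/dbauth
# The wrapper path and the key = value file format are assumptions.
HELPER=${HELPER:-/usr/lib/squid3/basic_db_auth}

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# True only for a regular file with no group/other permission bits,
# since the file holds the database password.
conf_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the helper's arguments one per line. Only known keys are accepted,
# so a stray line cannot pass an arbitrary option to the helper.
conf_to_args() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "$line")
        case $line in
            ''|'#'*) continue ;;
            *=*) key=$(trim "${line%%=*}"); val=$(trim "${line#*=}") ;;
            *) key= ;;
        esac
        case $key in
            dsn|user|password|table|cond) printf '%s\n%s\n' "--$key" "$val" ;;
            *) echo "dbauth-wrapper: bad line: $line" >&2; return 1 ;;
        esac
    done < "$1"
}

run_helper() {
    conf_is_private "$1" || { echo "dbauth-wrapper: $1 must be chmod 600" >&2; return 1; }
    args=$(conf_to_args "$1") || return 1
    [ -n "$args" ] || { echo "dbauth-wrapper: $1 is empty" >&2; return 1; }
    set --
    # Rebuild argv line by line so a multi-word cond value stays one argument.
    while IFS= read -r a; do set -- "$@" "$a"; done <<EOF
$args
EOF
    # The options still appear in the helper's argv (visible in ps);
    # the wrapper only keeps them out of squid.conf.
    exec "$HELPER" "$@"
}

# Run only when given a config path, as in the squid.conf line above.
if [ "$#" -ge 1 ]; then run_helper "$1"; fi
```

The config file should be owned by the user Squid runs its helpers as and set to mode 600; the wrapper refuses to start otherwise, which Squid reports as a helper that exited at startup.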