[squid-users] Re: Native Kerberos (squid_kerb_auth) with LDAP-Fallback (squid_ldap_auth)

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Mon, 9 Aug 2010 22:26:37 +0100

Hi Tom,

squid_kerb_ldap does not authenticate a user. It just looks up membership
info and cannot replace squid_ldap_auth.

Markus

"Tom Tux" <tomtux80_at_gmail.com> wrote in message
news:AANLkTimYbsVmRsy7a7mhbaAZvfv63WDFUX1i5WD6TcS+@mail.gmail.com...
> Hi
>
> I've implemented native Kerberos authentication with squid_kerb_auth
> and squid_kerb_ldap to query AD group memberships. This works fine.
> I'm trying to implement a fallback mechanism with squid_ldap_auth.
>
> But the squid_ldap_auth fallback is not working. My config looks like
> this:
> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
> auth_param negotiate children 50
> auth_param negotiate keep_alive on
> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
> /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "InternetUsers"
> acl INTERNET_ACCESS external SQUID_KERB_LDAP
>
> external_acl_type SQUID_DENY_KERB_LDAP ttl=3600 negative_ttl=3600
> %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g
> "DenyInternetUsers"
> acl DENY_INTERNET_ACCESS external SQUID_DENY_KERB_LDAP
>
>
> # LDAP-Fallback
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R
> -v 3 -b "dc=xx,dc=yy" -D "cn=binduser,dc=xx,dc=yy" -w "something" -f
> "(&(&(objectClass=Person)(sAMAccountName=%s))(memberOf=cn=InternetUsers,DC=xx,DC=yy))"
> -c 3 -h ldaps://xx.xx.xx.xx -h ldaps://xx.xx.xx.xx
> auth_param basic children 20
> auth_param basic realm "Internet Access"
> auth_param basic credentialsttl 2 hour
> acl INTERNET_ACCESS_LDAP proxy_auth REQUIRED
>
> http_access deny DENY_INTERNET_ACCESS
> http_access allow INTERNET_ACCESS
> http_access allow INTERNET_ACCESS_LDAP
>
>
>
> How do I have to implement the LDAP fallback? Do I need the
> "external_acl" directive? Can I realise the fallback mechanism also
> with squid_kerb_ldap?
>
> Thanks a lot.
> Kind regards,
> Tom
>
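As an added illustration (not code from this thread or from Squid's own helpers), here is a minimal external ACL helper in Python that speaks the line protocol Squid uses for the external_acl_type entries in the config above: it only answers a membership question about a %LOGIN that Squid has already authenticated, which is why such a helper cannot stand in for squid_ldap_auth. The LDAP query is replaced by a constructed in-memory table, and the login normalization is an assumption.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl_type helper answering group-membership queries.
Squid sends one request per line ("%LOGIN" plus any extra acl arguments) and
expects "OK" or "ERR" back per line. The LDAP query is replaced here by a
constructed in-memory table (assumption), so the script runs without a directory.
"""
import sys

# Constructed sample directory: group name -> set of lowercase account names.
SAMPLE_GROUPS = {
    "InternetUsers": {"tom", "alice"},
    "DenyInternetUsers": {"alice"},
}

def normalize_login(login):
    """Reduce %LOGIN to a bare account name so both auth schemes match the
    same directory entry: Negotiate yields 'user@REALM', Basic yields what the
    user typed (possibly 'DOMAIN\\user'). Case folding is an assumption that
    must match the directory's own matching rules."""
    user = login.split("@", 1)[0]
    user = user.rsplit("\\", 1)[-1]
    return user.lower()

def is_member(login, group, groups=SAMPLE_GROUPS):
    """Membership lookup; unknown group or user is False (fail closed)."""
    return normalize_login(login) in groups.get(group, set())

def handle_line(line, group, groups=SAMPLE_GROUPS, concurrent=False):
    """Build the reply for one request line. With concurrency=N set on the
    external_acl_type, each line starts with a channel id to echo back."""
    fields = line.split()
    channel = ""
    if concurrent and fields:
        channel, fields = fields[0] + " ", fields[1:]
    if not fields:  # malformed or empty request: never answer OK
        return channel + "ERR"
    return channel + ("OK" if is_member(fields[0], group, groups) else "ERR")

def main(argv=sys.argv[1:]):
    # squid.conf:  ... %LOGIN /path/group_check.py -g InternetUsers [--concurrent]
    group = argv[argv.index("-g") + 1] if "-g" in argv[:-1] else "InternetUsers"
    concurrent = "--concurrent" in argv
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, group, concurrent=concurrent) + "\n")
        sys.stdout.flush()  # Squid blocks until it sees each reply line

if __name__ == "__main__":
    main()
```

Whether the real squid_kerb_ldap accepts the bare username a Basic-authenticated user supplies, as opposed to the user@REALM form produced by squid_kerb_auth, is something to verify against its documentation. The ttl=3600 and negative_ttl=3600 values in the config above also mean a group change (either direction) can take up to an hour to take effect.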
Received on Mon Aug 09 2010 - 21:27:39 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 10 2010 - 12:00:02 MDT