Re: [squid-users] Re: Native Kerberos (squid_kerb_auth) with LDAP-Fallback (squid_ldap_auth)

From: Tom Tux <tomtux80_at_gmail.com>
Date: Tue, 10 Aug 2010 06:55:56 +0200

Hi Markus

Thank you.
So, do you know how I have to implement the fallback-mechanism with
squid_ldap_auth?

For instance, if I deny read-rights for the squid-user to the file
/etc/krb5.keytab, I would expect that the squid_ldap_auth-mechanism
would authenticate the user with a password-prompt. But in my case: A
password-prompt appears (but not the right one... without the correct
realm) and I can enter the correct userid/pw -> no success. If I make
a native basic-authentication with squid_ldap_auth (without
combination with kerberos), then the authentication works fine.

Any hints for the fallback-configuration with squid_ldap_auth? Is
there even a way to have a fallback-mechanism with squid_ldap_auth?

Thanks a lot.
Kind regards,
Tom

2010/8/9 Markus Moeller <huaraz_at_moeller.plus.com>:
> Hi Tom,
>
> squid_kerb_ldap does not authenticate a user. It just looks up membership
> info and cannot replace squid_ldap_auth.
>
> Markus
>
> "Tom Tux" <tomtux80_at_gmail.com> wrote in message
> news:AANLkTimYbsVmRsy7a7mhbaAZvfv63WDFUX1i5WD6TcS+@mail.gmail.com...
>>
>> Hi
>>
>> I've implemented a native kerberos-authentication with squid_kerb_auth
>> and squid_kerb_ldap to query ad-group-memberships. This works fine.
>> I'm trying to implement a fallback-mechanism with squid_ldap_auth.
>>
>> But the squid_ldap_auth-fallback is not working. My config looks like
>> this:
>> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
>> auth_param negotiate children 50
>> auth_param negotiate keep_alive on
>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "InternetUsers"
>> acl INTERNET_ACCESS external SQUID_KERB_LDAP
>>
>> external_acl_type SQUID_DENY_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "DenyInternetUsers"
>> acl DENY_INTERNET_ACCESS external SQUID_DENY_KERB_LDAP
>>
>>
>> # LDAP-Fallback
>> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -v 3 -b "dc=xx,dc=yy" -D "cn=binduser,dc=xx,dc=yy" -w "something" -f "(&(&(objectClass=Person)(sAMAccountName=%s))(memberOf=cn=InternetUsers,DC=xx,DC=yy))" -c 3 -h ldaps://xx.xx.xx.xx -h ldaps://xx.xx.xx.xx
>> auth_param basic children 20
>> auth_param basic realm "Internet Access"
>> auth_param basic credentialsttl 2 hour
>> acl INTERNET_ACCESS_LDAP proxy_auth REQUIRED
>>
>> http_access deny DENY_INTERNET_ACCESS
>> http_access allow INTERNET_ACCESS
>> http_access allow INTERNET_ACCESS_LDAP
>>
>>
>>
>> How do I have to implement the fallback-ldap? Do I need the
>> "external_acl"-directive? Can I realise the fallback-mechanism also
>> with squid_kerb_ldap?
>>
>> Thanks a lot.
>> Kind regards,
>> Tom
>>
>
>
>
Received on Tue Aug 10 2010 - 04:56:02 MDT
