[squid-users] Problem with squid_ldap_group

From: Clint Dilks <clintd_at_waikato.ac.nz>
Date: Thu, 10 Mar 2011 13:29:20 +1300

Hi Everyone

I am encountering an issue with this module which I don't understand.

Stage 1

Setup LDAP Authentication with the following in squid.conf

auth_param basic program /usr/lib64/squid/squid_ldap_auth -b
"ou=People,dc=cms,dc=waikato,dc=ac,dc=nz" -f "uid=%s" localhost

acl ldapauth proxy_auth REQUIRED

http_access allow ldapauth

Everything works as expected. Great :)

Stage 2 Work out what needs to be passed to squid_ldap_group

After some searching of the web, I came up with the following

 /usr/lib64/squid/squid_ldap_group -d -b
"ou=People,dc=cms,dc=waikato,dc=ac,dc=nz" -f
'(&(uid=%u)(memberof=cn=%g,ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz))'
localhost

And testing this manually leads to the correct responses. clint is a
non-existent user; clintd is a valid user who is a member of tsg, mysql and
staff

clint tsg
Connected OK
group filter
'(&(uid=clint)(memberof=cn=tsg,ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz))',
searchbase 'ou=People,dc=cms,dc=waikato,dc=ac,dc=nz'
ERR
clintd mysql
Connected OK
group filter
'(&(uid=clintd)(memberof=cn=mysql,ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz))',
searchbase 'ou=People,dc=cms,dc=waikato,dc=ac,dc=nz'
OK
clintd student
Connected OK
group filter
'(&(uid=clintd)(memberof=cn=student,ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz))',
searchbase 'ou=People,dc=cms,dc=waikato,dc=ac,dc=nz'
ERR
clintd staff
Connected OK
group filter
'(&(uid=clintd)(memberof=cn=staff,ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz))',
searchbase 'ou=People,dc=cms,dc=waikato,dc=ac,dc=nz'
OK

So I add the following to my squid.conf file

external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -d -b
"ou=People,dc=cms,dc=waikato,dc=ac,dc=nz" -f
'(&(uid=%u)(memberof=cn=%g,ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz))'
localhost

acl mysql external ldap_group mysql

And edit the access rule to become
http_access allow ldapauth mysql

Squid parses and loads the configuration. If I attempt to authenticate as
the valid user clintd, but with an incorrect password, I am prompted to
re-enter the password. If I supply valid auth information for the user
clintd, I get a page saying squid is denying my request. Why is this? I
could understand it if I'm passing an invalid command line to squid_ldap_group,
but testing it manually seems to work correctly.

As this is a non-production squid configuration at present, I have removed
all other ACLs etc. that may have been interfering, but still see the same
behavior. Does anyone have an idea what I am doing wrong, or suggestions as
to how I troubleshoot this further?

I am using squid-2.6.STABLE21 via CentOS 5 rpm
squid-2.6.STABLE21-6.el5.x86_64

Thank you for your time

Clint Dilks
Received on Thu Mar 10 2011 - 00:29:22 MST
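Added example, not from the post above and not the helper's own code: it fills the -f template from the post the way squid_ldap_group fills %u and %g, escapes the substituted values per RFC 4515 so a login name can only be compared as data, and evaluates the result against a constructed in-memory directory (a stand-in for the LDAP search) that reproduces the OK/ERR results of the manual test. The directory contents and the check_group function are assumptions made for the example.

```python
import re

# Filter template taken from the post's -f argument: squid_ldap_group
# substitutes %u with the login name and %g with the group from the acl line.
FILTER_TEMPLATE = ("(&(uid=%u)(memberof=cn=%g,ou=groups,ou=people,"
                   "dc=cms,dc=waikato,dc=ac,dc=nz))")
GROUP_BASE = "ou=groups,ou=people,dc=cms,dc=waikato,dc=ac,dc=nz"

# Constructed sample directory (not real data): uid -> memberof values.
DIRECTORY = {
    "clintd": ["cn=%s,%s" % (g, GROUP_BASE) for g in ("tsg", "mysql", "staff")],
}

def rfc4515_escape(value: str) -> str:
    """Escape filter-special characters as \\XX so a substituted login or
    group name is always compared as data and can never rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def rfc4515_unescape(value: str) -> str:
    """Reverse rfc4515_escape (what the directory server does on receipt)."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def build_filter(user: str, group: str) -> str:
    """Reproduce the 'group filter' string that squid_ldap_group -d prints."""
    return (FILTER_TEMPLATE.replace("%u", rfc4515_escape(user))
                           .replace("%g", rfc4515_escape(group)))

# Only the exact (&(uid=..)(memberof=..)) shape of this page's filter is
# evaluated; anything else is treated as a non-match.
_SHAPE = re.compile(r"^\(&\(uid=([^()]*)\)\(memberof=([^()]*)\)\)$")

def check_group(user: str, group: str) -> str:
    """Stand-in for the LDAP search: 'OK' when an entry matches the filter,
    'ERR' otherwise (unknown user, wrong group, or malformed filter)."""
    m = _SHAPE.match(build_filter(user, group))
    if not m:
        return "ERR"
    uid, member_of = (rfc4515_unescape(v) for v in m.groups())
    return "OK" if member_of in DIRECTORY.get(uid, []) else "ERR"

if __name__ == "__main__":
    # Same four cases as the manual test in the post.
    for u, g in [("clint", "tsg"), ("clintd", "mysql"),
                 ("clintd", "student"), ("clintd", "staff")]:
        print(u, g, build_filter(u, g), check_group(u, g))
```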

This archive was generated by hypermail 2.2.0 : Thu Mar 10 2011 - 12:00:02 MST