Following up on myself...
On Fri, Mar 02, 2012 at 01:59:27PM +1030, Brett Lymn wrote:
>
> At the moment I am looking at setting up a LDAP proxy for the upstream
> to query and then use login=*:password in squid. This should allow me
> to make the upstream proxy believe it is authenticating so that it has
> the username it wants.
>
OK, I have good news/bad news about this approach. The good news is with
the help of:
http://www.openldap.org/lists/openldap-software/200010/msg00097.html
http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/13.html
I was able to create a shell backend - the script in the first link
didn't work well with the version of openldap I had but a merging of
bits of scripts from both pages gave me a working lookup. My shell
script just returns "OK" to a bind request. This gives the upstream
proxy what it wants to do "authentication". In the squid.conf I just
use "login=*:password" to feed the username and fixed password to the
upstream. This works fine, squid passed up the username, upstream looks
in ldap, ldap says "ok". Happy days.
The bad news is even though the username gets validated by the upstream
when it does the logging only the accesses using basic authentication
work - accesses using kerberos authentication work _but_ the username is
missing from the upstream reporting logs. It _is_ happy with the auth
but for some reasons best known to itself the details don't get fed into
the log *sigh* I did a bit of a troubleshoot on this and found that
when using kerberos the username is "user_at_OUR.AD.DOMAIN", my ldap script
just strips the domain and feeds back the DN for the user fine but the
upstream won't report the user to it's logging server. I tested this by
changing the squid.conf to have "login=*@OUR.AD.DOMAIN:password" and
then the upstream fails to log the user when basic authentication is
used just like kerberos case.
So, it seems that I need to strip the username back to just a bare name.
From what Amos said earlier it seems I can do this with an external
acl, if I use this acl will the username be available for login=*? or do
I need to use login=PASS? If I use login=PASS will I still get
authentication on squid as well? (I really need squid to auth the
client) or is there another way I can mangle the username to my needs?
-- Brett Lymn "Warning: The information contained in this email and any attached files is confidential to BAE Systems Australia. If you are not the intended recipient, any use, disclosure or copying of this email or any attachments is expressly prohibited. If you have received this email in error, please notify us immediately. VIRUS: Every care has been taken to ensure this email and its attachments are virus free, however, any loss or damage incurred in using this email is not the sender's responsibility. It is your responsibility to ensure virus checks are completed before installing any data sent in this email to your computer."Received on Wed Mar 07 2012 - 01:23:21 MST
This archive was generated by hypermail 2.2.0 : Wed Mar 07 2012 - 12:00:02 MST