[squid-users] Squid 2.5 STABLE1 + Ldap authentication... dazed and confused...

From: David H�hn <[email protected]>
Date: Tue, 01 Oct 2002 15:16:06 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hello mailing list.

I will be the first to admit, that I am neither a squid guru nor an LDAP
master and after reading the documentation upa nd down, as well as
torturing google with no result, you are all my last resort.

I am trying to authenticate users against an OpenLDAP server. For that
purpouse I installed the squid_auth_ldap.2.0.2 authenticator program by
Casper Pedersen.

I had to adapt his README instructions a bit, since he wrote this for 2.4
and not 2.5. So please correct me, if I am wrong or tell me if there is a
better working ldap authenticator.

My auth section looks as follows:

auth_param basic program /usr/lib/squid/squid_auth_ldap -f
/etc/squid/squid_auth_ldap.conf
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Further down the road I tried to set acl and http_access values, those look
like this:

acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl parent src 172.16.1.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

So far so good... now I tried my best setting up the http_access
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow password
http_access deny all

Now, this looked good, I restarted squid, the ldap helper told me it was
happy and ready to answer requests and then things started getting funny.
I am trying to read entries in the for of this from our ldap tree:
# developer, People, udev.uptime.at
dn: uid=developer,ou=People,dc=udev,dc=uptime,dc=at
uid: developer
cn: developer
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 512
gidNumber: 100
homeDirectory: /home/developer
gecos: developer
userPassword:: e1NNRDV9V3FITE0xU6toNFJFUml0d2piMzA0WFY1N093PQ==

So, i am searching within dc=udev,dc=uptime,dc=at for uid or cn and compare
the password against userPassword.

Konqueror on KDE 3.0.3 tells me "You proxy authorization failed, would you
liek to try again"
Mozilla 1.1 tells me "Connection to xxx refused" where xx is the site Ia m
trying to open
IE 5.2.2 on mac os X tells me nothing and after about 2 minutes "Permission
denied, authorization failed".

Mozilla, nor IE leave any traces in access.log, only konqueror does with
blah blah permissiond enid blah..

I am _very_ confused, is my acl not right? did I fuck up witht he ldap
parameters or have aliens taken over my brain?

I would appreciate it, if there are working ldap auth schemes with s.5 out
there and people could drop me a line to hint me towards teh right
direction. Thank you very much

- -- "Hell, there are no rules here-- we're trying to accomplish something."
- -- Thomas Alva Edison

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (Darwin)

iD8DBQE9maAMzaw9WRklNbkRA/UfAJ4pAHBJhUs0Lm4IG9ref9wOTJbOKACcCGF0
gZsOzgbnz3nT2XF21W3T5PY=
=ux3n
-----END PGP SIGNATURE-----
Received on Tue Oct 01 2002 - 07:16:10 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:33 MST