Re: [squid-users] Configuring authentication with ldap_auth and two domains?

From: Matthias Dettling <[email protected]>
Date: Sat, 09 Apr 2005 23:13:08 +0200

grolschie wrote:
> Repost, as the first never came through at my end.
> Sorry if it's a dupe.
>
> ---
> Hi y'all.
>
> I have searched through the docs, and cannot find
> a lot on ldap_auth. I use Squid + LDAP instead of
> SMB to authenticate against our 2003 Server. The
> problem is that we have two domains that I wish to
> authenticate against. Is it possible to do this
> with Squid and LDAP?
>
> Here is my current method:
>
> ##################
> auth_param basic program
> /usr/lib/squid/ldap_auth -R -b
> "dc=my,dc=domain,dc=org" -D
> "cn=Administrator,cn=Users,dc=my,dc=domain,dc=org"
> -w "mypassword" -f sAMAccountName=%s -h
> 192.168.1.1
>
> auth_param basic children 5
> auth_param basic realm Our Proxy
> auth_param basic credentialsttl 5 hours
>
> acl localnet proxy_auth REQUIRED src
> 192.168.1.0/24 192.168.100.0/24
>
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> ###################
>
> Is it possible to add another sub-domain into this
> equation to authenticate against? Our two domains
> are on the two networks listed above in localnet
> ACL, although our sub-domain's DC has an IP address
> on both networks. I am not sure how to specify two
> domains and two domain controller IPs in the
> above.
>
> Sorry if this is a n00b question. I am kinda stuck
> and you seem to know a lot about this field. Any
> tips, greatly received. Thanks in advance.
>
> regards,
> grolschie
>
>
>
Hello grolschie,

There are surely better solutions, but mine works too.
Instead of writing
"auth_param basic program /usr/lib/squid/ldap_auth ..."
you can use a shell script, like this:
auth_param basic program /shell/script

The only thing your script should do is write "OK" or "ERR" to
stdout, depending on the result of your evaluation with
/usr/lib/squid/ldap_auth.
Many tutorials on writing shell scripts can be found on the net.

I hope this helps.

Regards
Matthias
Received on Sat Apr 09 2005 - 15:12:53 MDT
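
The wrapper approach described in the reply above, as an added example that is not part of the original thread: a helper script that passes each request line to ldap_auth once per domain and answers OK if either accepts. The second domain's base DN, bind DN and server address, the secret file paths, the `serve` argument and the function names are constructed for illustration, and the installed helper is assumed to support `-W`.

```shell
#!/bin/sh
# Squid sends one "username password" line per request on stdin (URL-encoded,
# passed through unchanged) and expects exactly one OK or ERR line per request.
LDAP_AUTH=${LDAP_AUTH:-/usr/lib/squid/ldap_auth}   # helper path from the post

# One function per domain. Domain 1 uses the values from the post; domain 2's
# base DN, bind DN and server address are constructed placeholders.
# -W (bind password read from a file) is assumed to be supported by the
# installed helper; the secret file paths are hypothetical.
domain1() {
    "$LDAP_AUTH" -R -b "dc=my,dc=domain,dc=org" \
        -D "cn=Administrator,cn=Users,dc=my,dc=domain,dc=org" \
        -W /etc/squid/ldap1.secret -f "sAMAccountName=%s" -h 192.168.1.1
}
domain2() {
    "$LDAP_AUTH" -R -b "dc=sub,dc=my,dc=domain,dc=org" \
        -D "cn=Administrator,cn=Users,dc=sub,dc=my,dc=domain,dc=org" \
        -W /etc/squid/ldap2.secret -f "sAMAccountName=%s" -h 192.168.100.1
}
BACKENDS=${BACKENDS:-"domain1 domain2"}

# Feed one credential line to one backend on its stdin, never as an argument,
# so the password stays out of the process list. Only a first reply line that
# starts with the word OK counts; errors and empty output fail closed.
accepts() {
    printf '%s\n' "$2" | "$1" 2>/dev/null | head -n 1 | grep -Eq '^OK( |$)'
}

# Answer for one request line: OK as soon as any domain accepts it, else ERR.
check_line() {
    for backend in $BACKENDS; do
        if accepts "$backend" "$1"; then echo OK; return 0; fi
    done
    echo ERR
}

# Main loop: one reply per request line, until Squid closes stdin.
serve() {
    while IFS= read -r line; do check_line "$line"; done
}

# Squid starts this as "auth_param basic program /shell/script serve"; without
# the argument the file only defines the functions above.
if [ "${1:-}" = "serve" ]; then serve; fi
```

A wrong password is tried against both domains, so it counts toward account lockout in each domain where that username exists. If the same sAMAccountName exists in both domains, either account's password is accepted for that name.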
