Re: [squid-users] Configuring authentication with ldap_auth and two domains?

From: D & E Radel <[email protected]>
Date: Wed, 13 Apr 2005 15:14:47 +1200

 Matthias Dettling wrote:
> >
> >
> >>Hello grolschie,
> >>
> >>as I know %s isn't a variable that is passed to
> >>/usr/lib/squid/ldap_auth, instead it is a
> >
> > variable from that program,
> >
> >>which tells it, that %s must be replaced with
> >
> > the username.
> >
> >>By the way parameters of a shell script can be
> >
> > found in $1, $2, ...
> >
> >>The name, password pair is passed to the script
> >
> > by the auth_param basic
> >
> >>program command. What you have to do is reading
> >
> > from stdin and pass it
> >
> >>to all of your /usr/lib/squid/ldap_auth commands
> >
> > in the script and then
> >
> >>evaluate the result.
> >>
> >>Reading from stdin, can be done by something
> >
> > like this:
> >
> >>--------------------
> >>#!/bin/sh
> >>
> >># reading stdin
> >>INP=`cat`
> >>
> >># pass stdin to /usr/lib/squid/ldap_auth
> >>DOM1=`echo $INP | /usr/lib/squid/ldap_auth ...`
> >>DOM2=`echo $INP | /usr/lib/squid/ldap_auth ...`
> >>...
> >>--------------------
> >>
> >>Now the only thing you have to do is evaluate
> >
> > DOM1, DOM2, ... if one of
> >
> >>it equals to "OK". And depending on this execute
> >
> > echo "OK" or echo "ERR".
> >
> >>I hope this helps.
> >>
> >>Regards
> >>Matthias
> >
> >
> > Wow! Thanks big time Matthias! :-)
> >
> > So the evaluation should be something like this?
> >
> > if [ "$DOM1" = "OK" ]; then
> >     echo "OK"
> > elif [ "$DOM2" = "OK" ]; then
> >     echi "OK"
> > else
> >     echo "ERR"
> > fi
> >
> > I would never have got that " INP=`cat`" and "echo
> > $INP" stuff. I would've feebly attempted something
> > like this:
> > DOM1=`/usr/lib/squid/ldap_auth ...`
> > DOM2=`/usr/lib/squid/ldap_auth ...`
> >
> > ...followed by the above evaluation.
> >
> > Thanks a lot for your help. I shall give this a
> > blast tomorrow when I am in front of the box.
> >
> > Kind regards,
> > grolschie
> >
> >
> Hello grolschie,
>
> yes, that's it, what I meant.
> But note that there is a little typo.
> Instead of echi you should of course write echo.
> Then it should work.
> Please tell me about the result of your attempt.
>
> Regards
> Matthias

Hi Matthias (and anyone else reading this)

I have tried the solution and cannot get it
working. I replaced this line:
    auth_param basic program /usr/lib/squid/ldap_auth ......
with reference to my script:
    auth_param basic program /etc/squid/multi_domains.sh

The /etc/squid/multi_domains.sh was chmod 777'ed
and contains:

    #!/bin/sh

    # Reading stdin from Squid
    INP=`cat`

    # Pass stdin to /usr/lib/squid/ldap_auth
    DOMAIN1=`echo $INP | /usr/lib/squid/ldap_auth -R \
        -b "dc=......" \
        -D "cn=Administrator,cn=Users,dc=..........." \
        -w "........." -f sAMAccountName=%s -h 192.168.1.1`

    # Just spit out the result for now
    echo $DOMAIN1

Note that this was just a test to make sure the
first part worked before querying two domains and
evaluating. The result was that I received the
authentication prompt in my browser. If I got the
password wrong it would ask up to 2 more times then
access denied, but if I got it correct the browser
would just hang then time-out.

Something weird is going on, because if I add the
following command to the beginning, it gets
ignored when ldap_auth calls it:
    echo "hello" >/etc/squid/tmp.txt

Or is that just a permissions issue? If I run the
script from console, it writes the tmp.txt file.

The fact that authentication fails on bad password
and hangs on ok password tells me that the LDAP
part is working. However, the passing of the
stdout back to Squid does not seem to be working.
The weird thing is that Squid knows when I get the
password wrong 3 times.

Regards,
Dietrich (aka grolschie)
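Added example, not from any message in this thread: a two-domain wrapper written against the protocol Squid actually uses for basic auth helpers. Squid keeps the helper's stdin open for its whole lifetime and writes one "user password" line per login attempt, expecting one OK/ERR line back per request; INP=`cat` blocks waiting for an EOF that never comes, so no reply ever reaches Squid. The domain settings (base DN, bind DN, bind password, second LDAP host) are placeholders to be replaced with the real values.

```shell
#!/bin/sh
# Squid basic-auth wrapper that tries ldap_auth against two domains.
# Squid keeps the helper's stdin open and writes one "user password" line per
# login attempt; the helper must answer every line with exactly one OK or ERR
# line and keep looping. INP=`cat` waits for EOF, which Squid never sends.

# One function per domain (placeholder values, assumed; replace with the real
# -b / -D / -w / -h settings). Each child reads one request line on stdin.
auth_domain1() {
    /usr/lib/squid/ldap_auth -R -b "dc=DOMAIN1_BASE_PLACEHOLDER" \
        -D "cn=Administrator,cn=Users,dc=DOMAIN1_BASE_PLACEHOLDER" \
        -w "BIND_PASSWORD_PLACEHOLDER" -f sAMAccountName=%s -h 192.168.1.1
}
auth_domain2() {
    /usr/lib/squid/ldap_auth -R -b "dc=DOMAIN2_BASE_PLACEHOLDER" \
        -D "cn=Administrator,cn=Users,dc=DOMAIN2_BASE_PLACEHOLDER" \
        -w "BIND_PASSWORD_PLACEHOLDER" -f sAMAccountName=%s \
        -h DOMAIN2_LDAP_HOST_PLACEHOLDER
}

# check_line "user password" helper1 helper2 ...
# Feeds the request to each helper in turn; the child sees one line and then
# EOF, so it answers once and exits. Prints OK at the first success, else ERR,
# and returns 0 or 1 accordingly.
check_line() {
    line=$1
    shift
    for helper in "$@"; do
        reply=$(printf '%s\n' "$line" | "$helper" 2>/dev/null | head -n 1)
        case $reply in
            OK*) echo "OK"; return 0 ;;
        esac
    done
    echo "ERR"
    return 1
}

# Main loop: one reply per request, for as long as Squid keeps the pipe open.
serve() {
    while IFS= read -r line; do
        check_line "$line" auth_domain1 auth_domain2
    done
}

# Only start serving when run as the installed helper script, so the
# functions above can also be sourced and exercised on their own.
case "$0" in
    */multi_domains.sh) serve ;;
esac
```

Installed as /etc/squid/multi_domains.sh and referenced from auth_param basic program, every request Squid writes gets exactly one reply, whichever domain answers.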
Received on Tue Apr 12 2005 - 21:14:15 MDT

This archive was generated by hypermail pre-2.1.9 : Sun May 01 2005 - 12:00:03 MDT