[squid-users] Squid/ldap authentication via Novell NDS

From: Daniel Lim <[email protected]>
Date: Fri, 29 Apr 2005 09:39:30 +1000

Hi,
I am using Squid-2.5-STABLE7 as proxy on SLES 8 for users to
authenticate the browser access to the internet. The password
authentication works well until the Novell NDS changed to a new tree
structure which I have also changed accordingly in the squid.conf.

The old NDS tree that had worked well with squid LDAP settings are as
follows:
==============================================
Old NDS LDAP structure, cn=proxy,ou=access,ou=mckell,o=dpws

Squid.conf auth_param and external acl type;
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b o=dpws -f cn=%s pws-is2-nsrv

external_acl_type ldap_group concurrency=5 %LOGIN /usr/local/squid/libexec/squid_ldap_group -s sub -b ou=access,ou=mckell,o=dpws -f (&(cn=%g)(uniquemember=%u)) -B o=dpws -F (cn=%s) pws-is2-nsrv

acl WEBGROUP external ldap_group Proxy

The NEW NDS's tree that failed to work with squid has the following
settings:
==============================================
New NDS LDAP structure, cn=proxy,ou=People,o=commid

Squid.conf auth_param and external acl type;
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b o=commid -f cn=%s EDIR1NW
external_acl_type ldap_group concurrency=5 %LOGIN /usr/local/squid/libexec/squid_ldap_group -s sub -b ou=People,o=commid -f (&(cn=%g)(uniquemember=%u)) -B o=commid -F (cn=%s) EDIR1NW
acl WEBGROUP external ldap_group Proxy

I used tcpdump to monitor LDAP packets between the client and the new
NDS server EDIR1NW and saw the ldap packets communicating. I can not see
any messages/errors why the authentication failed. I don't believe there
is anything wrong with the new NDS server because other Novell clients
work well with it.

Can someone please shed light on this problem?
Many thanks.

Regards,
Daniel Lim
NSW Dept. of Commerce
Sydney

Received on Thu Apr 28 2005 - 17:39:45 MDT
