[squid-users] Squid - Domino LDAP Auth (and a little Websphere SSO)

From: Chris Mitchell <[email protected]>
Date: Fri, 30 Nov 2007 09:35:44 +1100 (EST)

Greetings,

Have a bit of a problem trying to get Squid authentication working against
a Lotus Domino LDAP directory. The actual authentication part is OK, if I
want everyone in my Domino directory to have access through Squid it is
not a problem, the real issue arises when I try to filter it based on
group membership.

I have been through all the past mailing list articles in regards to this
topic, and I've tried a whole bunch of different things, and I'm not
having any luck (my LDAP skills are weak).

Taking a step back, what I'm actually trying to achieve here is single
sign on between IBM Websphere Portal 6.0 and Squid (2.5.STABLE3), so that
after my users sign on to Portal, they are not prompted for their internet
password when they try to visit external sites linked from the portal.
Websphere is already using the Domino LDAP for user authentication, so I
figured that getting the 2 apps authenticating from the same place is a
good start.

Please find below the relevant pieces of my current squid.conf, if anyone
could shed any light as to what I'm doing incorrectly here, it would be
greatly appreciated.

--------------------------------------

# TAG: auth_param

auth_param basic program /usr/lib/squid/squid_ldap_auth -b "" -f uid=%s xx.xx.xx.xx
--------------------------------------
# TAG: external_acl_type

external_acl_type inetusers %LOGIN /usr/lib/squid/squid_ldap_group -b "" -f "(&(cn=%g)(objectClass=groupOfNames)(member=%u))" -F "(&(uid=%s)(objectClass=Person))" xx.xx.xx.xx
--------------------------------------
# TAG: acl

acl ldap_password proxy_auth required
acl inet_users external inetusers ProxyUsers
--------------------------------------
# TAG: http_access

http_access allow inet_users
http_access allow localhost
http_access deny all
--------------------------------------

I hope that this is enough information to show what it is that I am doing,
I'm pretty sure those are all the relevant bits. Note that without the
external ACL, the authentication works perfectly. I would like to restrict
access to members of the LDAP group "ProxyUsers".

I look forward to any assistance.

Regards,

Chris Mitchell
Received on Thu Nov 29 2007 - 15:36:02 MST
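An added example, not part of the post or of Squid itself: a small model of what the squid_ldap_group helper does with the -F and -f templates above (look up the user's DN with -F, then substitute it for %u in the -f group filter, with the substituted values escaped), so the two-step check can be traced on sample data without a live server. The in-memory directory entries are constructed; the filter evaluator only understands the AND-of-equality filters the post uses.

```python
import re

# Constructed in-memory stand-in for the Domino LDAP directory (sample data, not real entries).
DIRECTORY = {
    "CN=Jane Doe,O=Example": {"uid": ["jdoe"], "objectClass": ["Person"]},
    "CN=Bob Roe,O=Example": {"uid": ["broe"], "objectClass": ["Person"]},
    "CN=ProxyUsers,O=Example": {"cn": ["ProxyUsers"], "objectClass": ["groupOfNames"],
                                "member": ["CN=Jane Doe,O=Example"]},
}
USER_FILTER = "(&(uid=%s)(objectClass=Person))"                   # the post's -F template
GROUP_FILTER = "(&(cn=%g)(objectClass=groupOfNames)(member=%u))"  # the post's -f template

def ldap_escape(value):
    """RFC 4515 escaping for a value spliced into a filter, so a login such as
    'x)(uid=*' cannot rewrite the query."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(filt):
    """Tiny evaluator for the AND-of-equality filters used in the post; returns matching DNs."""
    inner = filt[2:-1] if filt.startswith("(&") else filt
    terms = [(a.lower(), ldap_unescape(v).lower())
             for a, v in re.findall(r"\(([^=()]+)=([^()]*)\)", inner)]
    if not terms:
        raise ValueError("unsupported filter: " + filt)
    hits = []
    for dn, attrs in DIRECTORY.items():
        lowered = {k.lower(): [x.lower() for x in xs] for k, xs in attrs.items()}
        if all(v in lowered.get(a, []) for a, v in terms):
            hits.append(dn)
    return hits

def is_group_member(login, group):
    """Replay the two-step lookup: -F finds the user's DN, then %u in -f is that DN."""
    users = search(USER_FILTER.replace("%s", ldap_escape(login)))
    if len(users) != 1:
        return False  # no or ambiguous user entry: membership cannot be established
    group_filter = (GROUP_FILTER.replace("%g", ldap_escape(group))
                                .replace("%u", ldap_escape(users[0])))
    return bool(search(group_filter))

def helper_reply(line):
    """Answer one '%LOGIN group' request line the way an external_acl helper does."""
    login, group = line.split(None, 1)
    return "OK" if is_group_member(login, group.strip()) else "ERR"

if __name__ == "__main__":
    for req in ("jdoe ProxyUsers", "broe ProxyUsers", "jdoe)(uid=* ProxyUsers"):
        print(req, "->", helper_reply(req))
```

Running it prints OK for jdoe, ERR for broe (not a member), and ERR for the injected login, because escaping keeps the user-supplied text inside the uid value instead of letting it close the filter.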
