Re: [squid-users] Squid - Domino LDAP Auth (and a little Websphere SSO)

From: Amos Jeffries <[email protected]>
Date: Fri, 30 Nov 2007 11:45:22 +1300 (NZDT)

>
> Greetings,
>
> Have a bit of a problem trying to get Squid authentication working against
> a Lotus Domino LDAP directory. The actual authentication part is OK, if I
> want everyone in my Domino directory to have access through Squid it is
> not a problem, the real issue arises when I try to filter it based on
> group membership.
>
> I have been through all the past mailing list articles in regards to this
> topic, and I've tried a whole bunch of different things, and I'm not
> having any luck (my LDAP skills are weak)
>
> Taking a step back, what I'm actually trying to acheive here is single
> sign on between IBM Websphere Portal 6.0 and Squid (2.5.STABLE3), so that

Step 1) upgrade your squid to latest release. 2.5 is way obsolete.

> after my users sign on to Portal, they are not prompted for their internet
> password when they try to visit external sites linked from the portal.
> Websphere is already using the Domino LDAP for user authentication, so I
> figured that getting the 2 apps authenticating from the same place is a
> good start.
>
> Please find below the relevent pieces of my current squid.conf, if anyone
> could shed any light as to what I'm doing incorrectly here, it would be
> greatly appreciated.
>
>
> --------------------------------------
>
> # TAG: auth_param
>
> auth_param basic program /usr/lib/squid/squid_ldap_auth -b "" -f uid=%s
> xx.xx.xx.xx
> --------------------------------------
> # TAG: external_acl_type
>
> external_acl_type inetusers %LOGIN /usr/lib/squid/squid_ldap_group -b ""
> -f "(&(cn=%g)(objectClass=groupOfNames)(member=%u))" -F
> "(&(uid=%s)(objectClass=Person))" xx.xx.xx.xx
> --------------------------------------
> # TAG: acl
>
> acl ldap_password proxy_auth required
> acl inet_users external inetusers ProxyUsers
> --------------------------------------
> # TAG: http_access
>
> http_access allow inet_users
> http_access allow localhost
> http_access deny all
> --------------------------------------
>
> I hope that this is enough information to show what it is that I am doing,
> I'm pretty sure those are all the relevent bits. Note that without the
> external ACL, the authentication works perfectly. I would like to restrict
> access to members of the LDAP group "ProxyUsers".
>
> I look forward to any assistance.
>
> Regards,
>
> Chris Mitchell
>
>
>
Received on Thu Nov 29 2007 - 15:45:37 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:03 MST