Re: [squid-users] Squid - Domino LDAP Auth (and a little Websphere SSO)

From: Amos Jeffries <[email protected]>
Date: Fri, 30 Nov 2007 14:21:08 +1300 (NZDT)

>
> Happy to do it if it'll make this exercise easier, any particular reason
> why ?

I already mentioned 2.5 being obsolete. Support, Security, Speed,
Stability, Simplicity for a few more.

 - Most of the people you will find providing support do so for 2.6/3.0 now.

 - There are large known security holes in 2.5 and early 2.6's.

 - There has been a lot more work done on bugfixing, speed, memory, and
disk usage optimisations across the 2.6 lifecycle.

 - The 2.6 has also had a fair bit of work done making the squid.conf more
usable. And the official config examples are now only provided in
2.6/3.0. Though it's not entirely there yet.

Making the later 2.6 squid a better proposition than 2.5.

Amos

>
> Regards,
>
> Chris Mitchell
>
> On Fri, 30 Nov 2007, Amos Jeffries wrote:
>
>>>
>>> Greetings,
>>>
>>> Have a bit of a problem trying to get Squid authentication working against
>>> a Lotus Domino LDAP directory. The actual authentication part is OK, if I
>>> want everyone in my Domino directory to have access through Squid it is
>>> not a problem, the real issue arises when I try to filter it based on
>>> group membership.
>>>
>>> I have been through all the past mailing list articles in regards to this
>>> topic, and I've tried a whole bunch of different things, and I'm not
>>> having any luck (my LDAP skills are weak).
>>>
>>> Taking a step back, what I'm actually trying to achieve here is single
>>> sign on between IBM Websphere Portal 6.0 and Squid (2.5.STABLE3), so that
>>
>> Step 1) upgrade your squid to latest release. 2.5 is way obsolete.
>>
>>> after my users sign on to Portal, they are not prompted for their internet
>>> password when they try to visit external sites linked from the portal.
>>> Websphere is already using the Domino LDAP for user authentication, so I
>>> figured that getting the 2 apps authenticating from the same place is a
>>> good start.
>>>
>>> Please find below the relevant pieces of my current squid.conf, if anyone
>>> could shed any light as to what I'm doing incorrectly here, it would be
>>> greatly appreciated.
>>>
>>>
>>> --------------------------------------
>>>
>>> # TAG: auth_param
>>>
>>> auth_param basic program /usr/lib/squid/squid_ldap_auth -b "" -f uid=%s xx.xx.xx.xx
>>> --------------------------------------
>>> # TAG: external_acl_type
>>>
>>> external_acl_type inetusers %LOGIN /usr/lib/squid/squid_ldap_group -b "" -f "(&(cn=%g)(objectClass=groupOfNames)(member=%u))" -F "(&(uid=%s)(objectClass=Person))" xx.xx.xx.xx
>>> --------------------------------------
>>> # TAG: acl
>>>
>>> acl ldap_password proxy_auth required
>>> acl inet_users external inetusers ProxyUsers
>>> --------------------------------------
>>> # TAG: http_access
>>>
>>> http_access allow inet_users
>>> http_access allow localhost
>>> http_access deny all
>>> --------------------------------------
>>>
>>> I hope that this is enough information to show what it is that I am doing,
>>> I'm pretty sure those are all the relevant bits. Note that without the
>>> external ACL, the authentication works perfectly. I would like to restrict
>>> access to members of the LDAP group "ProxyUsers".
>>>
>>> I look forward to any assistance.
>>>
>>> Regards,
>>>
>>> Chris Mitchell
>>>
>>>
>>>
>>
>>
>
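The two-stage lookup that the external_acl_type line in the quoted squid.conf asks squid_ldap_group to perform, replayed in Python against a constructed in-memory directory. This is an added example, not code from the thread, from Squid or from IBM; the directory entries, DNs and the "exactly one user match" rule are assumptions made for the illustration. It assumes the documented squid_ldap_group behaviour: the -F filter locates the user's DN with %s replaced by the login name, then the -f filter is evaluated with %g the group name from the acl line and %u the DN found in the first step, so a groupOfNames entry only matches when its member attribute holds that full DN. Substituted values are escaped per RFC 4515 before they enter the filter, which is what stops a crafted login name such as `cmitchell)(uid=*` from rewriting the query.

```python
import re

# Constructed sample directory, modelled on the thread's Domino layout:
# Person entries carrying uid, and a groupOfNames whose member values are DNs.
# Names and DNs are invented for the example; attribute names are lower-cased
# because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "CN=Chris Mitchell,O=Example": {
        "objectclass": ["Person"], "uid": ["cmitchell"], "cn": ["Chris Mitchell"]},
    "CN=Jane Doe,O=Example": {
        "objectclass": ["Person"], "uid": ["jdoe"], "cn": ["Jane Doe"]},
    "CN=ProxyUsers,O=Example": {
        "objectclass": ["groupOfNames"], "cn": ["ProxyUsers"],
        "member": ["CN=Chris Mitchell,O=Example"]},
}

# The -F and -f templates from the squid.conf quoted above.
USER_FILTER = "(&(uid=%s)(objectClass=Person))"
GROUP_FILTER = "(&(cn=%g)(objectClass=groupOfNames)(member=%u))"


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template, **subs):
    """Replace %s / %u / %g with escaped values, as the helpers do."""
    def repl(m):
        key = m.group(1)
        if key not in subs:
            raise KeyError("no value supplied for %%%s" % key)
        return ldap_escape(subs[key])
    return re.sub(r"%([sug])", repl, template)


def _parse(text, pos):
    # Minimal filter grammar: (&(...)(...)) and (attr=value); enough for the
    # two filters in the thread. Escaped ')' in a value is '\29', so scanning
    # for a literal ')' is safe.
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if text[pos] == "&":
        pos += 1
        children = []
        while text[pos] != ")":
            child, pos = _parse(text, pos)
            children.append(child)
        return ("and", children), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")  # first '=' only: DNs contain '='
    return ("eq", attr.lower(), value), end + 1


def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    if node[0] == "and":
        return all(matches(child, entry) for child in node[1])
    _, attr, raw = node
    values = [v.lower() for v in entry.get(attr, [])]
    if raw == "*":                      # unescaped '*' is a presence test
        return bool(values)
    return ldap_unescape(raw).lower() in values


def search(filter_text):
    """Return the DNs of every entry the filter matches."""
    node = parse_filter(filter_text)
    return [dn for dn, entry in DIRECTORY.items() if matches(node, entry)]


def is_group_member(login, group):
    """Replay squid_ldap_group: -F finds the user's DN, then -f is run with
    %u set to that DN. Assumption for the example: anything other than exactly
    one user match is treated as 'not a member'."""
    dns = search(build_filter(USER_FILTER, s=login))
    if len(dns) != 1:
        return False
    return bool(search(build_filter(GROUP_FILTER, g=group, u=dns[0])))


if __name__ == "__main__":
    for login in ("cmitchell", "jdoe", "*", "cmitchell)(uid=*"):
        print("%-20r member of ProxyUsers: %s" % (login, is_group_member(login, "ProxyUsers")))
```

Running the block shows only `cmitchell` being admitted: `jdoe` exists but is not listed in the group's member attribute, and the two hostile login names come back as no match because the escaping turns their `*`, `(` and `)` into `\2a`, `\28` and `\29`, whereas the raw filter `(uid=*)` would match every Person entry.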
Received on Thu Nov 29 2007 - 18:21:16 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:03 MST