Linux with squid, authenticating against ldap server

Hi, well after several hours and hours of trying I'll need to ask for help! :confused:

Here's the deal:

Currently I'm setting up a linux machine with squid-cache. So I have the linux machine running ubuntu server 8, it's working well, the squid proxy works fine if I set it to allow all requests from the internal network. So I know all of that is working and my ubuntu server is cool in terms of its network settings and all of that.

Now...

Obviously this needs to change now so that users authenticate with the proxy, which gives me control over their internet usage. We have an OS X Server running OpenDirectory (LDAPv3) and I want users to authenticate with that server. So if a user belongs to the group 'internet' and they go to a website, then they have to authenticate with the proxy using their LDAP username and pass, once authenticated and they are part of the group 'internet' then they can browse and go mad.

The trouble though is the authentication part. Up to this point I've tried various things and none seem to work. In squid.conf I changed the basic_auth to /usr/lib/squid/ldap_auth. I know this requires a string that contains the factors involved with verifying the username & passwords.

Then comes the part with the ACLs and how to set that so that the proxy always requires authentication and will allow a user once he/she is authenticated.

Any idea?! Cause I'm out of ideas and luck.

This is the first line where I specify to use ldap_auth in squid.conf:
auth_param basic program /usr/lib/squid/ldap_auth -b "cn=users,dc=saect,dc=private" -f uid=%s -D "cn=saectproxy,cn=users,dc=saect,dc=private" -w "saectproxy" -h 10.0.0.2

Later on in the ACL section:
acl ldap proxy_auth REQUIRED

Further on under http access section:
http_access allow ldap

I based this on a howto using PAM authentication...

It's obviously wrong as it's not working but I'm not sure where to look in order to figure out what is the problem.

Any help will be MUCH appreciated :D
 
Have you tried running that ldap_auth command just from the terminal rather than through squid to see what it returns? (I don't use squid so I am guessing that ldap_auth is an actual program that can be run from the command line)
 
Apparently you can do that according to this one site, however when I try it nothing happens :(

If you do /usr/lib/squid/ldap_auth with that string it just 'hangs', doesn't give you any output and you have to break to return to the command line. What really bugs me is that on the LDAP server it shows no sign that something is trying to query it. If I use something like ldapsearch then it works and returns info from the LDAP server, which just indicates to me that I can query the LDAP server just fine.
 
ldap_auth is probably waiting for you to pass it the info it's meant to stick into the filter.

try piping an echo to it like so:
echo "username" | /usr/lib/squid/ldap_auth ...

Edit: actually don't pipe to it. It is waiting for a username and password to be entered at the command line. Enter the username then a single space then the password and press enter. It should now return a result.
 
Also make sure your ldap server allows protocol version 2 binds, or force ldap_auth to use version 3 with the -v 3 argument.
 
Check the squid log file to see if your LDAP authentication process is starting. Do you specify how many processes to start in your squid config file?
 
I did a tail -f on all 3 of the squid log files and none of them actually show anything related to LDAP authentication... are there more than the 3 in /var/log/squid?

Ok, I followed this link...
http://www.cyberciti.biz/tips/howto-configure-squid-ldap-authentication.html

Did exactly what they did, just adjusted things to my server details.

This is what I get when I type the following:
psrvadmin@saectproxy:~$ /usr/lib/squid/ldap_auth -b "dc=saectsrv,dc=saect,dc=private" -f "uid=%s" saectsrv.saect.private
saectproxy proxypass
ERR Success

It keeps returning ERR, even though the pass is correct; if I deliberately type the password wrong, then it also says ERR Success.

*sigh*
 
This is how mine looks. Mine is for a Novell ldap server so the ldap looks a bit different. Also I specify a ldap user name and password to authenticate against the ldap server.

auth_param basic program /usr/sbin/squid_ldap_auth -b o=XXX -f "(&(&(objectClass=person)(cn=%s))(groupMembership=cn=Internet,o=XXXX))" -u cn -s sub -D cn=SQUIDLDAP,ou=SERVICES,ou=XXX,o=XXXX -w squid -h xx.xx.xx.xx
auth_param basic children 10
auth_param basic realm XXX proxy server
auth_param basic credentialsttl 2 hour
auth_param basic casesensitive off
acl password proxy_auth REQUIRED
http_access allow password all
http_access deny all
never_direct allow all
 
SUCCESS!!!!

Finally got this to work! icyrus your tip on -v 3 did the trick. When I had it in, my search base was wrong and I then stopped adding -v 3 thinking it didn't work lol ;)

I now have squid doing authenticated binding to the OpenDirectory LDAPv3 server, which is running OS X Server 10.5.4. All the usernames and things are working the way they should, now I just need to tweak it and get the group 'internet' to be part of the equation.

What a mission this was. Seeing as I'm not entirely clued up with everything linux and all.

Thanks again for that tip! One head-ache solved a few to go :P
 
New question. I'm having trouble combining two parts in the filter area. If I do an ldapsearch with -t "uid=jlinde" I get the required response; if I do the same and change it to -t "(&(objectClass=apple-group)(cn=internet)" I also get the required result.

How do I combine the two though? So that if the user belongs to the internet group, then it will allow the authentication when using ldap_auth?
 
Yep, sorry, didn't make that part very clear ;)

What I'm not so clear about is when I do a search on say jlinde, in the search result there are no fields that mention it's part of the group 'internet'. Is this normal? Just wondering if it's not maybe just OpenDirectory on OS X? If I search the group internet then it returns a field memberUid=jlinde
 
Just a question - Why not use the packaged squiddie / cache on the OSX server - It supports pretty tight integration with the OpenDirectory services out of the box AFAIK.

Although this was an informative thread :)
 
To my knowledge, OS X 10.5 Server only has the Apache proxy, which out of the box is half broken. If you configure it via Server Admin, it just doesn't work. Apart from that I don't want to run a gazillion services on the same server. Even though it's a powerful high-spec Xserve, it's just generally not good practice to have one machine doing file serving, caching, DNS, iCal services, web services etc. Caching is pretty intensive on RAM from what I understand, which is why I'm opting to separate it from the server.
 
This is so frustrating.... trying to get a user that is part of a group to authenticate. I have tried the above link and that doesn't work. Tried a ton of variations and nothing. *sigh* Has anyone tried an authentication where a user must be part of a certain group, but using an OS X OpenDirectory LDAP server which you authenticate against?
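An added example (not from this thread or from the squid project) of how the group question above is usually solved in squid: ldap_auth keeps doing the password check, and a second helper, squid_ldap_group, answers "is this login in group X?" by searching the group entry for the memberUid attribute that the ldapsearch on 'internet' returned. Assumed: the helper path /usr/lib/squid/squid_ldap_group from Ubuntu's squid package, a cn=groups container under the thread's base DN, the %u (login) and %g (group) placeholders of the helper's -f filter, and -W for reading the bind password from a file instead of putting it in squid.conf.

```conf
# Password check stays with ldap_auth, the line that already works (-v 3 included).
# -W reads the bind password from a root-only file (assumed option); if your
# build lacks it, -w "password" as in the thread still works.
auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b "cn=users,dc=saect,dc=private" -f "uid=%s" -D "cn=saectproxy,cn=users,dc=saect,dc=private" -W /etc/squid/ldap_bind.secret -h 10.0.0.2
auth_param basic children 5
auth_param basic realm SAECT proxy
auth_param basic credentialsttl 2 hours

# Group check: squid hands the authenticated login (%LOGIN) plus the group name
# from the acl line to squid_ldap_group, which looks for a group entry that is
# named %g AND lists the login in memberUid. Searching the group, not the user,
# is what makes this work on OpenDirectory, where the user entry carries no
# group attribute. cn=groups as the search base is an assumption.
external_acl_type ldap_group ttl=300 %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "cn=groups,dc=saect,dc=private" -f "(&(objectClass=apple-group)(cn=%g)(memberUid=%u))" -D "cn=saectproxy,cn=users,dc=saect,dc=private" -W /etc/squid/ldap_bind.secret -h 10.0.0.2

acl ldap proxy_auth REQUIRED
acl internet external ldap_group internet

# Order matters: the proxy_auth acl first forces the 407 challenge, and only a
# login that also passes the group lookup is allowed; everyone else is denied.
http_access allow ldap internet
http_access deny all
```

To test the group helper on its own, run it from a terminal with the same arguments and type "jlinde internet" on one line; it answers OK or ERR, and squid -k parse checks the config before reloading.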
 