OPENLDAP + SQUID

Hi everyone,

I am setting up a server with squid + ldap but I am having some problems… I will show my scenario so that we can find a solution…

Server 01: SAMBA PDC + LDAP
Server 02: SQUID + DNS + APACHE

Scenario:

I installed and configured samba + openldap perfectly… I register users, I joined the machines to the domain, everything perfect.

On server 2 apache is working wonderfully and the dns resolves names for meudominio.com internally and externally.

Now I am building a mechanism for squid to authenticate against the openldap database that is on server01.

When I try to run the command below, the console just sits there thinking and thinking as if it had not found the ldap server.

squid_ldap_auth -v3 -ZZ -b "ou=Users,dc=meudominio,dc=com" -h 192.168.10.250 admuser admpasswd

Squid starts normally and shows no errors, not even when I run the command…

Below are the lines of my squid.conf relating to ldap authentication.

external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -ZZ -b "ou=Group,dc=meudominio,dc=com" -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B "ou=Users,dc=meudominio,dc=com" -F uid="%s" 192.168.10.250 389

acl password proxy_auth REQUIRED
acl password_group external ldap_group #grupos#
acl password_ external ldap_group #grupos#

http_access allow password_group

I know it is not a common case, but I need to make my squid authenticate against the openldap base that is on another server… and after that I will still have to do postfix too… hehehe… but that is another subject…

Thanks in advance for all the help!!!


# squid_ldap_auth -v3 -ZZ -b "ou=Users,dc=meudominio,dc=com" -h 192.168.10.250 admuser admpasswd

Since LDAP is on another machine did you check that you have allowed port 389 incoming on that machine?

What about ldapsearch to that machine, does it work?

Also -h is discouraged these days, you should use -H ldap://192.168.10.250 instead, if the -H ldapurl option is supported.

hi…

Yes… my ldap is on another machine… but this connection is open for all clients in my network…

The ldap server receives the connection but no pass… I don't see any error… apparently squid doesn't get the user to pass… but the ldap server receives the request and verifies user and pass…

How do I configure squid.conf with the -H option?

Thanks

The -H option is in ldapsearch as preferred to -h. I’m assuming that squid_ldap_auth has that option also.

You could test squid_ldap_auth from the command line without squid, might save you some debugging time. IIRC it takes a username and a password on stdin (I don’t remember on separate lines or on the same line separated by space or what, but you can search for it) and prints out OK or ERR (I think) depending on whether the authentication succeeded.
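The two checks suggested in this thread, an ldapsearch from the Squid machine to see whether the LDAP host answers at all, and feeding credentials to the helper by hand to see whether it says OK or ERR, written up as a small shell script. This is an added example, not code from the thread or from the Squid project. It assumes the auth helper lives at /usr/sbin/squid_ldap_auth next to the poster's /usr/sbin/squid_ldap_group, that OpenLDAP's ldapsearch is installed on the Squid box, and that the helpers speak Squid's helper protocol: one request line on stdin ("username password" for the basic-auth helper, "username group" for the external ACL helper configured with %LOGIN), answered by one line on stdout starting with OK or ERR. The group name "grupos" stands in for the poster's #grupos# placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid: drive the LDAP
# helpers by hand and check LDAP reachability from the proxy machine.
# Assumed (not in the thread): helper at /usr/sbin/squid_ldap_auth, the
# OpenLDAP ldapsearch client installed, and the standard helper protocol
# (one request line on stdin -> one "OK"/"ERR ..." line on stdout).

LDAP_HOST=192.168.10.250                    # values from the thread
LDAP_PORT=389
USER_BASE="ou=Users,dc=meudominio,dc=com"
GROUP_BASE="ou=Group,dc=meudominio,dc=com"
AUTH_HELPER=/usr/sbin/squid_ldap_auth        # assumed path
GROUP_HELPER=/usr/sbin/squid_ldap_group      # from the poster's squid.conf

# Connectivity check: anonymous search for one user's DN (1.1 = return no
# attributes), using -H with an LDAP URI instead of the older -h/-p.
# Exit 0 and a printed dn: the server answers and the base DN is right.
# A long silence here, not an error, is what a filtered port 389 looks like.
ldap_reachable() {
    ldapsearch -x -H "ldap://$LDAP_HOST:$LDAP_PORT" -b "$USER_BASE" \
        -s sub "(uid=$1)" 1.1
}

# The verdict is the first word of the helper's reply; anything after it
# (e.g. message="...") is free text meant for the admin.
helper_verdict() {
    printf '%s\n' "${1%% *}"
}

# Send one request line to a helper exactly as Squid would and map the
# reply: 0 = OK, 1 = ERR, 2 = anything else (wrong binary, usage text,
# crash before answering). Closing stdin after the line makes the helper exit.
# Usage: helper_ask "FIELD1 FIELD2" HELPER [HELPER-ARGS...]
helper_ask() {
    request=$1; shift
    reply=$(printf '%s\n' "$request" | "$@" | head -n 1)
    case $(helper_verdict "$reply") in
        OK)  return 0 ;;
        ERR) return 1 ;;
        *)   printf 'unexpected helper reply: %s\n' "$reply" >&2; return 2 ;;
    esac
}

# Basic-auth helper: the request line is "username password".
# Usage: auth_check USER PASS HELPER [HELPER-ARGS...]
auth_check() {
    user=$1; pass=$2; shift 2
    helper_ask "$user $pass" "$@"
}

# External ACL helper configured with %LOGIN: the request line is "username group".
# Usage: group_check USER GROUP HELPER [HELPER-ARGS...]
group_check() {
    user=$1; group=$2; shift 2
    helper_ask "$user $group" "$@"
}

# Walk-through against the thread's setup (needs the real helpers and network).
# "grupos" is a placeholder for the poster's #grupos# group name.
if [ "${1:-}" = run ]; then
    ldap_reachable admuser || echo "ldapsearch failed: rc=$?"
    auth_check admuser admpasswd "$AUTH_HELPER" -v3 -ZZ -b "$USER_BASE" -h "$LDAP_HOST" \
        && echo "auth: OK" || echo "auth: rc=$? (1=ERR, 2=no usable reply)"
    group_check admuser grupos "$GROUP_HELPER" -ZZ -b "$GROUP_BASE" \
        -f "(&(objectclass=posixGroup)(cn=%a)(member=%v))" \
        -B "$USER_BASE" -F "uid=%s" "$LDAP_HOST" \
        && echo "group: OK" || echo "group: rc=$?"
fi
```

Run the connectivity check with a user known to exist before touching squid.conf: a hang at that point, rather than an ERR from the helper, points at the network path to port 389 instead of at Squid. The -ZZ in the thread's commands demands StartTLS, so the LDAP server has to be set up for it; running the same checks once without -ZZ separates TLS configuration problems from plain connectivity problems. Newer Squid releases ship the same helpers under the names basic_ldap_auth and ext_ldap_group_acl and expect the fields on the request line to be URL-encoded, which only matters for credentials containing spaces or percent signs.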