LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-23-2009, 08:17 AM   #1
EricTRA
Guru
 
Registered: May 2009
Location: Barcelona, Spain
Distribution: LMDE + Linux 3.2.0-1.dmz.6-amd64, RHEL5+6, Multiple testing
Posts: 6,193
Blog Entries: 1
Using LDAP authentication only on one cache_peer in Squid


Hello all,

I'm trying to configure Squid to ask for authentication using LDAP but ONLY on one cache_peer. Before I had it activated on all servers and it worked perfectly. All the other webservers however have their own authentication except this wiki.

This is what I have in my squid.conf in regards to this particular site.
Code:
cache_peer 172.25.XXX.XXX parent 80 0 no-query originserver name=wiki
acl site_wiki dstdomain wiki.tradisa.com
cache_peer_access wiki allow site_wiki
auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=es" -D "cn=squid,cn=Users,dc=domain,dc=es" -w "ldapuser" -f sAMAccountName=%s -h 172.25.XXX.XXX
auth_param basic children 1
auth_param basic credentialsttl 5 minutes
cache_peer_access wiki deny all
acl wiki_users proxy_auth REQUIRED
cache_peer_access wiki allow wiki_users
However, I go straight to the website without it asking for authentication.

LDAP authentication is working perfectly, it's just an error in my definition as stated above. I'm missing something but I cannot see it. Of course IPs and names have been changed before posting.

All help is greatly appreciated.

Kind regards,

Eric
 
Old 11-24-2009, 08:02 AM   #2
EricTRA
Original Poster
Update Squid and LDAP

Hi all,

Small update. With the help of the squid mailing list I got some things changed already. My peer config looks like this for the one that has to authenticate.

Code:
other peer definitions

cache_peer 172.25.XX.XX parent 80 0 no-query originserver name=wiki
auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=es" -D "cn=squid,cn=Users,dc=domain,dc=es" -w "ldapuser" -f sAMAccountName=%s -h 172.25.XX.XXX
auth_param basic children 1
auth_param basic credentialsttl 5 minutes
acl site_wiki dstdomain wiki.domain.com
acl wiki_users proxy_auth REQUIRED
cache_peer_access wiki allow site_wiki
cache_peer_access wiki allow wiki_users

other peer definitions

http_access deny site_people CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow localhost
http_reply_access allow all
http_access allow wiki_users site_wiki
http_access allow all
Trouble is that now I get prompted for ALL the peers to pass the credentials, which is not what I want. I'm going nuts with this thing. I know it has something to do with the sequence the lines are in, but I cannot see the trees through the forest any more.

Any help is greatly appreciated.

Kind regards,

Eric
 
Old 11-27-2009, 01:09 AM   #3
EricTRA
Original Poster
Hi guys and girls,

Is there really nobody who has an idea on this one?

<bump>

Kind regards,

Eric
 
Old 12-03-2009, 02:01 AM   #4
EricTRA
Original Poster
Hi,

I've been looking all over Google for quite some time now without finding a solution. Is there anybody that can help me out on this one please?

Thanks in advance.

Kind regards,

Eric
 
Old 12-03-2009, 07:46 AM   #5
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 420

Quote:
Originally Posted by EricTRA
Hi,

I've been looking all over Google for quite some time now without finding a solution. Is there anybody that can help me out on this one please?

Thanks in advance.

Kind regards,

Eric
You have an acl for wiki_user, manager, etc., but you are not declaring them beforehand.


Code:
other peer definitions

cache_peer 172.25.XX.XX parent 80 0 no-query originserver name=wiki
auth_param basic program /lib/squid3/squid_ldap_auth -R -b "dc=domain,dc=es" -D "cn=squid,cn=Users,dc=domain,dc=es" -w "ldapuser" -f sAMAccountName=%s -h 172.25.XX.XXX
auth_param basic children 1
auth_param basic credentialsttl 5 minutes
acl site_wiki dstdomain wiki.domain.com
acl wiki_users proxy_auth REQUIRED
cache_peer_access wiki allow site_wiki
cache_peer_access wiki allow wiki_users
acl ldap_manager ldap_auth static 'CN=Manager,OU=Users,dc=domain,dc=es'
acl ldap_wikiusers ldap_auth static 'CN=wiki_users,OU=Users,dc=domain,dc=es'

other peer definitions

http_access deny site_people CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow localhost
http_reply_access allow all
http_access allow wiki_users site_wiki
http_access allow all
 
Old 12-03-2009, 08:01 AM   #6
EricTRA
Original Poster
Hello slimm609,

First of all let me thank you for replying. I just changed my config to include the line you pointed out but got an error:
Code:
Starting Squid HTTP Proxy 3.0: squid32009/12/03 13:56:01| aclParseAclLine: Invalid ACL type 'ldap_auth'
I cannot find anything about a ldap_auth type in the documentation.

Kind regards,

Eric
 
Old 12-03-2009, 09:04 AM   #7
slimm609
Quote:
Originally Posted by EricTRA
Hello slimm609,

First of all let me thank you for replying. I just changed my config to include the line you pointed out but got an error:
Code:
Starting Squid HTTP Proxy 3.0: squid32009/12/03 13:56:01| aclParseAclLine: Invalid ACL type 'ldap_auth'
I cannot find anything about a ldap_auth type in the documentation.

Kind regards,

Eric
I think there is an additional module for the ldap_auth to work. Sorry about that.

Check out this site; it looks pretty straightforward.
http://workaround.org/squid-ldap
 
Old 12-03-2009, 10:00 AM   #8
EricTRA
Original Poster
Thanks, I'll look into it tomorrow when I'm back in the office. I'll keep you up to date.

Kind regards,

Eric
 
Old 12-04-2009, 02:29 AM   #9
EricTRA
Original Poster
Hello slimm609,

That's a No Go, I get the same result as before. I can activate the LDAP authentication and it's perfectly working. The problem I'm having is that when activated it gets applied to ALL the servers in the Squid configuration and I only want it to apply to the WIKI site.

All the other sites have their login page working with LDAP against our AD, but the WIKI shows all content at once. Since a lot of that content is private I prefer to authenticate before showing that site.

The other option is to create a login page for the wiki in order to have the same workflow as for the other servers/sites.

It appears to be impossible to just indicate to use the LDAP authentication on just one peer in the configuration. Looks like an all or nothing situation.

Any ideas are more than welcome.

Kind regards,

Eric
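Added example (editor's illustration, not code from the thread or from the Squid project): a small Python model of how Squid walks http_access lines, used to show why the order of ACLs on one line decides which requests get the authentication prompt. It replays the two relevant lines from post #2 (`http_access allow wiki_users site_wiki` followed by `http_access allow all`) against a reordered version in which the dstdomain ACL comes first and the proxy_auth ACL last, with an explicit `http_access deny site_wiki` so that a failed login for the wiki cannot fall through to `allow all`. The model assumes, as Squid's documentation describes, that ACLs on one line are ANDed left to right and that a proxy_auth ACL evaluated on a request without credentials produces a 407 challenge on the spot; it simplifies wrong credentials to a plain non-match, and the user names and host names are constructed stand-ins for the LDAP directory and the sites in the thread.

```python
"""Model of Squid http_access evaluation (added example, not Squid's own code).

Modelled assumptions, simplified from Squid's documented behaviour:
  * ACLs on one http_access line are ANDed and evaluated left to right;
    evaluation of that line stops at the first ACL that does not match.
  * When a proxy_auth ACL is evaluated and the request carries no
    credentials, Squid answers 407 (challenge) immediately, whatever the
    allow/deny outcome of the line would have been.
  * Credentials that do not validate simply make the proxy_auth ACL fail.
  * If no line matches, the default is the opposite of the last line's action.
"""
from typing import Dict, List, Optional, Tuple

VALID_USERS = {"alice"}  # constructed stand-in for the LDAP/AD directory

Acl = Tuple[str, Optional[str]]   # (acl type, argument)
Rule = Tuple[str, List[str]]      # ("allow" | "deny", [acl names, '!' negates])

CHALLENGE = "challenge"


def acl_matches(acl: Acl, host: str, user: Optional[str]):
    """Return True/False, or CHALLENGE for a proxy_auth ACL seen without credentials."""
    kind, value = acl
    if kind == "dstdomain":
        return host == value
    if kind == "proxy_auth":          # the thread uses 'proxy_auth REQUIRED'
        if user is None:
            return CHALLENGE
        return user in VALID_USERS
    if kind == "all":
        return True
    raise ValueError(f"unsupported ACL type {kind!r}")


def http_access(rules: List[Rule], acls: Dict[str, Acl],
                host: str, user: Optional[str] = None) -> str:
    """Walk http_access lines in squid.conf order; return 'allow', 'deny' or '407'."""
    for action, names in rules:
        line_matches = True
        for name in names:
            negated = name.startswith("!")
            result = acl_matches(acls[name.lstrip("!")], host, user)
            if result == CHALLENGE:
                return "407"          # challenge sent as soon as the auth ACL is hit
            if negated:
                result = not result
            if not result:
                line_matches = False  # AND failed: skip to the next line
                break
        if line_matches:
            return action
    # no line matched: Squid applies the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"


ACLS: Dict[str, Acl] = {
    "site_wiki": ("dstdomain", "wiki.domain.com"),
    "wiki_users": ("proxy_auth", "REQUIRED"),
    "all": ("all", None),
}

# Lines as posted (post #2): the auth ACL is evaluated first on every request.
#   http_access allow wiki_users site_wiki
#   http_access allow all
POSTED: List[Rule] = [("allow", ["wiki_users", "site_wiki"]),
                      ("allow", ["all"])]

# Reordered: dstdomain first, so the auth ACL is only reached for the wiki,
# plus an explicit deny so a failed login cannot fall through to 'allow all'.
#   http_access allow site_wiki wiki_users
#   http_access deny site_wiki
#   http_access allow all
REORDERED: List[Rule] = [("allow", ["site_wiki", "wiki_users"]),
                         ("deny", ["site_wiki"]),
                         ("allow", ["all"])]


def decide(rules: List[Rule], host: str, user: Optional[str] = None) -> str:
    """Convenience wrapper using the thread's ACL definitions."""
    return http_access(rules, ACLS, host, user)


if __name__ == "__main__":
    cases = (("intranet.domain.com", None), ("wiki.domain.com", None),
             ("wiki.domain.com", "alice"), ("wiki.domain.com", "mallory"))
    for label, rules in (("posted", POSTED), ("reordered", REORDERED)):
        for host, user in cases:
            print(f"{label:9} {host:20} user={str(user):8} -> {decide(rules, host, user)}")
```

Run as a script, the "posted" order returns 407 for every host, including ones that have nothing to do with the wiki, which is the symptom described in post #2; the "reordered" rules only challenge for wiki.domain.com, let other peers through untouched, and turn a failed wiki login into a deny instead of letting it reach `allow all`.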