LinuxQuestions.org

Linux - Server forum: need help with squid_ldap_auth (https://www.linuxquestions.org/questions/linux-server-73/need-help-with-squid_ldap_auth-724159/)

linx win 05-06-2009 11:11 AM

need help with squid_ldap_auth
 
I have a Debian 5.0 box. I installed Webmin 1.470, OpenLDAP 2.4.11 and Squid 2.7.

I migrated my system's groups and users to my LDAP server. In my LDAP server, I created a new group and named it "Internet" under ou=Group,dc=example,dc=lan and gave it gidNumber 200, and made my user "acer" a member of this new group by changing the gidNumber attribute to the gidNumber of the newly created group.

Code:

# ldapsearch -x -b 'dc=example,dc=lan' 'cn=Internet'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=lan> with scope subtree
# filter: cn=Internet
# requesting: ALL
#

# Internet, Group, example.lan
dn: cn=Internet,ou=Group,dc=example,dc=lan
objectClass: posixGroup
objectClass: top
cn: Internet
gidNumber: 200

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Code:

# ldapsearch -x -b 'dc=example,dc=lan' 'uid=acer'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=lan> with scope subtree
# filter: uid=acer
# requesting: ALL
#

# acer, People, example.lan
dn: uid=acer,ou=People,dc=example,dc=lan
uid: acer
cn: acer Laptop
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uidNumber: 1003
homeDirectory: /home/acer
gecos: acer Laptop
loginShell: /bin/bash
gidNumber: 200

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Then I tried the following command:

Code:

/usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "uid=%v" -h 192.168.0.1
acer Internet
OK

But I noticed that it checks the user name only. If I put anything after a valid user name it gives me OK as well, as shown below:

Code:

/usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "uid=%v" -h 192.168.0.1
acer in
OK

However, regardless of this issue, Squid started successfully with squid_ldap_group support. The following is from the cache.log:

Code:

helperOpenServers: Starting 5 'squid_ldap_group' processes

My squid.conf file includes the following:

Code:

external_acl_type LDAP_GROUPS %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "uid=%v" -h 192.168.0.1
acl ALLOWED_GROUPS external LDAP_GROUPS Internet
http_access allow ALLOWED_GROUPS

Now Squid successfully stops all traffic through the cache on the other PCs, saying that authentication is required. However, it does the same even when I log into the other PC as user "acer", who is a member of the Internet group.

If I remove the following line from my squid.conf file, Squid allows all traffic through the cache:

Code:

http_access allow ALLOWED_GROUPS

Is this an LDAP or squid_ldap_group issue? I hope someone can help me as usual.

linx win 05-07-2009 04:51 AM

Update:

According to this howto, I have installed ldapscripts then I deleted the group "Internet", created a new group "Internet" and added the user "acer" to it as follows:

Code:

# ldapdeletegroup Internet
# ldapaddgroup Internet
# ldapaddusertogroup acer Internet

Then, I tried the ldapsearch command as follows:

Code:

# ldapsearch -x -b 'dc=example,dc=lan' 'cn=Internet'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=lan> with scope subtree
# filter: cn=Internet
# requesting: ALL
#

# Internet, Group, example.lan
dn: cn=Internet,ou=Group,dc=example,dc=lan
objectClass: posixGroup
cn: Internet
gidNumber: 65535
description: Group account
memberUid: acer

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

As shown above, acer is now a member of the group Internet, as evidenced by "memberUid: acer". But still no success getting the group authenticated by Squid using login credentials. This is what I get on the other PCs:

Code:

ERROR
Cache Access Denied

While trying to retrieve the URL: http://www.linuxquestions.org/questions/linux-server-73/need-help-with-squidldapauth-724159/

The following error was encountered:

    * Cache Access Denied.

Sorry, you are not currently allowed to request:

    http://www.linuxquestions.org/questions/linux-server-73/need-help-with-squidldapauth-724159/

from this cache until you have authenticated yourself.

You need .....(squid/2.7.STABLE3)

I have no problem whatsoever using ldap_auth. Users get authenticated against their credentials available in the LDAP server. But no success with squid_ldap_group yet. It seems to me it is a filter issue. Any idea is appreciated.

chitambira 05-07-2009 10:38 AM

Quote:

external_acl_type LDAP_GROUPS %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "uid=%v" -h 192.168.0.1

The issue is with your filter. If you check against uid, squid_ldap_group will always check the username bit only. Try using:
-f "cn=%g" instead

linx win 05-07-2009 04:17 PM

Thanks for the hint. I changed the filter to "cn=%g" as you suggested. Accordingly, squid_ldap_group started to check for the group only, so whenever I pass any user name (even invalid names) it will give OK.

Code:

# /usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "(cn=%g)" -h 192.168.0.1
george Internet
OK
geo Internet
OK
george Inter
ERR

As you can see above, it says OK for user geo, but my system and LDAP server have no such user. So I added the memberUid attribute to the filter you suggested, as follows:

Code:

# /usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "(&(cn=%g)(memberUid=%u))" -h 192.168.0.1

and it started to act correctly, as follows:

Code:

# /usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "(&(cn=%g)(memberUid=%u))" -h 192.168.0.1
george Internet
OK
geo Internet
ERR
george Inter
ERR
acer Internet
OK
ac Internet
ERR

Now, it works perfectly. Thanks again.
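The three filters in this thread behave differently because squid_ldap_group only asks one question: does the expanded filter match at least one entry under the search base? The following Python model, added here as an example and not code from Squid or from anyone in the thread, expands a `-f` template the way the helper's `%u`/`%v` (user) and `%g` (group) placeholders are substituted, evaluates the resulting filter against an in-memory copy of the entries from the ldapsearch output above, and returns OK or ERR. The directory contents are constructed from the thread; the entry for "george" and his memberUid are assumed, since the last post shows "george Internet" getting OK. That `%v` means the user is taken from the observed `uid=%v` results. The per-attribute matching rules are approximated (memberUid case-exact, the rest case-insensitive), and user and group names are RFC 4515-escaped before substitution so they are always matched literally.

```python
"""Model of how squid_ldap_group expands its -f template and what each
filter in the thread actually tests.  Added example, not Squid's code."""
import re

# Constructed from the ldapsearch output in the thread; the "george" entry
# and his group membership are assumed (the thread shows him getting OK).
DIRECTORY = [
    {"dn": "uid=acer,ou=People,dc=example,dc=lan",
     "uid": ["acer"], "cn": ["acer Laptop"], "gidNumber": ["200"]},
    {"dn": "uid=george,ou=People,dc=example,dc=lan",      # assumed entry
     "uid": ["george"], "cn": ["george"], "gidNumber": ["200"]},
    {"dn": "cn=Internet,ou=Group,dc=example,dc=lan",
     "cn": ["Internet"], "gidNumber": ["65535"],
     "memberUid": ["acer", "george"]},
]
# nis.schema gives memberUid a case-exact matching rule; cn and uid are
# case-insensitive.  Everything else is treated as case-insensitive here.
CASE_EXACT = {"memberUid"}

def escape_value(value):
    """RFC 4515 escaping of filter metacharacters, so a user or group name
    is matched literally and cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def expand_filter(template, user, group):
    """%u and %v stand for the user name, %g for the group name (the
    thread's 'uid=%v' results show %v is the user)."""
    return re.sub(r"%([uvg])",
                  lambda m: escape_value(user if m.group(1) in "uv" else group),
                  template)

def _parse(s, i):
    """Recursive-descent parser for the RFC 4515 subset used here:
    (attr=value), (&...), (|...) and (!...)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter %r" % s)
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip(), value), j + 1

def parse_filter(text):
    text = text.strip()
    if not text.startswith("("):   # bare "uid=%v" worked in the thread, so accept it
        text = "(" + text + ")"
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data in filter %r" % text)
    return node

def _value_regex(value, flags):
    """Assertion value -> regex: an unescaped '*' is a wildcard, a '\\XX'
    hex escape is the literal character, everything else is literal."""
    pattern, i = "", 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            pattern += re.escape(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        elif value[i] == "*":
            pattern += ".*"
            i += 1
        else:
            pattern += re.escape(value[i])
            i += 1
    return re.compile("^" + pattern + "$", flags | re.DOTALL)

def matches(node, entry):
    op = node[0]
    if op == "=":
        _, attr, value = node
        rx = _value_regex(value, 0 if attr in CASE_EXACT else re.IGNORECASE)
        return any(rx.match(v) for v in entry.get(attr, []))
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1][0], entry)          # "!"

def check(template, user, group, directory=DIRECTORY):
    """The helper's decision: OK if the expanded filter matches at least
    one entry under the search base, otherwise ERR."""
    node = parse_filter(expand_filter(template, user, group))
    return "OK" if any(matches(node, e) for e in directory) else "ERR"

if __name__ == "__main__":
    for template in ("uid=%v", "(cn=%g)", "(&(cn=%g)(memberUid=%u))"):
        print("-f", repr(template))
        for user, group in (("acer", "in"), ("geo", "Internet"),
                            ("george", "Inter"), ("ac", "Internet")):
            print("  %s %s -> %s" % (user, group, check(template, user, group)))
```

Running it reproduces the thread: with `uid=%v` the group token is never substituted, so "acer in" is OK; with `(cn=%g)` the user is never substituted, so "geo Internet" is OK because the group entry exists; only `(&(cn=%g)(memberUid=%u))` ties the user to the group's memberUid values. The escaping step is the caveat a reviewer would look for in any helper that builds a filter from a client-supplied login name: without it, a metacharacter in the name would change what the search means rather than being matched as text.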

