LinuxQuestions.org
Old 05-06-2009, 11:11 AM   #1
linx win
Member
 
Registered: Jan 2004
Posts: 390

Rep: Reputation: 31
need help with squid_ldap_auth


I have a Debian 5.0 box. I installed Webmin 1.470, OpenLDAP 2.4.11 and Squid 2.7.

I migrated my system's groups and users to my LDAP server. In my LDAP server, I created a new group and named it "Internet" under ou=Group,dc=example,dc=lan and gave it gidNumber 200, and made my user "acer" a member of this new group by changing the gidNumber attribute to the gidNumber of the newly created group.

Code:
# ldapsearch -x -b 'dc=example,dc=lan' 'cn=Internet'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=lan> with scope subtree
# filter: cn=Internet
# requesting: ALL
#

# Internet, Group, example.lan
dn: cn=Internet,ou=Group,dc=example,dc=lan
objectClass: posixGroup
objectClass: top
cn: Internet
gidNumber: 200

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Code:
# ldapsearch -x -b 'dc=example,dc=lan' 'uid=acer'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=lan> with scope subtree
# filter: uid=acer
# requesting: ALL
#

# acer, People, example.lan
dn: uid=acer,ou=People,dc=example,dc=lan
uid: acer
cn: acer Laptop
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uidNumber: 1003
homeDirectory: /home/acer
gecos: acer Laptop
loginShell: /bin/bash
gidNumber: 200

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Then I tried the following command:

Code:
/usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "uid=%v" -h 192.168.0.1
acer Internet
OK
But I noticed that it checks the user name only. If I put anything after a valid user name, it also gives me OK, as shown below:

Code:
/usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "uid=%v" -h 192.168.0.1
acer in
OK
However, regardless of this issue, Squid started successfully with squid_ldap_group support. The following is from the cache.log:

Code:
helperOpenServers: Starting 5 'squid_ldap_group' processes
My squid.conf file includes the following:

Code:
external_acl_type LDAP_GROUPS %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "uid=%v" -h 192.168.0.1
acl ALLOWED_GROUPS external LDAP_GROUPS Internet
http_access allow ALLOWED_GROUPS
Now squid successfully stops all traffic through the cache on the other PCs, saying that authentication is required. However, it does the same even when I log into the other PC as user "acer", who is a member of the Internet group.

If I remove the following line from my squid.conf file, squid allows all traffic through the cache:

Code:
http_access allow ALLOWED_GROUPS
Is this an LDAP or squid_ldap_group issue? I hope someone can help me, as usual.
 
Old 05-07-2009, 04:51 AM   #2
linx win
Member
 
Registered: Jan 2004
Posts: 390

Original Poster
Rep: Reputation: 31
Update:

According to this howto, I installed ldapscripts, then I deleted the group "Internet", created a new group "Internet" and added the user "acer" to it as follows:

Code:
# ldapdeletegroup Internet
# ldapaddgroup Internet
# ldapaddusertogroup acer Internet
Then, I tried the ldapsearch command as follows:

Code:
# ldapsearch -x -b 'dc=example,dc=lan' 'cn=Internet'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=lan> with scope subtree
# filter: cn=Internet
# requesting: ALL
#

# Internet, Group, example.lan
dn: cn=Internet,ou=Group,dc=example,dc=lan
objectClass: posixGroup
cn: Internet
gidNumber: 65535
description: Group account
memberUid: acer

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
As shown above, acer is now a member of the group Internet, as evidenced by "memberUid: acer". But still no success getting the group authenticated by squid using login credentials. This is what I get on the other PCs:

Code:
ERROR
Cache Access Denied

While trying to retrieve the URL: http://www.linuxquestions.org/questions/linux-server-73/need-help-with-squidldapauth-724159/

The following error was encountered:

    * Cache Access Denied. 

Sorry, you are not currently allowed to request:

    http://www.linuxquestions.org/questions/linux-server-73/need-help-with-squidldapauth-724159/

from this cache until you have authenticated yourself.

You need .....(squid/2.7.STABLE3)
I have no problem whatsoever using ldap_auth. Users get authenticated against their credentials available in the LDAP server. But no success with squid_ldap_group yet. It seems to me it is a filter issue. Any ideas are appreciated.

Last edited by linx win; 05-07-2009 at 05:06 AM.
 
Old 05-07-2009, 10:38 AM   #3
chitambira
Member
 
Registered: Oct 2008
Location: Fife
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 51
Quote:
external_acl_type LDAP_GROUPS %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "uid=%v" -h 192.168.0.1
The issue is with your filter. If you check against uid, squid_ldap_group will always check the username bit only. Try using:
-f "cn=%g" instead
 
Old 05-07-2009, 04:17 PM   #4
linx win
Member
 
Registered: Jan 2004
Posts: 390

Original Poster
Rep: Reputation: 31
Thanks for the hint. I changed the filter to "cn=%g" as you suggested. Accordingly, "squid_ldap_group" started to check for the group only. So whenever I pass any user name (even invalid names), it will give OK.

Code:
# /usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "(cn=%g)" -h 192.168.0.1
george Internet
OK
geo Internet
OK
george Inter
ERR
As you can see above, it says OK for user geo, but my system and LDAP server have no such user. So I added the memberUid attribute to the filter you suggested as follows:

Code:
# /usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "(&(cn=%g)(memberUid=%u))" -h 192.168.0.1
and it started to act correctly as follows:

Code:
# /usr/lib/squid/squid_ldap_group -v 3 -b "dc=example,dc=lan" -D "cn=admin,dc=example,dc=lan" -w 123456 -f "(&(cn=%g)(memberUid=%u))" -h 192.168.0.1
george Internet
OK
geo Internet
ERR
george Inter
ERR
acer Internet
OK
ac Internet
ERR
Now, it works perfectly. Thanks again.
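The OK/ERR pattern in posts #1 and #4 follows directly from how the helper works: squid_ldap_group expands the -f template with the "user group" pair Squid hands it, runs one LDAP search under the base, and answers OK whenever at least one entry comes back. A filter that names only the user (uid=%v) or only the group (cn=%g) therefore matches as long as that one object exists, and only the AND of a group term and a memberUid term actually tests membership. The script below is an added illustration, not code from the thread or from the Squid project. It rebuilds the three filters from this thread over a small in-memory copy of the directory shown in the ldapsearch output, with two stated assumptions: "george" is listed in memberUid (post #4 returns OK for "george Internet", although the thread never shows that user being added), and %v is treated as the user name, which is how the helper behaved in post #1. The filter values are escaped per RFC 4515 in this example so that a user or group name containing "*", "(" or ")" cannot change the filter's structure; whether the real helper escapes identically is not claimed here.

```python
import re

# Constructed in-memory directory, transcribed from the ldapsearch output in
# this thread. "george" as a memberUid is an assumption made so that the
# results of post #4 can be reproduced; the thread never shows that change.
DIRECTORY = [
    {
        "dn": "cn=Internet,ou=Group,dc=example,dc=lan",
        "objectClass": ["posixGroup"],
        "cn": ["Internet"],
        "gidNumber": ["65535"],
        "description": ["Group account"],
        "memberUid": ["acer", "george"],
    },
    {
        "dn": "uid=acer,ou=People,dc=example,dc=lan",
        "objectClass": ["account", "posixAccount", "top", "shadowAccount"],
        "uid": ["acer"],
        "cn": ["acer Laptop"],
        "uidNumber": ["1003"],
        "gidNumber": ["200"],
    },
]

# RFC 4515 escapes for the characters that carry meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value so it is compared literally inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, user: str, group: str) -> str:
    """Expand %u/%v (user) and %g (group) in a squid_ldap_group -f template.

    A single left-to-right scan is used so that a placeholder-looking
    substring inside a user name is never expanded a second time. A template
    without outer parentheses is wrapped, as the "uid=%v" usage in post #1
    implies (assumption: the real helper accepts both forms).
    """
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in "uvg":
            out.append(ldap_escape(group if template[i + 1] == "g" else user))
            i += 2
            continue
        out.append(template[i])
        i += 1
    expanded = "".join(out)
    return expanded if expanded.startswith("(") else f"({expanded})"


def parse_filter(text: str):
    """Parse the filter subset used in this thread: (attr=value), (&...), (|...)."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data in filter: {text[end:]!r}")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    close = s.index(")", i)  # escaped values never contain a literal ')'
    attr, sep, value = s[i:close].partition("=")
    if not sep:
        raise ValueError(f"bad filter item: {s[i:close]!r}")
    return ("eq", attr, _unescape(value)), close + 1


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry. Comparison is
    case-insensitive, as for OpenLDAP's cn, uid and memberUid attributes."""
    if node[0] == "eq":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    op, children = node
    results = [matches(child, entry) for child in children]
    return all(results) if op == "&" else any(results)


def check_group(template: str, line: str, directory=DIRECTORY) -> str:
    """Mimic one squid_ldap_group request: "user group" in, OK/ERR out.
    OK means the search returned at least one entry, whatever that entry is."""
    user, group = line.split()
    node = parse_filter(build_filter(template, user, group))
    return "OK" if any(matches(node, entry) for entry in directory) else "ERR"


if __name__ == "__main__":
    for template in ("uid=%v", "(cn=%g)", "(&(cn=%g)(memberUid=%u))"):
        print(f"-f {template!r}")
        for line in ("acer Internet", "acer in", "geo Internet", "george Inter", "ac Internet"):
            print(f"  {line:<14} -> {check_group(template, line)}")
```

Running it reproduces the thread: with uid=%v both "acer Internet" and "acer in" answer OK, with (cn=%g) "geo Internet" answers OK although no such user exists, and only the combined filter rejects "geo Internet" and "ac Internet" while accepting "acer Internet". The same combined filter can be verified directly against the real server with ldapsearch by substituting the names by hand, which is a quicker check than restarting Squid after each edit.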
 