
[squid-users] ldap


Tomas Palfi

Dec 19, 2002, 8:35:26 AM

to all,

i'm trying to configure ldap on squid-2.5STABLE1-20021212 to validate users
from active dir on win2000 server, and i'm a bit stuck with the squid.conf
configuration. i'm not having a good time with it, please point me in the
sensible direction of how to test ldap manually from command line and could
you also indicate what acl lines i need in the squid.conf file. (i've been
through the squid_ldap_auth.8 help file as there are references for the
active dir authentication but no success so far).

when parsing the squid.conf file on start, the ldap is unrecognized. do i
need to enable basic authentication for ldap to work?

thanks tomas

--
end


Tomas Palfi

Dec 19, 2002, 10:02:35 AM

it seems to me that running squid on sol7 and making it talk to active dirs
on win2000 via ldap must be the strangest thing to do. i didn't get any
response?? and am really stuck with this.

Dan Cave

Dec 19, 2002, 10:25:50 AM

Thomas,

I believe that you need to compile basic ldap support into squid using the
following

compile --enable-ldap --enable-ldap-authentication {config to that sort of
thing.. my net access is down atm, so you'll need to check the faq/howto }

There is more relevant information in the squid faq...

Also, it might help if you can do basic ldap authentication using the
openldap "ldapsearch" tool

ldapsearch -h ldapserver "userx"
{{{ returns ldap user information }}}

Then again, knowing MS Active directory, it might barf up.. I know a few ppl
who've had auth problems with active directory...

Dan.

Henrik Nordstrom

Dec 19, 2002, 1:04:22 PM

The ldap authentication helper is a basic authentication scheme
helper.


auth_param basic program /path/to/squid_ldap_auth ...


As for testing: All basic scheme auth helpers can be tested in the
same manner. Just fire up the helper with the correct command line
arguments as documented in the documentation to the specific helper
and then type

username <space> password <enter>

If successful the helper will respond with OK, else with ERR.

Regards
Henrik
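
Added example, not part of the original post or of the Squid distribution: a small shell wrapper for the manual test described above, which sends one "username password" line to a basic-scheme helper and classifies the reply. The stand-in helper, the account "alice" / "correct-horse" and the function names are constructed for illustration; a helper that dies before answering is reported separately from ERR.

```shell
#!/bin/sh
# probe_helper USER PASSWORD HELPER [ARGS...]
# Writes "USER PASSWORD" on the helper's stdin and classifies the first
# reply line. Returns 0 on OK, 1 on ERR (or any other reply), 2 if the
# input cannot be sent safely, 3 if the helper died without answering.
probe_helper() {
    user=$1; pass=$2; shift 2
    nl='
'
    tab=$(printf '\t')
    # One request per line, fields split on a space: whitespace in the
    # username or a newline in the password would change the request.
    case "$user" in
        ''|*" "*|*"$tab"*|*"$nl"*) echo "unsafe username" >&2; return 2 ;;
    esac
    case "$pass" in
        *"$nl"*) echo "unsafe password" >&2; return 2 ;;
    esac
    # Credentials travel over stdin, not argv, so they stay out of `ps`.
    # The helper's stderr is left visible so loader errors can be read.
    reply=$(printf '%s %s\n' "$user" "$pass" | "$@" | head -n 1) || true
    case "$reply" in
        OK*) return 0 ;;
        '')  echo "helper gave no reply (crashed or failed to start?)" >&2
             return 3 ;;
        *)   return 1 ;;
    esac
}

# Constructed stand-in for squid_ldap_auth so the example runs offline;
# the account "alice" / "correct-horse" is made up for this example.
stub_helper() {
    while IFS= read -r request; do
        if [ "$request" = "alice correct-horse" ]; then echo OK; else echo ERR; fi
    done
}

# Against a real helper, pass its path and documented arguments instead:
#   probe_helper "$user" "$pass" /path/to/squid_ldap_auth ...
if probe_helper alice correct-horse stub_helper; then
    echo "stub helper accepted the constructed account"
fi
```
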

Henrik Nordstrom

Dec 19, 2002, 1:13:26 PM

On Thursday 19 December 2002 15.55, Dan Cave wrote:

> I believe that you need to compile basic ldap support into squid
> using the following
>
> compile --enable-ldap --enable-ldap-authentication {config to that
> sort of thing.. my net access is down atm, so you'll need to check
> the faq/howto }

No, the LDAP auth helper is a basic scheme helper, and the LDAP group
helper is an external_acl helper.

Squid configure directives:


--enable-auth=basic (the default unless you specify something else)

--enable-basic-auth-helpers="LDAP"

--enable-external-acl-helpers="ldap_group"


squid.conf directives


auth_param basic program /usr/local/squid/libexec/squid_ldap_auth ....
auth_param basic ... [as in the default squid.conf, modify to suit your needs]

external_acl_type LDAP_group %LOGIN /usr/local/squid/libexec/squid_ldap_group ....

acl ldap_group_1 external LDAP_group a_ldap_group_name

Note: as with most acl types in Squid you can list multiple group
names in an "external LDAP_group acl"


> ldapsearch -h ldapserver "userx"
> {{{ returns ldap user information }}}
>
> Then again, knowing MS Active directory, it might barf up.. I know
> a few ppl who've had auth problems with active directory...

My tests with MSAD have been quite reliable using LDAP.

However, you might need to specify a valid account to be allowed to
perform searches. See the LDAP helpers documentation.


Regards
Henrik

Tomas Palfi

Dec 20, 2002, 9:50:43 AM

to all,

could you have a look at this one please. this is the result of a ldap
command line test. compilation and installation of squid was ok, these lib
files are in the file system /usr/local/lib/ before squid installation i
installed openldap and the correct libraries and the permissions are 755 on
the sym links and the actual files.


./squid_ldap_auth -u cn -b cn=Users,dc=our,dc=domain ldap-server-name
ld.so.1: ./squid_ldap_auth: fatal: libldap.so.2: open failed: No such file or directory
Killed

i have tried the same with another installation of squid that is located in
its default dir [/usr/local/squid] and the same problem persists.

thank you

Tomas Palfi

Dec 20, 2002, 10:34:57 AM

alexandre and all,

my apologies i should have been more explicit. it's stable squid
installation squid-2.5STABLE1-20021212 on solaris sparc 7. i have previously
installed openldap with these options disabled --disable-ldbm
--disable-slapd

i'm running squid on two servers and only lately i needed to configure ldap
to talk to our win2000 servers - and believe it or not i'm still at it.
henrik helped me a lot last night and you all, but still this is something i
can't debug myself.

./squid_ldap_auth -u cn -b cn=Users,dc=our,dc=domain ldap-server-name
ld.so.1: ./squid_ldap_auth: fatal: libldap.so.2: open failed: No such file or directory
Killed

i seem to be getting there step by step (or rather mail by mail to the squid
group) thank you all for help

tomas

-----Original Message-----
From: Alexandre [mailto:asau...@fazenda.sp.gov.br]
Sent: 20 December 2002 15:10
To: Tomas Palfi
Subject: Re: [squid-users] ldap


hi Tomas
you need to have a libldap.so.2 in your system !
install the openldap package and this problem will go away
what O.S you have
Linux, Solaris, ... ... ... ?
