Re: [squid-users] Helpers and TLS over LDAP

2004-01-04 Thread Antonio Manfreda
Then I have noticed a very strange issue about the helper.

I am using Squid 2.5STABLE4 on Linux RedHat 9.0 without patches (I know
there is a patch about squid_ldap_group but the problem I have experienced
is about squid_ldap_auth).

I have compiled Squid enabling all the helpers for testing purposes.

My LDAP server is OpenLDAP 2.0.27-8 installed from RedHat 9.0 RPMs files.

I run the LDAP server in debug mode from command line as follows (everything
seems to be OK about TLS configuration):

slapd -d 1 -h ldap:/// ldaps:///

When I issue the command:

/usr/bin/ldapsearch -x -b 'ou=People,dc=tesi,dc=edu' -s sub '(uis=myusername)' -D cn=BindUser,ou=People,dc=tesi,dc=edu -W -ZZ -h myldap.test.edu

everything works fine (also with -Z instead of -ZZ it works of course): the
server asks for password, the authentication works and the communication is
encrypted.

Moreover if I use the helper from command line as follows:

/usr/local/squid/libexec/squid_ldap_auth -b ou=People,dc=tesi,dc=edu -f uid=%s -s sub -D cn=BindUser,ou=People,dc=tesi,dc=edu -w binduserpassword -h myldap.test.edu

and I write a username and the correct password I get OK from the helper,
that is to say it is working fine in plain text (of course I get ERR from a
wrong username and/or password).

Now, if I simply add -Z to the former line:

/usr/local/squid/libexec/squid_ldap_auth -b ou=People,dc=tesi,dc=edu -f uid=%s -s sub -D cn=BindUser,ou=People,dc=tesi,dc=edu -w binduserpassword -Z -h myldap.test.edu

and I try and verify user credentials I get the error:

Could not Activate TLS connection

Is this a bug? Or maybe am I missing something in Squid or OpenLDAP?

The output from OpenLDAP debug mode is as follows:

## not working bind with squid_ldap_auth and -Z

connection_get(8): got connid=1
connection_read(8): checking for input on id=1
ber_get_next
ber_get_next on fd 8 failed errno=0 (Success) - this should be the clue
connection_read(8): input error=-2 id=1, closing.
connection_closing: readying conn=1 sd=8 for close
connection_close: conn=1 sd=8
TLS trace: SSL3 alert write:warning:close notify


###

## working bind with ldapsearch -ZZ

connection_get(8): got connid=2
connection_read(8): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 62 contents:- This works
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({iat) ber:
ber_scanf fmt (o}) ber:
do_bind: version=3 dn=cn=BindUser,ou=People,dc=tesi,dc=edu method=128


I have omitted the beginning of the communication which is the same for both
cases.

Thank you in advance.

Antonio Manfreda

- Original Message - 
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Antonio Manfreda [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, January 04, 2004 12:20 AM
Subject: Re: [squid-users] Helpers and TLS over LDAP


> On Sat, 3 Jan 2004, Antonio Manfreda wrote:
>
> > When using the -Z option do I need a client certificate for connection
> > between the helper and the LDAP server, or the -Z option is the same as
> > for ldapsearch?
>
> It is as for ldapsearch.
>
> The client (the helper) requires the LDAP server to sort of authenticate
> itself, and the communication is encrypted. However, please note that
> the helper does not pay very much attention to the validity of the
> server certificate.
>
> Regards
> Henrik




Re: [squid-users] Caching P2P

2004-01-04 Thread BrianC8876
What you don't realize is that the majority of the traffic with p2p is *not*
the downloads themselves but instead is the 100s of clients/servers
contacting each other and exchanging directory information. The chatter is constant
and unrelenting. Caching p2p content is problematic in more ways than one. A
few movies will fill your cache. You'd have to either 1) discover which ports
are in use as they are variable and random or 2) assume that every port
*might* have content.

In reality you'd be better off just running your own supernode on your
network and have your customers/users connect to you. That, effectively, is your
cache. Of course you'll likely get sued, but it's a better concept than a p2p
cache.

BC


Re: [squid-users] squid_ldap_auth + openldap

2004-01-04 Thread squid
Hi Henrik,

I've found the cause of the problem, thanks to the log file. I tried to
login as [EMAIL PROTECTED] which makes squid look for
[EMAIL PROTECTED],ou=tld.com,o=vpop which, of course, doesn't exist. If
I only use user1 without the domain, I can login fine.

Henrik, do you know how I can use squid for multiple domains? I changed my
squid.conf into (removing the ou):

  auth_param basic program /usr/lib/squid/squid_ldap_auth -b o=vpop -h localhost

Then I have to login as user1,ou=tld.com. Is there a way so I can login
as [EMAIL PROTECTED]?

I think modifying the squid_ldap_auth will do it, but is there any more
convenient way?

TIA,
toblo


- Original message -
From: Henrik Nordstrom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Fri, 2 Jan 2004 11:35:21 +0100 (CET)
Subject: Re: [squid-users] squid_ldap_auth + openldap

On Fri, 2 Jan 2004 [EMAIL PROTECTED] wrote:

>   o=vpop
>     ou=tld.com
>       uid=user1
>       uid=user2
>
> The squid.conf has the following lines:
>   auth_param basic program /usr/lib/squid/squid_ldap_auth -b
>   ou=tld.com,o=vpop -h localhost -D cn=manager,o=vpop -w password

Should work from what I can tell. The binddn/passwd (-D/-w) arguments are 
not needed in this setup.

Can you bind to the user using ldapsearch?

  ldapsearch -x -D uid=user1,ou=tld.com,o=vpop -W -b ou=tld.com,o=vpop

Regards
Henrik
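The mapping toblo asks for, as an added example that is not part of the thread or of squid_ldap_auth: a "user1@tld.com" login is turned into the per-domain DN of the tree shown above (uid=user1,ou=tld.com,o=vpop), with DN and filter metacharacters escaped so that a crafted login cannot rewrite the DN or the search filter. ALLOWED_DOMAINS and the function names are assumptions; any wrapper helper would still have to bind with the result.

```python
# Added example: map "user@domain" logins onto the o=vpop tree from the thread.
BASE_DN = "o=vpop"
ALLOWED_DOMAINS = {"tld.com"}  # constructed; only tld.com appears in the thread

# Characters RFC 4514 requires escaping inside an attribute value
# (plus '=', escaped conservatively; extra backslash escapes are permitted).
_DN_SPECIAL = ',+"\\<>;=#'

def escape_dn_value(value: str) -> str:
    """Backslash-escape DN metacharacters, leading/trailing spaces and controls."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value: str) -> str:
    """RFC 4515 hex-escape the characters that would alter a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)

def split_login(login: str):
    """Return (user, domain) for 'user@domain'; None when malformed or unknown domain."""
    if login.count("@") != 1:
        return None
    user, domain = login.split("@")
    domain = domain.lower()
    if not user or domain not in ALLOWED_DOMAINS:
        return None
    return user, domain

def login_to_dn(login: str):
    """Bind DN for the login, e.g. uid=user1,ou=tld.com,o=vpop; None if rejected."""
    parts = split_login(login)
    if parts is None:
        return None
    user, domain = parts
    return f"uid={escape_dn_value(user)},ou={escape_dn_value(domain)},{BASE_DN}"

def login_to_search(login: str):
    """(search base, filter) for the same login, for a helper that searches first."""
    parts = split_login(login)
    if parts is None:
        return None
    user, domain = parts
    return f"ou={escape_dn_value(domain)},{BASE_DN}", f"(uid={escape_filter_value(user)})"
```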



Re: [squid-users] Caching P2P

2004-01-04 Thread OTR Comm
No offense, but could you guys take this discussion out of this list
please?

It is interesting, but IMHO, it really doesn't belong here.

Thanks,
Murrah Boswell

[EMAIL PROTECTED] wrote:
>
> What you don't realize is that the majority of the traffic with p2p is *not*
> the downloads themselves but instead is the 100s of clients/servers
> contacting each other and exchanging directory information. The chatter is constant
> and unrelenting. Caching p2p content is problematic in more ways than one. A
> few movies will fill your cache. You'd have to either 1) discover which ports
> are in use as they are variable and random or 2) assume that every port
> *might* have content.
>
> In reality you'd be better off just running your own supernode on your
> network and have your customers/users connect to you. That, effectively, is your
> cache. Of course you'll likely get sued, but it's a better concept than a p2p
> cache.
>
> BC


[squid-users] Getting authenticated username with PHP ?

2004-01-04 Thread Andrew Nelson
Hi,

I have a squid cache that makes people authenticate... I'd like to set up
a PHP page that displays some information about the person logged in
based on the username they are using..
I did a phpinfo() but the squid auth username doesn't appear in any
global variables...
How do I find out the username of the person viewing my php script?
Is there any way to list all the users who are currently logged in ?
Thanks,
Andrew



Re: [squid-users] Getting authenticated username with PHP ?

2004-01-04 Thread Matthew Horoschun
Andrew,

> I have a squid cache that makes people authenticate... I'd like to set up
> a PHP page that displays some information about the person logged in
> based on the username they are using..
>
> I did a phpinfo() but the squid auth username doesn't appear in any
> global variables...

That is because squid doesn't pass the authentication information to
the web server (nor should it!).

> How do I find out the username of the person viewing my php script?

You can't easily.

> Is there any way to list all the users who are currently logged in ?

HTTP is a stateless protocol. Nobody is logged in, they just make
requests.

You could fake this by importing access log entries into a database and 
then searching for people who have made requests in the recent past 
(e.g. in the last five minutes).

Matthew.



Re: [squid-users] Getting authenticated username with PHP ?

2004-01-04 Thread Andrew Nelson
Hi Matthew, thanks for your response!

> That is because squid doesn't pass the authentication information to the
> web server (nor should it!).

Squid passes IPs on... What would be wrong with a Squid conf option
to pass the authenticated username on? Anyone know of a patch?

> > How do I find out the username of the person viewing my php script?
>
> You can't easily.

Hmm, it seemed like a pretty simple problem too!

> > Is there any way to list all the users who are currently logged in ?
>
> HTTP is a stateless protocol. Nobody is logged in, they just make
> requests.

I'm sure you know about authenticate_ttl and all about the way squid
caches auth details so it doesn't have to keep bothering the client...
It is stateful really - and that's also what PHP sessions and cookies are
all about.. I guess I'm looking for a way to access Squid's internal session
cache..

> You could fake this by importing access log entries into a database and
> then searching for people who have made requests in the recent past (e.g.
> in the last five minutes).

That sounds like too much work... anyone know a better way? I'm
sure it's been done 1000 times..
Thanks,
Andrew.
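Matthew's "recent requests" approximation of "who is logged in", and the client-IP lookup a PHP page could do with the address Squid forwards, as an added example that is not part of the thread: it runs over constructed Squid native-format access.log lines instead of a database. Assumed field layout: time elapsed client code/status bytes method URL user hierarchy type, with user "-" when no credentials were accepted.

```python
# Added example: derive "recently active users" from Squid native access.log lines.
# SAMPLE_LOG is constructed; the addresses and users are not from the thread.
SAMPLE_LOG = """\
1073208415.123    250 192.168.1.10 TCP_MISS/200 1234 GET http://example.test/ user1 DIRECT/203.0.113.5 text/html
1073208500.456     12 192.168.1.11 TCP_HIT/200 5678 GET http://example.test/a.png user2 NONE/- image/png
1073208560.789      5 192.168.1.12 TCP_DENIED/407 0 GET http://example.test/ - NONE/- text/html
1073208700.001     80 192.168.1.10 TCP_MISS/200 999 GET http://example.test/b user1 DIRECT/203.0.113.5 text/html
1073208710.002     90 192.168.1.13 TCP_MISS/200 42 CONNECT example.test:443 user3 DIRECT/203.0.113.5 -
"""

def parse_line(line):
    """Pick the fields we need from one native-format line; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        return {"time": float(f[0]), "client": f[2], "user": f[7]}
    except ValueError:
        return None

def recent_users(log_text, now, window=300):
    """Map username -> last request time for users seen within `window` seconds of `now`."""
    last_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":  # unauthenticated or still being challenged
            continue
        if now - window <= rec["time"] <= now:
            last_seen[rec["user"]] = max(last_seen.get(rec["user"], 0.0), rec["time"])
    return last_seen

def user_for_client(log_text, client_ip, now, window=300):
    """Most recent username seen from client_ip inside the window, or None.
    Caveat: an address is not an identity behind NAT or on a shared workstation."""
    best = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] == "-" or rec["client"] != client_ip:
            continue
        if now - window <= rec["time"] <= now and (best is None or rec["time"] > best[0]):
            best = (rec["time"], rec["user"])
    return None if best is None else best[1]
```

A real deployment would read the live access.log (or a tailed copy) with `now` taken from the clock; the five-minute window is Matthew's figure, not a Squid setting.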