[squid-users] Re: Squid Ldap Authenticators
Hi,

Sorry, I pressed the send button by mistake ...

We are having strange Squid troubles. At first, let me describe our setup:

- 4 HP G6/G7 DL380 servers with 16 CPUs and 28 GB RAM with RHEL 5.4-5.8 64bit and Squid 3.1.12 (custom compiled)

  Squid Cache: Version 3.1.12
  configure options: '--enable-ssl' '--enable-icap-client' '--sysconfdir=/etc/squid' '--enable-async-io' '--enable-snmp' '--enable-poll' '--with-maxfd=32768' '--enable-storeio=aufs' '--enable-removal-policies=heap,lru' '--enable-epoll' '--disable-ident-lookups' '--enable-truncate' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-default-user=squid' '--prefix=/opt/squid' '--enable-auth=basic digest ntlm negotiate' '-enable-negotiate-auth-helpers=squid_kerb_auth' --with-squid=/home/squid/squid-3.1.12 --enable-ltdl-convenience

- Each server has two instances for kerberos/ntlm authentication and two instances for LDAP authentication (different customers)
- We have a hardware loadbalancer which is balancing requests for our kerberos customers (4x2 instances) and ldap customers (4x2 instances); each has a different IP address.
- Average load values are approx 0.5 (5 min values)
- Approx 60 RPS per instance (equally distributed: 16 * 60 = 960 RPS)
- Up to 150 Mbit/s traffic per server
- ICAP servers for content adaptation (multiple servers with a hardware loadbalancer in front of them)

From time to time we are having troubles with our Squid servers which may not be a problem related to Squid; I suspect an OS issue. Nevertheless, sometimes the servers don't respond to requests (even SSH requests), or logging in takes forever (reverse lookup failure?), or even worse, sometimes the server interface is just down (there is no indication of any problem at the switch port level).

If we check the squidclient output, we can see some hanging ldap authenticators:

squid@xlsqit01 /opt/squid/bin $ ./squidclient -h 10.122.125.23 cache_object://10.122.125.23/basicauthenticator
HTTP/1.0 200 OK
Server: squid/3.1.12
Mime-Version: 1.0
Date: Tue, 13 Mar 2012 13:34:07 GMT
Content-Type: text/plain
Expires: Tue, 13 Mar 2012 13:34:07 GMT
Last-Modified: Tue, 13 Mar 2012 13:34:07 GMT
X-Cache: MISS from xlsqip02_3
Via: 1.0 xlsqip02_3 (squid/3.1.12)
Connection: close

Basic Authenticator Statistics:
program: /opt/squid/libexec/squid_ldap_auth
number active: 20 of 20 (0 shutting down)
requests sent: 13316
replies received: 13312
queue length: 0
avg service time: 4741 msec

 #  FD   PID    # Requests  Flags  Time     Offset  Request
 1  12   16038  2150        B      125.885  0       user1 pw1\n
 2  24   16043  85          B      119.562  0       user2 pw2\n
 3  32   16049  63          B      13.639   0       user3 pw3\n
 4  43   16055  21          B      116.143  0       user4 pw4\n
 5  46   16059  12                 189.002  0       (none)
 6  50   16064  1                  189.003  0       (none)
 7  56   16069  2                  0.079    0       (none)
 8  60   16074  0                  0.000    0       (none)
 9  65   16079  0                  0.000    0       (none)
10  86   16084  0                  0.000    0       (none)
11  88   16095  0                  0.000    0       (none)
12  90   16101  0                  0.000    0       (none)
13  92   16117  0                  0.000    0       (none)
14  95   16122  0                  0.000    0       (none)
15  97   16130  0                  0.000    0       (none)
16  99   16138  0                  0.000    0       (none)
17  101  16144  0                  0.000    0       (none)
18  104  16150  0                  0.000    0       (none)
19  107  16162  0                  0.000    0       (none)
20  109  16173  0                  0.000    0       (none)

Flags key:
  B = BUSY
  W = WRITING
  C = CLOSING
  S = SHUTDOWN PENDING

2012/03/13 03:00:04| Ready to serve requests.
squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'

Testing the ldap authentication at CLI level, it is working without any problems:

root@xlsqip02 ~ #
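The report quoted above is what an operator has to read under pressure, so here is a small parser for it that extracts the summary counters and the per-helper rows and flags helpers that have been BUSY for longer than a threshold, the condition shown in the post (four helpers busy for roughly two minutes while cache.log reports that the LDAP server cannot be reached). This is an added example written for this thread, not Squid code; the embedded report is constructed to mirror the layout of the quoted one with fewer rows, and the Time column is read here as the seconds since Squid last handed that helper a request. Note that Squid prints the pending request line, password included, which is why the cachemgr page itself must stay behind cachemgr_passwd and the manager ACL; the helper below strips the password before rendering a row.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, laid out like the report quoted in the post (fewer rows).
# Squid prints the pending request line in clear, credentials included, so the
# cachemgr "basicauthenticator" page is itself sensitive data.
SAMPLE_REPORT = """\
Basic Authenticator Statistics:
program: /opt/squid/libexec/squid_ldap_auth
number active: 6 of 6 (0 shutting down)
requests sent: 13315
replies received: 13312
queue length: 0
avg service time: 4741 msec

  # FD PID # Requests Flags Time Offset Request
  1 12 16038 2150 B 125.885 0 user1 pw1\\n
  2 24 16043 85 B 119.562 0 user2 pw2\\n
  3 32 16049 63 B 13.639 0 user3 pw3\\n
  4 46 16059 12 189.002 0 (none)
  5 56 16069 2 0.079 0 (none)
  6 60 16074 0 0.000 0 (none)

Flags key:
  B = BUSY
  W = WRITING
  C = CLOSING
  S = SHUTDOWN PENDING
"""

ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<fd>\d+)\s+(?P<pid>\d+)\s+(?P<requests>\d+)\s+"
    r"(?P<flags>[BWCS]*)\s*(?P<time>\d+\.\d+)\s+(?P<offset>\d+)\s+(?P<request>.*)$"
)
SUMMARY_RE = re.compile(r"^(?P<key>[a-z ]+):\s+(?P<value>\d+)")


@dataclass
class HelperRow:
    index: int
    fd: int
    pid: int
    requests: int
    flags: str
    time: float      # seconds since Squid last handed this helper a request
    request: str     # the request line in flight, "(none)" when idle


def parse_report(text: str) -> Tuple[Dict[str, int], List[HelperRow]]:
    """Split the cachemgr text into the numeric summary lines and the per-helper rows."""
    summary: Dict[str, int] = {}
    rows: List[HelperRow] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(HelperRow(int(m["idx"]), int(m["fd"]), int(m["pid"]),
                                  int(m["requests"]), m["flags"], float(m["time"]),
                                  m["request"].strip()))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["key"].strip()] = int(m["value"])
    return summary, rows


def outstanding(summary: Dict[str, int]) -> int:
    """Requests Squid sent that no helper has answered yet; should equal the BUSY count."""
    return summary["requests sent"] - summary["replies received"]


def stuck_helpers(rows: List[HelperRow], busy_seconds: float = 30.0) -> List[HelperRow]:
    """BUSY helpers whose request has been in flight longer than busy_seconds.
    A few seconds is normal for an LDAP bind; two minutes means the helper is
    waiting on a directory server that is not answering (compare the
    'could not bind to binddn' warnings in cache.log)."""
    return [r for r in rows if "B" in r.flags and r.time > busy_seconds]


def redacted(row: HelperRow) -> str:
    """Render a row for a ticket or chat without copying the password along."""
    user = row.request.split(" ", 1)[0] if row.request != "(none)" else "(none)"
    return f"#{row.index} pid={row.pid} flags={row.flags or '-'} time={row.time:.3f}s user={user}"


if __name__ == "__main__":
    summary, rows = parse_report(SAMPLE_REPORT)
    print(f"outstanding requests: {outstanding(summary)}, "
          f"avg service {summary['avg service time']} ms")
    for r in stuck_helpers(rows):
        print("stuck:", redacted(r))
```

Feed it the body of `squidclient ... cache_object://host/basicauthenticator` and compare `outstanding()` with the number of BUSY rows: when they agree and the busy rows are all old, the helpers are blocked on the directory rather than Squid losing replies, which is the first thing to establish before touching the helper count.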
Re: [squid-users] Re: Squid Ldap Authenticators
On 14.03.2012 03:54, guest01 wrote:

> Hi,
>
> Sorry, I pressed the send button by mistake ...
>
> We are having strange Squid troubles. At first, let me describe our setup:
>
> - 4 HP G6/G7 DL380 servers with 16 CPUs and 28 GB RAM with RHEL 5.4-5.8 64bit and Squid 3.1.12 (custom compiled)
>
>   Squid Cache: Version 3.1.12
>   configure options: '--enable-ssl' '--enable-icap-client' '--sysconfdir=/etc/squid' '--enable-async-io' '--enable-snmp' '--enable-poll' '--with-maxfd=32768' '--enable-storeio=aufs' '--enable-removal-policies=heap,lru' '--enable-epoll' '--disable-ident-lookups' '--enable-truncate' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-default-user=squid' '--prefix=/opt/squid' '--enable-auth=basic digest ntlm negotiate' '-enable-negotiate-auth-helpers=squid_kerb_auth' --with-squid=/home/squid/squid-3.1.12 --enable-ltdl-convenience
>
> - Each server has two instances for kerberos/ntlm authentication and two instances for LDAP authentication (different customers)
> - We have a hardware loadbalancer which is balancing requests for our kerberos customers (4x2 instances) and ldap customers (4x2 instances); each has a different IP address.
> - Average load values are approx 0.5 (5 min values)
> - Approx 60 RPS per instance (equally distributed: 16 * 60 = 960 RPS)
> - Up to 150 Mbit/s traffic per server
> - ICAP servers for content adaptation (multiple servers with a hardware loadbalancer in front of them)
>
> From time to time we are having troubles with our Squid servers which may not be a problem related to Squid; I suspect an OS issue. Nevertheless, sometimes the servers don't respond to requests (even SSH requests), or logging in takes forever (reverse lookup failure?), or even worse, sometimes the server interface is just down (there is no indication of any problem at the switch port level).
>
> If we check the squidclient output, we can see some hanging ldap authenticators:
>
> squid@xlsqit01 /opt/squid/bin $ ./squidclient -h 10.122.125.23 cache_object://10.122.125.23/basicauthenticator
> HTTP/1.0 200 OK
> Server: squid/3.1.12
> Mime-Version: 1.0
> Date: Tue, 13 Mar 2012 13:34:07 GMT
> Content-Type: text/plain
> Expires: Tue, 13 Mar 2012 13:34:07 GMT
> Last-Modified: Tue, 13 Mar 2012 13:34:07 GMT
> X-Cache: MISS from xlsqip02_3
> Via: 1.0 xlsqip02_3 (squid/3.1.12)
> Connection: close
>
> Basic Authenticator Statistics:
> program: /opt/squid/libexec/squid_ldap_auth
> number active: 20 of 20 (0 shutting down)
> requests sent: 13316
> replies received: 13312
> queue length: 0
> avg service time: 4741 msec
>
>  #  FD   PID    # Requests  Flags  Time     Offset  Request
>  1  12   16038  2150        B      125.885  0       user1 pw1\n
>  2  24   16043  85          B      119.562  0       user2 pw2\n
>  3  32   16049  63          B      13.639   0       user3 pw3\n
>  4  43   16055  21          B      116.143  0       user4 pw4\n
>  5  46   16059  12                 189.002  0       (none)
>  6  50   16064  1                  189.003  0       (none)
>  7  56   16069  2                  0.079    0       (none)
>  8  60   16074  0                  0.000    0       (none)
>  9  65   16079  0                  0.000    0       (none)
> 10  86   16084  0                  0.000    0       (none)
> 11  88   16095  0                  0.000    0       (none)
> 12  90   16101  0                  0.000    0       (none)
> 13  92   16117  0                  0.000    0       (none)
> 14  95   16122  0                  0.000    0       (none)
> 15  97   16130  0                  0.000    0       (none)
> 16  99   16138  0                  0.000    0       (none)
> 17  101  16144  0                  0.000    0       (none)
> 18  104  16150  0                  0.000    0       (none)
> 19  107  16162  0                  0.000    0       (none)
> 20  109  16173  0                  0.000    0       (none)

Looks like you can save some resources by dropping that down to 10 helpers. But re-evaluate that after they are fixed in case the loading goes up after that.

> Flags key:
>   B = BUSY
>   W = WRITING
>   C = CLOSING
>   S = SHUTDOWN PENDING
>
> 2012/03/13 03:00:04| Ready to serve requests.
> squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
> squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
> squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
> squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
> squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
> squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
> squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
> squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'
> squid_ldap_auth: WARNING,
[squid-users] RE: Squid + ldap +ssl Secure authentication
Thanks Henrik.

I want to share some information here which would help someone. This is the exact command which did the trick for me.

auth_param basic program /usr/lib/squid/squid_ldap_auth -b ou=yyy,dc=xxx,dc=com -H ldaps://ldapserver.domain.com:636 -v 3 -f uid=%s

By running 'openssl s_client -connect ldap:636' I got to see the exact Common Name (CN) and had to specify it in the command like above. I got to see successful ldaps connections on my ldap server. Hopefully -Z is no more needed for me. Please correct me if I am wrong.

To avoid sending plain text from browser to Squid proxy, I created an ssh tunnel using my putty (from localhost port 8080 to proxy:8080), and I specified localhost in the browser. This seems to be working fine, except that I need to keep the putty session open always. Obviously none of the users want to open a session on their desktop browser while browsing. Now I am exploring a way to create this ssh tunnel using some script which should not need any action from the end user. I would appreciate it if someone has some information to share.

Thanks,
Best Regards,
Bhagwan

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 15, 2007 3:36 PM
To: Vootla, Bhagwan
Cc: squid-users@squid-cache.org; [EMAIL PROTECTED]
Subject: RE: Squid + ldap +ssl Secure authentication

On Friday 2007-06-15 at 12:42 -0400, Vootla, Bhagwan wrote:

> Using -Z option still returns me Could not Activate TLS connection
> I also tried with -p 636, which does not return me anything. Somehow I need to implement this to meet the deadline (tomorrow).

-Z is LDAPv3 STARTTLS on the normal LDAP port. To use the older LDAPv2 over SSL you need to use -H ldaps://servername/

Regards
Henrik
[squid-users] RE: Squid + ldap +ssl Secure authentication
On Tuesday 2007-06-19 at 17:15 -0400, Vootla, Bhagwan wrote:

> By running 'openssl s_client -connect ldap:636' I got to see the exact Common Name (CN) and had to specify it in the command like above. I got to see successful ldaps connections on my ldap server. Hopefully -Z is no more needed for me. Please correct me if I am wrong.

-Z is more modern than ldaps. But either method works.

> To avoid sending plain text from browser to Squid proxy, I created an ssh tunnel using my putty (from localhost port 8080 to proxy:8080), and I specified localhost in the browser. This seems to be working fine, except that I need to keep the putty session open always.

I would use stunnel to set up an SSL wrapper between the client and Squid. If you have logon scripts it's just a matter of getting an stunnel setup, and starting it from the logon script.

http://www.stunnel.org/

connecting to an https_port on Squid. This way you upgrade the browsers to be capable of SSL encrypting the proxy connections.

Regards
Henrik
[squid-users] RE: Squid + ldap +ssl Secure authentication
Thanks Henrik.

I have the link created to my cert as you suggested.

[EMAIL PROTECTED] cacerts]# ls -altr
total 32
-rw-r--r-- 1 root root 4245 Jan 18 11:41 cert.pem
drwxr-xr-x 2 root root 4096 Jan 18 11:42 .
lrwxrwxrwx 1 root root    8 Apr 24 16:57 9ac40248.0 -> cert.pem
drwxr-xr-x 3 root root 4096 Jun 15 12:22 ..
[EMAIL PROTECTED] cacerts]# pwd
/etc/openldap/cacerts

Using -Z option still returns me Could not Activate TLS connection
I also tried with -p 636, which does not return me anything. Somehow I need to implement this to meet the deadline (tomorrow). Can you/someone please help in configuring?

Fyi: I have the connectivity over 636 port to my ldap server from proxy server.

Thanks a ton.
Bhagwan

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 14, 2007 10:25 AM
To: Vootla, Bhagwan
Cc: squid-users@squid-cache.org; [EMAIL PROTECTED]
Subject: Re: Squid + ldap +ssl Secure authentication

On Thursday 2007-06-14 at 07:47 -0400, Vootla, Bhagwan wrote:

> 1) I have read that SSL encryption can be achieved from proxy server to ldap server only. How can I achieve it from browser to proxy server?

Squid has all the support that is needed on the proxy side of things for this, by using the https_port directive. However, there are no known browsers supporting SSL to proxies.

> 2) I created a cert in /etc/openldap/cacerts/cert.pem. How do I tell squid_ldap_auth to use this cert and encrypt the password? (my ldap server listens on 389,636 ports).

By asking it to use TLS.

> I also tried with -Z option from the command line, but I get Could not Activate TLS connection

Then it probably didn't find the CA certificate.

/etc/openldap/cacerts is an openssl hashed certificate directory. It's not sufficient to just place the certificate file there, it also needs to be named properly for OpenSSL to find it. There is a tool somewhere which sets up symbolic links for the hashed certificate names, unfortunately I don't remember its name.

But the following should work:

cd /etc/openldap/cacerts/
ln cert.pem `openssl x509 -in cert.pem -hash -noout`.0

Also make sure the file is world-readable.

chmod a+r cert.pem

Regards
Henrik
[squid-users] RE: Squid + ldap +ssl Secure authentication
On Friday 2007-06-15 at 12:42 -0400, Vootla, Bhagwan wrote:

> Using -Z option still returns me Could not Activate TLS connection
> I also tried with -p 636, which does not return me anything. Somehow I need to implement this to meet the deadline (tomorrow).

-Z is LDAPv3 STARTTLS on the normal LDAP port. To use the older LDAPv2 over SSL you need to use -H ldaps://servername/

Regards
Henrik
[squid-users] Re: Squid + ldap +ssl Secure authentication
On Thursday 2007-06-14 at 07:47 -0400, Vootla, Bhagwan wrote:

> 1) I have read that SSL encryption can be achieved from proxy server to ldap server only. How can I achieve it from browser to proxy server?

Squid has all the support that is needed on the proxy side of things for this, by using the https_port directive. However, there are no known browsers supporting SSL to proxies.

> 2) I created a cert in /etc/openldap/cacerts/cert.pem. How do I tell squid_ldap_auth to use this cert and encrypt the password? (my ldap server listens on 389,636 ports).

By asking it to use TLS.

> I also tried with -Z option from the command line, but I get Could not Activate TLS connection

Then it probably didn't find the CA certificate.

/etc/openldap/cacerts is an openssl hashed certificate directory. It's not sufficient to just place the certificate file there, it also needs to be named properly for OpenSSL to find it. There is a tool somewhere which sets up symbolic links for the hashed certificate names, unfortunately I don't remember its name.

But the following should work:

cd /etc/openldap/cacerts/
ln cert.pem `openssl x509 -in cert.pem -hash -noout`.0

Also make sure the file is world-readable.

chmod a+r cert.pem

Regards
Henrik
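The hashed-directory setup Henrik describes (here and in the copy quoted earlier in the thread) is easy to get subtly wrong: the link name depends on which OpenSSL computes the hash, a second CA with a colliding hash needs the next suffix rather than `.0`, and the file must be readable by the unprivileged user the helper runs as. The script below is an added example for this thread, not OpenLDAP or Squid code. It shells out to the `openssl` command (assumed to be on PATH; the `OPENSSL` constant is None when it is not), reproduces the `ln`/`chmod` steps, and then checks the result the way libldap will use it, with `openssl verify -CApath`. The tool Henrik could not remember is `c_rehash` (and `openssl rehash` from OpenSSL 1.1.0 on); this does the same job for a single certificate so the naming rule is visible.

```python
import os
import shutil
import subprocess
import tempfile

OPENSSL = shutil.which("openssl")   # None when the CLI is not installed


def subject_hash(cert_path: str, legacy: bool = False) -> str:
    """Eight hex digits OpenSSL derives from the certificate subject.
    -subject_hash is what -hash means on OpenSSL 1.0.0 and later;
    -subject_hash_old reproduces the MD5-based name that the pre-1.0 releases
    of 2007 used, so a directory must be hashed for the library version that
    will read it (libldap here)."""
    flag = "-subject_hash_old" if legacy else "-subject_hash"
    out = subprocess.run([OPENSSL or "openssl", "x509", "-in", cert_path, flag, "-noout"],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


def next_link_name(cadir: str, h: str) -> str:
    """OpenSSL probes <hash>.0, <hash>.1, ... so two CAs with colliding subject
    hashes need distinct suffixes instead of the second overwriting the first."""
    n = 0
    while os.path.lexists(os.path.join(cadir, f"{h}.{n}")):
        n += 1
    return f"{h}.{n}"


def install_ca(cert_path: str, cadir: str, legacy: bool = False) -> str:
    """Copy the PEM into cadir, make it world-readable (squid_ldap_auth runs as
    the squid user, not root) and add the hashed symlink. Returns the link name."""
    os.makedirs(cadir, exist_ok=True)
    dest = os.path.join(cadir, os.path.basename(cert_path))
    shutil.copyfile(cert_path, dest)
    os.chmod(dest, 0o644)
    link = next_link_name(cadir, subject_hash(cert_path, legacy))
    os.symlink(os.path.basename(dest), os.path.join(cadir, link))
    return link


def verify_with_capath(cert_path: str, cadir: str) -> bool:
    """The check to run before touching squid.conf: can OpenSSL build a chain
    for cert_path using only the hashed directory?"""
    r = subprocess.run([OPENSSL or "openssl", "verify", "-CApath", cadir, cert_path],
                       capture_output=True, text=True)
    return r.returncode == 0


def demo_collision() -> list:
    """Suffix logic alone, no openssl needed: the hash value is the one from the
    thread's ls listing, reused twice to simulate a collision."""
    cadir = tempfile.mkdtemp()
    names = []
    for _ in range(2):
        name = next_link_name(cadir, "9ac40248")
        open(os.path.join(cadir, name), "w").close()
        names.append(name)
    return names


def demo_install() -> bool:
    """End-to-end with a throwaway self-signed CA generated on the spot."""
    work = tempfile.mkdtemp()
    cert = os.path.join(work, "cert.pem")
    subprocess.run([OPENSSL or "openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", os.path.join(work, "key.pem"), "-out", cert,
                    "-subj", "/CN=throwaway-test-ca", "-days", "1"],
                   check=True, capture_output=True)
    cadir = os.path.join(work, "cacerts")
    return install_ca(cert, cadir).endswith(".0") and verify_with_capath(cert, cadir)


if __name__ == "__main__":
    print(demo_collision())
    print("openssl verify -CApath OK:", demo_install() if OPENSSL else "openssl not found")
```

libldap finds the directory through `TLS_CACERTDIR` in ldap.conf, so after `install_ca(...)` the remaining check is that the directory named there is the one you populated and that the server certificate's CN (or subjectAltName) matches the host in the `-H ldaps://...` URL, as Bhagwan discovered with `openssl s_client`.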
[squid-users] Re: Squid LDAP Digest
On Wed, 16 Nov 2005, Winfried Kuiper wrote:

> from http://www.squid-cache.org/mail-archive/squid-dev/200506/0031.html I know, there is a new digest authentication helper with ldap extension.

Yes.

> So, is it now possible to make a secure communication between both, a) client-squidserver and b) squidserver-ldapserver?

Sort of.

> We want to use a secure authentication (I like digest more than NTLM) at the squid proxy server for our students over WLAN. The proxy server then should be able to talk in a secure way to the Windows LDAP Server.

Only works if you are willing to add a Digest HA1 attribute to each user having the Digest hashed password, or if you manage to provide Squid access to the plain text passwords stored in the directory. Neither is normally there in an ADS tree.

> But I don't like this solution, because I have to join the ADS tree. There are often problems in the ADS tree and I don't want to become a member of it.

Your choice.

> Is the authentication helper found under http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid3/helpers/digest_auth/password/ the solution for my problem?

It is the helper you speak of above. But it does NOT allow Digest authentication to the Windows ADS passwords.

> Do you know another solution for me?

My recommendation at the moment is to go for NTLM.

> Can I use it with squid-2.5.STABLE6-6.15?

Yes, if you trust the Digest implementation there..

> Where can I find more documentation for your new digest authentication helper?

There is a man page included in the distribution, documenting most options. But you have to remember that this helper requires either

a) Access to plain-text stored passwords
or
b) Access to pre-hashed Digest HA1 hashes of the users passwords.

Neither is normally stored in ADS. It is possible to configure ADS to store reversibly encrypted passwords, and this is a requirement for the Microsoft Digest implementation. This however can not be used by Squid at this time due to lack of information from Microsoft on how to integrate Digest with ADS in a sensible manner.

> Do you know a good book about squid and authentication helper?

The Squid book has some information. Not very much on Digest however.

Regards
Henrik
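Henrik's point that Digest needs either the plain password or a pre-hashed HA1 follows from how the response is computed, so here is the computation written out: an added example for this thread, not the Squid digest helper's code. It provisions a user by storing only HA1 (standing in for the "Digest HA1 attribute" in the directory; the directory is a constructed dict), has a client compute the RFC 2617 response from the password, and has the proxy side verify it from HA1 alone. The realm constant and all credentials are made up. In Squid's digest helper protocol the helper's part is the lookup (it hands HA1 back, or ERR) and Squid performs the comparison; the split below mirrors that.

```python
import hashlib
import secrets

REALM = "proxy.example"   # constructed; must equal the realm in "auth_param digest realm"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1. This is the value a 'Digest HA1 attribute' holds: it is what
    the proxy needs and all the proxy needs; the clear password never has to
    leave the provisioning step. The realm is baked in, so changing the realm
    in squid.conf invalidates every stored HA1."""
    return md5hex(f"{user}:{realm}:{password}")


def provision(directory: dict, user: str, password: str) -> None:
    """Admin-side step once per user: store HA1 instead of the password."""
    directory[user] = ha1(user, REALM, password)


def digest_response(ha1_value: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(user: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str) -> str:
    """Browser side: it has the password, so it computes HA1 itself."""
    return digest_response(ha1(user, REALM, password), method, uri, nonce, nc, cnonce)


def verify(directory: dict, user: str, method: str, uri: str, nonce: str,
           nc: str, cnonce: str, response: str) -> bool:
    """Proxy side: look up HA1 (the helper's job), recompute the response and
    compare in constant time (Squid's job). No password involved."""
    stored = directory.get(user)
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    users = {}
    provision(users, "alice", "correct horse")      # constructed credentials
    nonce, nc, cnonce = secrets.token_hex(16), "00000001", secrets.token_hex(8)
    resp = client_response("alice", "correct horse", "GET", "http://example.com/",
                           nonce, nc, cnonce)
    print("stored attribute:", users["alice"])
    print("verified:", verify(users, "alice", "GET", "http://example.com/",
                              nonce, nc, cnonce, resp))
```

The value stored per user is an MD5 of `user:realm:password`, which is why Henrik calls NTLM the practical choice against an AD tree: AD keeps neither that hash nor (by default) a reversible password, and nothing in the Digest exchange lets the proxy derive one from what AD does hold.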
Re: [squid-users] Re: Squid-Ldap-Authentication Help
On Tue, 16 Sep 2003, saahil khanna wrote:

> hello sir!!! where can i find squid_ldap_auth manual.

In the Squid source distribution next to the helper, or in /usr/local/squid/man/ after you have installed the helper.

Regards
Henrik
[squid-users] Re: Squid-Ldap-Authentication Help
On Saturday 06 September 2003 14.08, saahil khanna wrote:

> Can somebody guide me on how to set up squid with ldap authentication.

See the squid_ldap_auth manual. Included in the Squid sources.

For additional help please use the squid-users mailinglist. The squid-faq address is for submissions of additions to the Squid FAQ.

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]
[squid-users] Re: Squid/LDAP/eDirectory
On Tuesday 19 August 2003 07.03, [EMAIL PROTECTED] wrote:

> I am looking to have Squid 2.5 authenticate connection requests against a Novell eDirectory 8.62 server. A neat solution from my point of view is to configure Squid to use the supplied LDAP helper, across SSL.

Which the supplied helper does just fine, and several people use this for Novell NDS integration via LDAP and I see no reason why it should not work with eDirectory as well.

> Is there any reason why I should additionally look at PAM authentication? Are there any potential benefits over what I have described above?

None I can see.. only complications..

PAM is mostly useful if you have the UNIX server already integrated into some authentication system and you want to use the same for Squid authentication. I.e. if the UNIX server where you run Squid is already fully integrated into your eDirectory domain, allowing login/pop3/imap etc using accounts from eDirectory, then using the same setup via PAM for Squid may be appropriate. However, even then it is often preferable to use the native Squid helpers in favor of the PAM based helper if the native helpers can do the job.

Regards
Henrik
[squid-users] Re: Squid + LDAP
On Tuesday 19 August 2003 16.21, Arias, Sebastian Alejandro - (Ext Arg) wrote:

> Could you give me some help to use the squid_ldap_auth?
> ...
> -I tried with this before but I didn't succeed, that's why I'm using ldap_auth-
> CN=user name,OU=it,OU=sys,OU=user accounts,dc=ar,dc=domain,dc=com

If all your users are directly below ou=it then all you need is

  -u cn -b OU=it,OU=sys,OU=user accounts,dc=ar,dc=domain,dc=com

Which will tell Squid that the users DN is always of the form

  cn=username,OU=it,OU=sys,OU=user accounts,dc=ar,dc=domain,dc=com

If your users are distributed in multiple OUs then you need to search for the users DN with the -f argument, probably something like

  -b OU=user accounts,dc=ar,dc=domain,dc=com -f ((objectClass=Person)(CN=%s))

Other filters are possible, mainly depending on the structure of the user objects in your LDAP tree and what LDAP attribute you want to use for the login name.

If you have further questions regarding the squid_ldap_auth helper please use the squid-users mailinglist.

Regards
Henrik
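The two modes Henrik describes differ in where the login name ends up: with `-u`/`-b` it is spliced into a DN, with `-b`/`-f` it replaces `%s` inside a search filter. The example below, added for this thread and not the helper's own code, models both against a constructed in-memory directory shaped like the tree in the question. Because the login name comes from the browser, it is escaped before substitution (RFC 4514 rules for the DN, RFC 4515 rules for the filter), and the search path only accepts exactly one hit, which is the behaviour a helper needs so that an ambiguous name cannot be bound as a different entry. The filter is written in its standard form `(&(...)(...))`, with the conjunction operator the LDAP filter grammar requires; the evaluator only understands that AND-of-equalities shape.

```python
import re

# Constructed stand-in for the LDAP tree described in the thread: DN -> attributes.
DIRECTORY = {
    "CN=alice,OU=it,OU=sys,OU=user accounts,dc=ar,dc=domain,dc=com":
        {"objectClass": "Person", "CN": "alice"},
    "CN=bob,OU=finance,OU=user accounts,dc=ar,dc=domain,dc=com":
        {"objectClass": "Person", "CN": "bob"},
    "CN=printer1,OU=devices,dc=ar,dc=domain,dc=com":
        {"objectClass": "Device", "CN": "printer1"},
}
SINGLE_OU_BASE = "OU=it,OU=sys,OU=user accounts,dc=ar,dc=domain,dc=com"
SEARCH_BASE = "OU=user accounts,dc=ar,dc=domain,dc=com"
FILTER_TEMPLATE = "(&(objectClass=Person)(CN=%s))"


def escape_dn_value(value: str) -> str:
    """RFC 4514: characters that structure a DN must be backslash-escaped when a
    login name is dropped into one."""
    s = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if s[:1] in ("#", " "):
        s = "\\" + s
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def escape_filter_value(value: str) -> str:
    """RFC 4515: ( ) * \\ and NUL are operators inside a search filter, so they
    are written as \\XX before the value replaces %s; otherwise the template
    (CN=%s) stops meaning 'exactly this name'."""
    return "".join("\\%02x" % ord(c) if c in "()*\\\x00" else c for c in value)


def direct_dn(login: str, attr: str = "cn", base: str = SINGLE_OU_BASE) -> str:
    """-u <attr> -b <base>: no search, the DN is assumed to be <attr>=<login>,<base>."""
    return f"{attr}={escape_dn_value(login)},{base}"


def build_filter(login: str, template: str = FILTER_TEMPLATE) -> str:
    """-f <template>: %s is replaced by the escaped login name."""
    return template.replace("%s", escape_filter_value(login))


TERM_RE = re.compile(r"\(([A-Za-z]+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(filter_str: str, entry: dict) -> bool:
    """Minimal evaluator for the AND-of-equalities shape used above: every
    (attr=value) term must match, attribute names compared case-insensitively."""
    terms = TERM_RE.findall(filter_str)
    lowered = {k.lower(): v for k, v in entry.items()}
    return bool(terms) and all(lowered.get(a.lower()) == _unescape(v) for a, v in terms)


def search_dn(login: str, directory: dict = DIRECTORY, base: str = SEARCH_BASE,
              template: str = FILTER_TEMPLATE):
    """-b <base> -f <template>: subtree search under base; the helper may only
    proceed when exactly one entry matches, so None here means 'reject'."""
    filter_str = build_filter(login, template)
    hits = [dn for dn, entry in directory.items()
            if dn.lower().endswith(base.lower()) and matches(filter_str, entry)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(direct_dn("alice"))
    print(build_filter("x)(cn=y"), "->", search_dn("x)(cn=y"))
    print(search_dn("bob"))
```

Whichever mode is used, the DN that comes out is what the helper then binds with the user's password; the search mode costs one extra round trip (and a bind DN with read access to the subtree) but is the only one that works when users live in several OUs.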
[squid-users] Re: Squid + LDAP
On Friday 15 August 2003 17.43, Arias, Sebastian Alejandro - (Ext Arg) wrote:

> Henrik,
> I'm trying to implement LDAP authentication over SQUID. I'm using Squid Cache: Version 2.5.STABLE2, and I have some questions about it.
>
> 1. How can I know if I must recompile the squid with an LDAP module? ... -I did not compile squid with an option to support it, but I think that Squid supports it by default-.

You most likely don't need to recompile Squid, but you may need to install the LDAP helpers if those were not installed while you installed your Squid. To see which helpers were installed as part of your Squid installation see the libexec directory.

> 2. I was trying to test the ldap_auth script at the command prompt but I can't get successful results.

I can not help you with the third-party ldap_auth helper as I have no experience with this helper. What I can help you with is the official squid_ldap_auth helper shipped with Squid.

> 3. And the last one, at the following lines I'm showing you the args
>
> acl ldap proxy_auth REQUIRED
> acl ldap src 0.0.0.0/0.0.0.0

You can not combine two different acl types in the same acl name.

If you need further help please use the squid-users mailinglist.

Regards
Henrik
Re: [squid-users] RE: squid ldap group auth question
On Wednesday 18 June 2003 00.58, Clark John wrote:

> ok simple question: if you define 2 groups on a remote ldap server can you use squid_ldap_group ONLY (properly configured) for authentication?

No. squid_ldap_group only performs group based authorization, not authentication. For authentication you need to use squid_ldap_auth. For both you need to use both helpers. They are activated from different sections in squid.conf.

Regards
Henrik
RE: [squid-users] RE: squid ldap group auth question
ok simple question: if you define 2 groups on a remote ldap server can you use squid_ldap_group ONLY (properly configured) for authentication?

I have been asked to install Squid (2.5 stable 3) on our surfing proxies (Solaris 8) if I can complete a proof of concept in a test environment that will authenticate users to the internet via ldap. Basically, I need help on the use of the new squid binaries squid_ldap_auth and squid_ldap_group in the squid.conf file.

On a remote ldap server I have set up 2 test users, one in a group test-inet-allow and one in a group test-inet-deny. When I configure my browser with the IP # of the test squid box I am prompted to authenticate. However, the squid log always indicates that I have a binddn 'Invalid credentials' error. I believe I have a truly screwed up syntax for the above binaries in my squid.conf file. Any help would be appreciated or just point me in the right direction. It's possible I am also deficient in auxiliary acl and http_access definitions.

Regards
John Clark
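Henrik's answer to John's question (authentication by squid_ldap_auth, authorization by squid_ldap_group, wired up from different squid.conf sections) is easiest to see in terms of the line protocol Squid speaks to both helpers. The script below is an added example for this thread, not the helpers' code: it answers the two kinds of request against a constructed in-memory directory holding John's two groups, and `proxy_decision` shows the order in which Squid consults them. Squid 3 URL-encodes the fields it writes to basic and group helpers; the example decodes the same way, which is a no-op for plain values.

```python
import secrets
import sys
from urllib.parse import quote, unquote

# Constructed directory: two users, the two groups from the question.
DIRECTORY = {
    "users": {"alice": "alice-pw", "bob": "bob-pw"},
    "groups": {"test-inet-allow": {"alice"}, "test-inet-deny": {"bob"}},
}


def auth_helper(line: str, directory: dict = DIRECTORY) -> str:
    """squid_ldap_auth's job: one 'user password' line in, OK or ERR out.
    The real helper answers by binding to LDAP as that user; here the
    constructed password table stands in for the bind."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = (unquote(p) for p in parts)
    stored = directory["users"].get(user)
    if stored is None or not secrets.compare_digest(stored, password):
        return "ERR"
    return "OK"


def group_helper(line: str, directory: dict = DIRECTORY) -> str:
    """squid_ldap_group's job: 'user group [group ...]' in, OK if the user is
    a member of any listed group. It never sees a password: by the time it
    runs, proxy_auth has already established who the user is."""
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"
    user, groups = fields[0], fields[1:]
    return "OK" if any(user in directory["groups"].get(g, set()) for g in groups) else "ERR"


def proxy_decision(user: str, password: str, required_group: str) -> str:
    """What the two squid.conf sections amount to: 'acl ... proxy_auth REQUIRED'
    drives the auth helper; an external_acl_type bound to the group helper
    runs afterwards on the authenticated name; http_access allows only when
    both answered OK."""
    if auth_helper(f"{quote(user, safe='')} {quote(password, safe='')}") != "OK":
        return "407 proxy authentication required"
    if group_helper(f"{quote(user, safe='')} {quote(required_group, safe='')}") != "OK":
        return "403 forbidden"
    return "200 allowed"


def serve(handler, stream_in=sys.stdin, stream_out=sys.stdout) -> None:
    """Run as an actual helper process: answer every line, flushing each reply,
    since Squid waits for the newline-terminated verdict before sending more."""
    for line in stream_in:
        stream_out.write(handler(line) + "\n")
        stream_out.flush()


if __name__ == "__main__":
    # python3 this.py auth  -> behaves like a basic auth helper on stdin/stdout
    # python3 this.py group -> behaves like a group helper
    serve(group_helper if sys.argv[1:] == ["group"] else auth_helper)
```

The separation matters for John's symptom too: a `binddn 'Invalid credentials'` message comes from the helper's own service bind (the `-D`/`-w` credentials it uses to search), not from the user's password, so it has to be fixed at the `auth_param basic program` line before any group ACL can be tested.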