Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs

2016-03-31 Thread Verwaiser
Hello Fred,

as written above, I inserted the statements:

> Ok, I tried to insert the acl in auth_param block as you described:
>
> acl pdfdoc dstdomain webgate.ec.europa.eu
> http_access allow password !pdfdoc   #replacing  http_access allow password
> http_access allow pdfdoc

no success



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-with-LDAP-authentication-bypass-selected-URLs-tp4676689p4676867.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs

2016-03-29 Thread FredB

> 
> auth_param basic program /usr/sbin/squid_ldap_auth -b T=MYDOMAIN -f "uid=%s" -s sub -h 192.168.1.1 acl password
> auth_param basic children 10
> auth_param basic realm Internetzugang im VERWALTUNGSNETZ FAL-BK: Bitte mit den Daten aus diesem Netzwerk anmelden!
> acl password proxy_auth REQUIRED
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off

> http_access allow password -->  http_access allow password !my acl 
> should be here, with the right acl just before



Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs

2016-03-29 Thread Verwaiser
Hello Fred,
thank you for your help!

Ok, I tried to insert the acl in auth_param block as you described:

acl pdfdoc dstdomain webgate.ec.europa.eu
http_access allow password !pdfdoc
http_access allow pdfdoc

but no success was shown using the pdf-doc.
Then: Testing access to webgate.ec.europa.eu in browser squid asked me for a
password as usual.




Here is my squid.conf in its current state (the file w7akt has some addresses for
novell and for w7-activation):

## Start

acl alle src 0.0.0.0/0.0.0.0
acl w7aktivierung dstdomain "/etc/squid/w7akt"
http_access allow w7aktivierung alle

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
acl wuCONNECT dstdomain novell.com
acl wuCONNECT dstdomain docs.live.net
acl wuCONNECT dstdomain d.docs.live.net

acl port_443 port 443
http_access allow CONNECT port_443

http_access allow CONNECT wuCONNECT

auth_param basic program /usr/sbin/squid_ldap_auth -b T=MYDOMAIN -f "uid=%s" -s sub -h 192.168.1.1 acl password
auth_param basic children 10
auth_param basic realm Internetzugang im VERWALTUNGSNETZ FAL-BK: Bitte mit den Daten aus diesem Netzwerk anmelden!
acl password proxy_auth REQUIRED
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
http_access allow password

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl localnet src 192.168.1.0/23 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl QUERY urlpath_regex cgi-bin \?
no_cache deny query
acl FILE_MP3 urlpath_regex -i \.mp3$
http_access deny FILE_MP3

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost

http_access deny all

icp_access allow localnet
icp_access deny all

http_port 192.168.1.7:8080

hierarchy_stoplist cgi-bin ?
cache_mem 32 MB
cache_dir ufs /var/cache/squid 100 16 256
logformat combined %>a %ul %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
log_fqdn on
ftp_user sq...@my-domainname.de
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr adm...@my-domainname.de
visible_hostname proxy.my-domainname.de
coredump_dir /var/cache/squid

## End 





Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs

2016-03-15 Thread FredB
I guess you have an acl with proxy_auth ?
Something like acl ldapauth proxy_auth REQUIRED ?

So you can just add http_access allow ldapauth !pdfdoc and perhaps http_access 
allow pdfdoc after

Fred



[squid-users] Squid with LDAP-authentication: bypass selected URLs

2016-03-15 Thread Verwaiser
Hello,
we use user-authentication using a LDAP server. 
We want to use a pdf - document which connects to an internet address
(europa.eu) for a kind of examination. The pdf doesn't ask for
proxy-authentication, so I tried to go around squid using ACLs like:

acl alle src 0.0.0.0/0.0.0.0
acl pdfdoc dstdomain "/etc/squid/urlListe"
http_access allow pdfdoc alle

with entries "europa.eu" and "*.europa.eu" and some more in the file
urlListe 

Also I tried:

acl CONNECT method CONNECT
acl wuCONNECT dstdomain webgate.ec.europa.eu
http_access allow CONNECT wuCONNECT

The result is always the same: The Acrobat Reader tells "connection
failed".


In access.log I find:
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? HTTP/1.1" 407 2066 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAURO8EJH HTTP/1.1" 407 2219 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://crl.globalsign.net/root.crl HTTP/1.1" 407 1889 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://ocsp2.globalsign.com/gsorganizationvalsha2g2/MFMwUTBPMEBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhiMXAk3Q3QqEElr8w7e7kcA%3D%3D HTTP/1.1" 407 2303 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl HTTP/1.1" 407 1955 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "CONNECT webgate.ec.europa.eu:443 HTTP/1.0" 200 3154 "-" "Mozilla/3.0 (compatible; Acrobat 5.0; Windows)" TCP_MISS:DIRECT

Any idea if I can do something using squid.conf to establish connection?

Holger

PS: Using "internet at home" without squid the pdf-document works well.
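
An access.log excerpt in the format quoted above can be summarised mechanically to see which clients and destination hosts Squid is challenging with 407 and which were served without a user name. This is an added example, not part of the original post; the first four sample lines are taken from the post with the e-mail wrapping undone, and the last one (user `holger`, example.com) is constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Layout of the lines quoted in the post:
# client ident user [time] "METHOD URL HTTP/x.y" status bytes "referer" "agent" result
LINE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<agent>[^"]*)" (?P<result>\S+)'
)

SAMPLE = [
    '192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? HTTP/1.1" 407 2066 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE',
    '192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://crl.globalsign.net/root.crl HTTP/1.1" 407 1889 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE',
    '192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl HTTP/1.1" 407 1955 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE',
    '192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "CONNECT webgate.ec.europa.eu:443 HTTP/1.0" 200 3154 "-" "Mozilla/3.0 (compatible; Acrobat 5.0; Windows)" TCP_MISS:DIRECT',
    # Constructed line: an authenticated request, which both reports must ignore.
    '192.168.12.23 - holger [15/Mar/2016:10:33:02 +0100] "GET http://example.com/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" TCP_MISS:DIRECT',
]


def target_host(method, url):
    """Return the destination host for a logged request."""
    if method == "CONNECT":            # CONNECT logs "host:port", not a URL
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def parse(lines):
    """Yield one dict per line that matches the combined layout; skip the rest."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["host"] = target_host(rec["method"], rec["url"])
            yield rec


def challenged_without_user(lines):
    """Count 407 replies to requests that carried no user name, per (agent, host)."""
    counts = Counter()
    for rec in parse(lines):
        if rec["status"] == "407" and rec["user"] == "-":
            counts[(rec["agent"], rec["host"])] += 1
    return dict(counts)


def served_without_user(lines):
    """Hosts reached with no user name, i.e. allowed by a rule ahead of the auth rule."""
    return sorted({rec["host"] for rec in parse(lines)
                   if rec["user"] == "-" and int(rec["status"]) < 400})


if __name__ == "__main__":
    for (agent, host), n in sorted(challenged_without_user(SAMPLE).items()):
        print(f"407 x{n}  {host}  <- {agent}")
    print("served without user:", served_without_user(SAMPLE))
```

On the sample, every 407 belongs to a `Microsoft-CryptoAPI/6.1` request to a windowsupdate or globalsign host, while the Acrobat CONNECT to webgate.ec.europa.eu was served without a user name.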






Re: [squid-users] squid 3.1 ldap authentication

2016-01-30 Thread Eliezer Croitoru

Just to update the thread.

A basic CLI test showed it's not an issue related to anything in the 
LDAP helpers or settings.
The issue was an IPV6 network level issue, there was a default gateway but 
for some unknown reason there was no IPV6 connectivity.
The test host could be any host with both IPV6 and IPV4 dns records that 
has at least one IPV6 record. Due to request_start_timeout default of 5 
minutes the site took about 5 minutes to show up after the IPV6 try was 
timed out.
The basic way to test it is running a simple script on the host machine 
that will test IPV6 connectivity. The right way to do that should be 
using a basic IPV6 ping like this script:

- http://paste.ngtech.co.il/pxizenek2
- http://ngtech.co.il/squid/ipv6_test.sh

But since it is known that opening the whole IPV6 ICMP protocol in 
firewalls opens network vulnerabilities, it is commonly disabled (while it 
can be opened properly) and therefore it is an issue to test IPV6 
connectivity based only on ICMP.


Example ip6tables ICMPv6 rules that will allow a router to pass a basic 
ping6 test:
ip6tables -A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j DROP

Later I will upgrade the script to test tcp\http level connectivity so 
it will be more useful as a debugging tool.


* http://www.squid-cache.org/Doc/config/request_start_timeout/
* https://www.cert.org/downloads/IPv6/ip6tables_rules.txt
* https://www.sixxs.net/wiki/IPv6_Firewalling

On 29/01/2016 03:50, Nando Mendonca wrote:

Thanks! I ran tcpdump, didn't really notice anything. Any other suggestions?

Thanks,
Nando


On Jan 25, 2016, at 10:07 AM, Anders Gustafsson wrote:

Do a packet trace on the LDAP connection. I bet the delay happens there. Also: 
I suspect that it might do the same LDAP lookup for EVERY HTTP session of which 
there might be thousands for a complex page.



nando mendonca  2016-01-25 17:52 >>>

I'm running squid 3.5.12, i'm using ldap for authentication. When trying to
browse the internet from clients it takes up to 10 minutes for the website
to load. Can you please assist me in troubleshooting what the issue is?
Below is my squid.conf file.
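
Since ICMP is often filtered, the IPv4/IPv6 comparison described in this message can also be made at TCP level. The following is an added example, not the script linked in the message; the function names, status strings and verdict strings are assumptions of this sketch. It times one connect attempt per address family so that a slow IPv6 failure stands out from a host that simply has no IPv6 address.

```python
import socket
import sys
import time


def probe_tcp(host, port, family, timeout=3.0):
    """Resolve `host` for one address family and try a TCP connect to each address.

    Returns a dict with status "connected", "no-address" (nothing resolved for
    this family) or "failed" (addresses exist but none accepted the connection).
    """
    started = time.monotonic()
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"status": "no-address", "detail": str(exc),
                "seconds": time.monotonic() - started}
    detail = "no usable address"
    for fam, stype, proto, _canon, addr in infos:
        try:
            with socket.socket(fam, stype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(addr)
            return {"status": "connected", "detail": addr[0],
                    "seconds": time.monotonic() - started}
        except OSError as exc:      # refused, unreachable, timed out, no IPv6 stack
            detail = f"{addr[0]}: {exc}"
    return {"status": "failed", "detail": detail,
            "seconds": time.monotonic() - started}


def dual_stack_report(host, port=80, timeout=3.0):
    """Probe both families and classify the result."""
    v4 = probe_tcp(host, port, socket.AF_INET, timeout)
    v6 = probe_tcp(host, port, socket.AF_INET6, timeout)
    if v4["status"] == "connected" and v6["status"] == "connected":
        verdict = "dual-stack-ok"
    elif v4["status"] == "connected" and v6["status"] == "failed":
        # The host publishes an IPv6 address but this machine cannot reach it:
        # the situation described in the message above.
        verdict = "ipv6-broken"
    elif v4["status"] == "connected":
        verdict = "ipv4-only-host"
    elif v6["status"] == "connected":
        verdict = "ipv4-unavailable"
    else:
        verdict = "unreachable"
    return {"host": host, "port": port, "ipv4": v4, "ipv6": v6, "verdict": verdict}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    report = dual_stack_report(target)
    for fam in ("ipv4", "ipv6"):
        r = report[fam]
        print(f"{fam}: {r['status']:<11} {r['seconds']:.2f}s  {r['detail']}")
    print("verdict:", report["verdict"])
```

Run it on the proxy host itself against a site known to have both A and AAAA records.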




Re: [squid-users] squid 3.1 ldap authentication

2016-01-28 Thread Eliezer Croitoru

  
  
Hey Nando,

Can you test something?

On 25/01/2016 17:52, nando mendonca wrote:

> external_acl_type ldap_group %LOGIN /usr/local/squid1/libexec/ext_ldap_group_acl -R -b "ou=groups,dc=gcsldap,dc=corp,dc=domain,dc=com" -D "cn=cost,ou=admin,dc=gcsldap,dc=corp,dc=domain,dc=com" -f "(&(memberuid=%u) (cn=%a))" -w password -h ldap.corp.domain.com

In the above replace the "%LOGIN" with "%un" and see what happens.
The differences are mentioned at:
http://www.squid-cache.org/Doc/config/external_acl_type/

Also comparing your command to what I have tested with I see
something different.
My test command can be seen in this ML thread:
- http://lists.squid-cache.org/pipermail/squid-users/2015-July/004874.html
I do not have the executable in my hands so I don't know the meaning
of the "-R" flag and compared to the command I have used it's
different.

Try the above and we will see the results,
Eliezer

  



Re: [squid-users] squid 3.1 ldap authentication

2016-01-25 Thread nando mendonca
Hi All,

I'm running squid 3.5.12, i'm using ldap for authentication. When trying to
browse the internet from clients it takes up to 10 minutes for the website
to load. Can you please assist me in troubleshooting what the issue is?
Below is my squid.conf file.




cache_mem 1048 MB
cache_log /usr/local/squid1/var/logs/cache.log
cache_swap_high 95
cache_swap_low 90
dns_nameservers x.x.x.x

#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src x.x.x.x.0/24
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7   # RFC 4193 local private network range
#acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

## Ports to allow:
acl Safe_ports port 443 # https
acl Safe_ports port 80  # http
acl Safe_ports port 8080
#acl Safe_ports port 21 # ftp
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http

## CONNECT method:
#acl CONNECT method CONNECT

## LDAP Authentication ##
auth_param basic program /usr/local/squid1/libexec/basic_ldap_auth -b "dc=ldap,dc=corp,dc=domain,dc=com" -f "uid=%s" ldapserv.corp.domain.com
auth_param basic children 5
#auth_param basic realm Web-Proxy
auth_param basic credentialsttl 30 minutes
acl ldap-auth proxy_auth REQUIRED

## Visible Hostname ##
visible_hostname proxy-01

external_acl_type ldap_group %LOGIN /usr/local/squid1/libexec/ext_ldap_group_acl -R -b "ou=groups,dc=gcsldap,dc=corp,dc=domain,dc=com" -D "cn=cost,ou=admin,dc=gcsldap,dc=corp,dc=domain,dc=com" -f "(&(memberuid=%u) (cn=%a))" -w password -h ldap.corp.domain.com

#external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "ou=groups,dc=mydomain,dc=net" -D "cn=root,dc=mydomain,dc=net" -f "(&(sn=%u) (cn=%a))" -w password -h localhost

#http_access allow ldap-auth

## ACL's for group checking ##
acl yumrepo external ldap_group yumrepo
acl winupdate external ldap_group winupdate
acl network-update external ldap_group network-update

## ACL's for url domains ##
acl rule1 url_regex -i "/usr/local/squid1/etc/allowed/yumrepo/domains"
acl rule2 url_regex -i "/usr/local/squid1/etc/allowed/winupdate/domains"
acl rule3 url_regex -i "/usr/local/squid1/etc/allowed/network-update/domains"

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#http_access allow localhost

http_access allow rule1 ldap-auth yumrepo
http_access allow rule2 ldap-auth winupdate
http_access allow rule3 ldap-auth network-update

# And finally deny all other access to this proxy
#http_access deny all

# Squid normally listens to port 3128
http_port 8080

# Uncomment and adjust the following to add a disk cache directory.
maximum_object_size 1000 MB
cache_dir ufs /var/spool/squid 1000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
#refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire override-lastmod ignore-no-cache ignore-no-store ignore-private
#refresh_pattern -i .(deb|rpm|exe|zip|tar|tgz|bz2|ram|rar|bin)$  129600 100% 129600 override-expire ignore-no-cache ignore-no-store

refresh_pattern .   0   20% 4320
debug_options ALL,1 33,2 28,9

On Wed, Oct 7, 2015 at 12:18 PM, nando mendonca 
wrote:

> Hi,
>
> I have squid 3.1 

Re: [squid-users] Squid 3.5.10 ldap helpers can't "reconfigure"

2015-11-05 Thread Amos Jeffries
On 6/11/2015 5:21 a.m., Fabio Almeida wrote:
> Hi folks,
> 
> I have and Squid 3.5.10 instance that I can't reconfigure, it crashes if
> there's many spawned ldap helpers.
> But, if there's not many people connect it reconfigure normal as expected.
> 
> It's running on a FreeBSD 10.1-RELEASE-p19 amd64 with the following

> There's a total of 439 ldap group helpers enabled.

Why so many? external ACL lookups are both merged and cached, so this
many helpers suggests an overly complex configuration.


> For user's authentication there's 127 helpers enabled.
> 
> It works as expected, except when um run "squid -k reconfigure", it crashes.
> 
> Is there a 'magical' total number of helpers it can manage?

Depends on exactly why the crash happens.


I suspect it is issues inherent in fork(). The machine needs lots of
virtual memory capacity to run helpers. Not actual memory, or swap space
just virtual memory capacity.

On reconfigure it comes out at something like (N+1)*M + (N+1)*m where N
is the number of helpers, M is Squid current memory usage, and m Squid
memory usage when the existing helpers started.

On startup that is just (N+1)*M, with a smaller value of M so it's not so
noticeable what will happen later.

The M varies relative to the amount of currently active users. With its
minimum value being cache_mem plus index size.

The dynamic helpers feature can reduce the N down to the minimum Squid
actually needs to operate. But does not solve the problem entirely, and
can make the values of m be a bit larger.

Amos


Re: [squid-users] squid 3.1 ldap authentication

2015-10-10 Thread Amos Jeffries
On 10/10/2015 8:16 a.m., nando mendonca wrote:
> Hi Amos,
> 
> Below is my squid.conf configuration. I can login and browse any site
> entering my ldap username. This is working fine.
> 
> Below i would like to use squid_ldap_group -R to allow certain ldap groups
> to browse only certain sites. Below "admins" and "sales" are two ldap
> groups, can i allow the "admins" group to browse a couple of sites and deny
> all others, and also have the "sales" group browse different sites and deny
> all other ldap groups access?
> 
> When i run 'squid -k parse', i'm not seeing any configuration errors.

Then your Squid is a bit outdated. Please consider an upgrade.
The current Squid will at least complain about the manager and localhost
ACL definitions being built-in.


> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> 
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 192.168.30.0/24# RFC1918 possible internal network
> acl localnet src 192.168.20.0/24
> #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> #acl localnet src 192.168.0.0/16# RFC1918 possible internal network
> acl localnet src fc00::/7   # RFC 4193 local private network range
> acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged)
> machines
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8080
> acl CONNECT method CONNECT
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -b
> "dc=test,dc=corp,dc=domain,dc=com" -f "uid=%s" test.corp.domain.com
> auth_param basic children 5
> #auth_param basic realm Web-Proxy
> auth_param basic credentialsttl 30 minutes
> acl ldap-auth proxy_auth REQUIRED
> http_access allow ldap-auth

The problem you have is that you are allowing access to anyone who is
authenticated. End of story. No other permissions required. The
remainder of your access control config does nothing.

You need to do this instead:

 http_access deny !ldap-auth


> 
> #http_access deny all
> visible_hostname proxy-server-01
> 
> 
> ## Block access to Google ##
> #external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R
> -b "dc=test,dc=corp,dc=domain,dc=com" -D
> "ou=Groups,dc=test,dc=corp,dc=domain,dc=com" -f "(&(objectclass=person)
> (sAMAccountName=%v) (memberof=cn=%a,
> ou=Groups,dc=test,dc=corp,dc=domain,dc=com))" -h test.corp.domain.com
> 
> #acl admin external ldap_group admin
> #acl sales external ldap_group sales
> 
> #acl rule1 url_regex -i "/etc/squid/blacklists/admin/domains"
> #acl rule2 url_regex -i "/etc/squid/blacklists/sales/domains"
> 
> #http_access allow admin rule1
> #http_access allow sales rule2
> #http_access deny all
> 

Once you are using "deny !ldap-auth" for the auth check these group rules
will have a chance of doing something.


However, all of the above http_access lines should be placed below the
line which says "INSERT YOUR OWN RULE(S) HERE"

> 
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> 

Current best practice is to place these manager rules below the "CONNECT
!SSL_Ports" line.


> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #

Notice what the line above says. And how your authentication rules are
all up top well above the default rules that protect your system against
DoS and protocol abuse attacks.


> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 

Once you have authentication going you may want to remove these.


> 
> # And finally deny all other access to this proxy
> #http_access deny all
> 

Re-enable that "deny all" rule as the last http_access line.

Amos
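
The effect of rule order described in this reply, and the `http_access allow password !pdfdoc` attempt in the bypass thread earlier on this page, can be reproduced with a simplified model of how Squid walks http_access lines: the first matching line wins, the ACLs on a line are tested left to right, and a proxy_auth ACL tested on a request without credentials ends the walk with a 407. This is an added example, not Squid code and not a configuration from the thread; the domain values behind rule1 and rule2, the user name, and the `BYPASS_FIRST` ordering are assumptions.

```python
ALLOW, DENY, CHALLENGE = "allow", "deny", "407"


class AuthRequired(Exception):
    """A proxy_auth ACL was tested on a request that carries no credentials."""


def proxy_auth(request):
    # Models "acl <name> proxy_auth REQUIRED": any logged-in user matches.
    if request.get("user") is None:
        raise AuthRequired
    return True


def dstdomain(*domains):
    return lambda request: request["host"] in domains


def group(name):
    # Stands in for "acl <name> external ldap_group <name>".
    return lambda request: name in request.get("groups", ())


ACLS = {
    "all": lambda request: True,
    "ldap-auth": proxy_auth,
    "password": proxy_auth,
    "admin": group("admin"),
    "sales": group("sales"),
    "rule1": dstdomain("admin-site.example"),   # constructed value
    "rule2": dstdomain("sales-site.example"),   # constructed value
    "pdfdoc": dstdomain("webgate.ec.europa.eu"),
}

# Ordering from the quoted config, with the group rules enabled.
AUTH_ALLOW_FIRST = [
    "http_access allow ldap-auth",
    "http_access allow admin rule1",
    "http_access allow sales rule2",
    "http_access deny all",
]
# Ordering with the replacement line from the reply.
AUTH_DENY_FIRST = ["http_access deny !ldap-auth"] + AUTH_ALLOW_FIRST[1:]

# The three lines tried in the bypass thread, and an assumed alternative order.
BYPASS_AS_TRIED = [
    "http_access allow password !pdfdoc",
    "http_access allow pdfdoc",
    "http_access deny all",
]
BYPASS_FIRST = [
    "http_access allow pdfdoc",
    "http_access allow password",
    "http_access deny all",
]


def evaluate(rules, request, acls=ACLS):
    """Return "allow", "deny" or "407" for one request."""
    last_action = None
    for line in rules:
        _directive, action, *names = line.split()
        last_action = action
        try:
            # all() stops at the first ACL that does not match (left to right).
            if all(acls[n.lstrip("!")](request) != n.startswith("!") for n in names):
                return action
        except AuthRequired:
            return CHALLENGE
    # No line matched: the opposite of the last line's action applies.
    return ALLOW if last_action == DENY else DENY


if __name__ == "__main__":
    sales_elsewhere = {"host": "other.example", "user": "nando", "groups": ("sales",)}
    anonymous_pdf = {"host": "webgate.ec.europa.eu", "user": None}
    print("allow ldap-auth first :", evaluate(AUTH_ALLOW_FIRST, sales_elsewhere))
    print("deny !ldap-auth first :", evaluate(AUTH_DENY_FIRST, sales_elsewhere))
    print("bypass as tried       :", evaluate(BYPASS_AS_TRIED, anonymous_pdf))
    print("bypass rule first     :", evaluate(BYPASS_FIRST, anonymous_pdf))
```

Any destination placed ahead of the authentication rule is reachable by every client of the proxy, so such a list should stay as narrow as the application allows.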


Re: [squid-users] squid 3.1 ldap authentication

2015-10-07 Thread Amos Jeffries
On 8/10/2015 8:18 a.m., nando mendonca wrote:
> Hi,
> 
> I have squid 3.1 installed using ldap authentication. When i access a
> browser i enter my ldap credentials and it works fine. I’m able to browse
> all sites without any issues.
> 
> 
> Is there a way to use ldap groups to allow certain groups access to a few
> sites on the internet and then pretty much block everything else?

Please read this page 

Particularly the sections titled "Common Mistakes".

> 
> I’m able to restrict access to only a couple of sites and block everything
> else without using ldap group authentication, was just hoping this can be
> done with ldap group authentication.

Well, no because you cannot authenticate a whole group. There is no such
thing as "ldap group authentication"

There is group *authorization*, with LDAP protocol used to fetch the
group details.

Amos



[squid-users] squid 3.1 ldap authentication

2015-10-07 Thread nando mendonca
Hi,

I have squid 3.1 installed using ldap authentication. When i access a
browser i enter my ldap credentials and it works fine. I’m able to browse
all sites without any issues.


Is there a way to use ldap groups to allow certain groups access to a few
sites on the internet and then pretty much block everything else?


I’m able to restrict access to only a couple of sites and block everything
else without using ldap group authentication, was just hoping this can be
done with ldap group authentication.


Thanks,
Nando


Re: [squid-users] Squid proxy LDAP Authentication.

2013-01-25 Thread jeffrey j donovan

On Jan 25, 2013, at 2:34 AM, Rajesh Kamath rajesh.kam...@robosoftin.com wrote:

> Dear All,
>
> I have configured squid proxy under Mac OS X server mountain lion
> successfully. But now I am stuck with LDAP server authentication. Attached is
> my squid.conf file. When I tried to browse any sites, I am getting TCP_DENIED/407
> error. Please help me in this regard.
>
> Attached is my server squid.conf and access log file.
>
> Regards
> Rajesh
> info.txt

Greetings,

do you get prompted for ldap_auth ?
was squid compiled to use ldap?
--enable-basic-auth-helpers=NCSA,LDAP,PAM,SASL,getpwnam

I tried to use ldap on osx some years ago and ended up using a flat file NTLM 
auth. i can't remember the problem I had but it was something similar where 
squid did not have access to the ldap module.

-j




[squid-users] Squid proxy LDAP Authentication.

2013-01-24 Thread Rajesh Kamath
Dear All,
 
I have configured squid proxy under Mac OS X server mountain lion 
successfully. But now I am stuck with LDAP server authentication. Attached is my 
squid.conf file. When I tried to browse any sites, I am getting TCP_DENIED/407 
error. Please help me in this regard.

Attached is my server squid.conf and access log file.
 
Regards
Rajesh


Squid.conf details:
 
 vi /usr/local/squid/etc/squid.conf
==
#
# Recommended minimum configuration:
 
auth_param basic program  /usr/local/squid/libexec/basic_ldap_auth -b cn=users -D dc=xxx -h ldap.xxx.com
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -b dc=RoboServer -f cn=%s -h ldap.robosoftin.com
auth_param basic children 9
auth_param basic realm Robosoft Technologies Pvt. Ltd.
auth_param basic credentialsttl 2 hours
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
#http_access allow localhost
http_access deny all
authenticate_ttl 8 hour
 
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7   # RFC 4193 local private network range
#acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
 
acl allowed src 10.10.1.46
 
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
#http_access allow localhost manager
#http_access deny manager
 
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
 
# Deny CONNECT to other than secure SSL ports
#http_access allow CONNECT SSL_ports
http_access deny CONNECT !SSL_ports
 
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost
 
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
 
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow all
http_access allow localnet
#http_access allow localhost
 
# And finally deny all other access to this proxy
http_access deny all
icp_access allow localnet
icp_access deny all
 
htcp_access allow localnet
htcp_access deny all
 

# Squid normally listens to port 3128
http_port 3128
 
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/local/squid/var/cache  500 16 256
maximum_object_size 4096 KB
#access log and cache log settings
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
pid_filename /usr/local/squid/var/run/squid.pid
 
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid
 

 
tail -f /usr/local/squid/var/logs/access.log
 
1359098415.306  0 10.10.1.46 TCP_DENIED/407 2304 GET http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag? - NONE/- text/html
1359098415.605  0 10.10.1.46 TCP_DENIED/407 2304 GET http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag? - NONE/- text/html
1359098415.607  0 10.10.1.46 TCP_DENIED/407 2304 GET http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag? - NONE/- text/html
===





Re: [squid-users] Squid with LDAP digest error

2012-09-14 Thread Sean Boran
should the input not be user + password separated by a space?
   echo usuario1 password |

Sean


On 13 September 2012 14:42, Bijoy Lobo bijoy.l...@paladion.net wrote:
 Hello all,

 I am trying to make Squid + LDAP work with MD5 digest. I've tried this command,

 echo 'usuario1:Squid proxy-caching web server' |
 /usr/lib/squid3/digest_ldap_auth -b ou=people,dc=paladion,dc=com -u
 uid=%s -A userPassword -D cn=admin,dc=test,dc=com -w test@123
 -e -v 3 -h 127.0.0.1

 output is
 ERR No such user


 LDAP Search Output

 root@Proxy:~# ldapsearch -xLLL | grep usuario
 dn: uid=usuario1,ou=people,dc=test,dc=com
 uid: usuario1

 --
 Thanks and Regards
 Bijoy Lobo
 Paladion Networks


Re: [squid-users] Squid with LDAP digest error

2012-09-14 Thread Bijoy Lobo
I guess it works differently with digest. I've read it should be done like this,

username:REALM

On Fri, Sep 14, 2012 at 5:51 PM, Sean Boran s...@boran.com wrote:
 should the input not be user + password separated by a space?
echo usuario1 password |

 Sean


 On 13 September 2012 14:42, Bijoy Lobo bijoy.l...@paladion.net wrote:
 Hello all,

 I am trying to make Squid + LDAP work with MD5 digest. I've tried this 
 command,

 echo 'usuario1:Squid proxy-caching web server' |
 /usr/lib/squid3/digest_ldap_auth -b ou=people,dc=paladion,dc=com -u
 uid=%s -A userPassword -D cn=admin,dc=test,dc=com -w test@123
 -e -v 3 -h 127.0.0.1

 output is
 ERR No such user


 LDAP Search Output

 root@Proxy:~# ldapsearch -xLLL | grep usuario
 dn: uid=usuario1,ou=people,dc=test,dc=com
 uid: usuario1

 --
 Thanks and Regards
 Bijoy Lobo
 Paladion Networks



-- 
Thanks and Regards
Bijoy Lobo
Paladion Networks


[squid-users] Squid with LDAP digest error

2012-09-13 Thread Bijoy Lobo
Hello all,

I am trying to make Squid + LDAP work with MD5 digest. I've tried this command,

echo 'usuario1:Squid proxy-caching web server' | /usr/lib/squid3/digest_ldap_auth -b ou=people,dc=paladion,dc=com -u uid=%s -A userPassword -D cn=admin,dc=test,dc=com -w test@123 -e -v 3 -h 127.0.0.1

output is
ERR No such user


LDAP Search Output

root@Proxy:~# ldapsearch -xLLL | grep usuario
dn: uid=usuario1,ou=people,dc=test,dc=com
uid: usuario1

--
Thanks and Regards
Bijoy Lobo
Paladion Networks


[squid-users] Squid - digest LDAP authentication nounce invalidation

2011-11-04 Thread Joshi Pradyumna

Hi all,

We are using digest_ldap_auth with Open LDAP for squid digest 
authentication. It is working well but there is an issue.


When the user-password is changed on the LDAP server, squid should 
invalidate existing nonce after the specified nonce_garbage_interval 
and should generate a new nonce corresponding to the new password. But, 
it is seen that user can still access the internet site(s) using the old 
password. In short, old and new password nonce values are valid and 
this situation will prevail till the squid re-start.


The squid config. parameters set for digest authentication are:

auth_param digest children 5
auth_param digest realm My Realm
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 180 minutes
auth_param digest nonce_max_count 50
auth_param digest check_nonce_count on

Versions:
Squid version: Squid 3.0 STABLE 16
OpenLdap version: 2.3.27

Any help would be greatly appreciated.

Thanks and regards,
Joshi


[squid-users] Squid with ldap/kerberos - advice?

2011-07-04 Thread Roland Roland


Hello,

I'm trying to get squid to work with a Mac OS X based LDAP.

I have a couple of questions if you can help me with:

1. Does a centos based yum installation contain ldap and kerberos support?
2. Is the following squid.conf config enough to get things up and 
running (complete article 
http://www.cyberciti.biz/tips/howto-configure-squid-ldap-authentication.html)

auth_param basic program /usr/lib/squid/squid_ldap_auth -b dc=nixcraft,dc=com -f uid=%s -h ldap.nixcraft.com
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
http_access deny all

3. If repository based squid doesn't come with ldap/kerberos support. is 
the following enough:

./configure --enable-basic-auth-helpers=LDAP --enable-external-acl-helpers=ldap_group


NB: if you can guide me to a how to i'd appreciate it.


Thank you for help and best regards,

--Roland


Re: [squid-users] Squid with ldap/kerberos - advice?

2011-07-04 Thread Lindsay Hill

On 07/05/2011 05:04 PM, Roland Roland wrote:


Hello,

I'm trying to get squid to work with a Mac OS X based LDAP.

I have a couple of questions if you can help me with:

1. Does a centos based yum installation contain ldap and kerberos 
support?
2. Is the following squid.conf config enough to get things up and 
running (complete article 
http://www.cyberciti.biz/tips/howto-configure-squid-ldap-authentication.html)

auth_param basic program /usr/lib/squid/squid_ldap_auth -b dc=nixcraft,dc=com -f uid=%s -h ldap.nixcraft.com
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
http_access deny all

3. If repository based squid doesn't come with ldap/kerberos support. 
is the following enough:

./configure --enable-basic-auth-helpers=LDAP --enable-external-acl-helpers=ldap_group


NB: if you can guide me to a how to i'd appreciate it.


Thank you for help and best regards,

--Roland


I configured something similar recently - Kerberos authentication with a 
Mac OS X Server, and Mac OS and RHEL clients. I'm not worried about 
LDAP, just the Kerberos part. That config you've got there uses Basic 
Auth, which means plaintext. In most environments that is not acceptable.


I think it should work with Squid 2.6 (the version that comes with 
Centos 5.6), but I wanted to get dynamic SSL certificate generation 
working, so I've compiled and run a very recent release. The CentOS RPM 
does include the helpers, so it should do what you want.


 - Lindsay


Re: [squid-users] squid + digest ldap + password

2011-05-26 Thread Amos Jeffries

On 26/05/11 01:36, Maximiliano de Mattos wrote:

Hi...  :)

I use squid v2.7 with ldap_auth authentication storing password as ssha hash.

Now, I want to have digest ldap authentication, so I recompile squid
and configure auth_param to use this helper and configure them.

So, testing digest_ldap_auth, all are ok (or I think) :)


snip


¿The password value must be stored on ldap server in clear text mode? :(


Yes. Seems to be a flaw in LDAP digest implementation.

If you are lucky your LDAP server will have reversible encryption of the 
passwords for storage, to improve a bit over open plain text storage. 
But Digest-MD5 requires each end to know the plain-text version of the 
password in order to hash and validate the nonce tokens.




¿How squid manage encrypted passwords with digest method?


Squid is not aware of the passwords. Just a nonce token that gets passed 
around. Squid acts like a blind relay between the client browser and 
auth server. This is true for all auth methods Squid supports.



¿Any other ideas?


If you want better security than digest look at Kerberos. Which is fully 
encrypted with tokens not related to the password.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1


Re: [squid-users] squid + digest ldap + password

2011-05-26 Thread Maximiliano de Mattos
thanks Amos!

Now, I try with squid v3, if I remember ok I think I saw a post on
that this version can manage hashed pwds... but now I can't find them
:(
In other way I'm thinking to implement a helper that makes this
authentication (taking user + password in clear text as parameters) and
if this is correct, return to digest the result of MD5(user:realm:pwd
in clear text mode)... or ERR in other case...

thanks again!

2011/5/26 Amos Jeffries squ...@treenet.co.nz:
 On 26/05/11 01:36, Maximiliano de Mattos wrote:

 Hi...  :)

 I use squid v2.7 with ldap_auth authentication storing password as ssha
 hash.

 Now, I want to have digest ldap authentication, so I recompile squid
 and configure auth_param to use this helper and configure them.

 So, testing digest_ldap_auth, all are ok (or I think) :)

 snip

 ¿The password value must be stored on ldap server in clear text mode? :(

 Yes. Seems to be a flaw in LDAP digest implementation.

 If you are lucky your LDAP server will have reversible encryption of the
 passwords for storage, to improve a bit over open plain text storage. But
 Digest-MD5 requires each end to know the plain-text version of the password
 in order to hash and validate the nonce tokens.


 ¿How squid manage encrypted passwords with digest method?

 Squid is not aware of the passwords. Just a nonce token that gets passed
 around. Squid acts like a blind relay between the client browser and auth
 server. This is true for all auth methods Squid supports.

 ¿Any other ideas?

 If you want better security than digest look at Kerberos. Which is fully
 encrypted with tokens not related to the password.

 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1




-- 
Salu2 ;)


Re: [squid-users] squid + digest ldap + password

2011-05-26 Thread Amos Jeffries

On 27/05/11 04:00, Maximiliano de Mattos wrote:

thanks Amos!

Now, I try with squid v3, if I remember ok I think I saw a post on
that this version can manage hashed pwds... but now I can't find them
:(


I recall we added it for the Basic auth DB helper. But there is almost 
no change to the Digest since 2.7. Just some logic bugs.



In other way I'm thinking to implement a helper that makes this
authentication (taking user + password in clear text as parameters) and
if this is correct, return to digest the result of MD5(user:realm:pwd
in clear text mode)... or ERR in other case...


Think carefully. If the helper is for Squid the data it gets given is 
straight off the wire.
Doing plain-text over the wire (Basic auth) then converting to Digest 
for the final step once it is already inside secure areas is a bit late.


A Digest helper or update which uses some secure but reversible encrypt 
for storage in LDAP would be very welcome.


Or even a digest helper which decrypts MD5 hash using the realm and 
username Squid knows about. To recover the attempted password, do SSHA 
on it and compare it against the SSHA stored real one.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1


[squid-users] squid + digest ldap + password

2011-05-25 Thread Maximiliano de Mattos
Hi...  :)

I use squid v2.7 with ldap_auth authentication storing password as ssha hash.

Now, I want to have digest ldap authentication, so I recompile squid
and configure auth_param to use this helper and configure them.

So, testing digest_ldap_auth, all are ok (or I think) :)

  # echo 'userTest:Squid proxy-caching web server' |
/usr/local/squid/libexec/digest_ldap_auth -b
dc=maximatt,dc=com,dc=uy
  -A userpassword -F
((uid=%s)(enableUser=TRUE)(enableProxyAccount=TRUE)) -D
uid=proxybind,cn=WebCache-Proxy,cn=
  Services,cn=Directory Administrators,dc=maximatt,dc=com,dc=uy
-w esta_no_es -v 3 -p 636 -d -h ldap://ldap.maximatt.com.uy
  Connected OK
  user filter
'((uid=userTest)(enableUser=TRUE)(enableProxyAccount=TRUE))',
searchbase 'dc=maximatt,dc=com,dc=uy'
  password: {SSHA}M9pU6W7QR/0uM996nUFTTi9avvOw46geEx/aeA==
  a71d65c82f4e6fcf0db600667362cb0d

  # echo -n 'userTest:Squid proxy-caching web
server:{SSHA}M9pU6W7QR/0uM996nUFTTi9avvOw46geEx/aeA==' | md5sum
  a71d65c82f4e6fcf0db600667362cb0d  -

ok! :) I change squid config and restart the server and... it does not work :'(

if I try to access a web page to see the news :)  the authentication does not work:

  # lwp-request -d -e -U -u  -p http://192.168.45.8:3128/
http://www.elpais.com.uy
  Enter username for Squid proxy-caching web server at
192.168.45.8:3128: userTest
  Password: pass
  Enter username for Squid proxy-caching web server at
192.168.45.8:3128: userTest
  Password: pass
  Enter username for Squid proxy-caching web server at 192.168.45.8:3128:
  :
  :

¿The password value must be stored on ldap server in clear text mode? :(
¿How squid manage encrypted passwords with digest method?
¿Any other ideas?

Thanks in advance! :)


--
Salu2 ;)



--
Salu2 ;)


[squid-users] Squid 3.1.11 LDAP compile error

2011-02-08 Thread Michael_Grasso

I'm trying to setup Squid 3.1.11 as a reverse proxy with LDAP
authentication. I compiled Squid with the  --enable-basic-auth-helpers=LDAP
but when I run make, I get the below error. I'm using Suse Linux Enterprise
server 11 with SP1. Any ideas?

squid_ldap_auth.c:641: error: expected ‘)’ before ‘*’ token
make[3]: *** [squid_ldap_auth.o] Error 1
make[3]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth/LDAP'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/squid-3.1.11/helpers'
make: *** [all-recursive] Error 1

Thanks,

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443



Re: [squid-users] Squid 3.1.11 LDAP compile error

2011-02-08 Thread Chad Naugle
Sounds like a fairly basic coding syntax error that any motivated
programmer can quickly resolve themselves.

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:39 AM 

I'm trying to setup Squid 3.1.11 as a reverse proxy with LDAP
authentication. I compiled Squid with the 
--enable-basic-auth-helpers=LDAP
but when I run make, I get the below error. I'm using Suse Linux
Enterprise
server 11 with SP1. Any ideas?

squid_ldap_auth.c:641: error: expected ‘)’ before ‘*’ token
make[3]: *** [squid_ldap_auth.o] Error 1
make[3]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth/LDAP'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/squid-3.1.11/helpers'
make: *** [all-recursive] Error 1

Thanks,

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443



Travel Impressions made the following annotations
-
This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information.  If you are not
the intended recipient, any disclosure, copying, use, or distribution of
the information included in this message and any attachments is
prohibited.  If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments.
Thank you.


Re: [squid-users] Squid 3.1.11 LDAP compile error

2011-02-08 Thread Michael_Grasso
Sorry, I don't understand your answer. I'm trying to compile squid with
LDAP support.

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443



   
  From:    Chad Naugle chad.nau...@travimp.com
  To:      michael_gra...@cadc.uscourts.gov, squid-users@squid-cache.org
  Date:    02/08/2011 10:47 AM
  Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error
   





Sounds like a fairly basic coding syntax error that any motivated
programmer can quickly resolve themselves.

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:39 AM 

I'm trying to setup Squid 3.1.11 as a reverse proxy with LDAP
authentication. I compiled Squid with the
--enable-basic-auth-helpers=LDAP
but when I run make, I get the below error. I'm using Suse Linux
Enterprise
server 11 with SP1. Any ideas?

squid_ldap_auth.c:641: error: expected ‘)’ before ‘*’ token
make[3]: *** [squid_ldap_auth.o] Error 1
make[3]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth/LDAP'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/squid-3.1.11/helpers'
make: *** [all-recursive] Error 1

Thanks,

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443








Re: [squid-users] Squid 3.1.11 LDAP compile error

2011-02-08 Thread Chad Naugle
I am investigating, but it seems to me that your issue could be platform
specific, to SLES 11 SP1, because the code has not changed since 3.1.10.
 Are you upgrading Squid, or is this the first time you are compiling
Squid?

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:55 AM 
Sorry, I don't understand your answer. I'm trying to compile squid
with
LDAP support.

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443



  

  From:    Chad Naugle chad.nau...@travimp.com
  To:      michael_gra...@cadc.uscourts.gov, squid-users@squid-cache.org
  Date:    02/08/2011 10:47 AM
  Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error

  






Sounds like a fairly basic coding syntax error that any motivated
programmer can quickly resolve themselves.

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:39 AM 

I'm trying to setup Squid 3.1.11 as a reverse proxy with LDAP
authentication. I compiled Squid with the
--enable-basic-auth-helpers=LDAP
but when I run make, I get the below error. I'm using Suse Linux
Enterprise
server 11 with SP1. Any ideas?

squid_ldap_auth.c:641: error: expected ‘)’ before ‘*’ token
make[3]: *** [squid_ldap_auth.o] Error 1
make[3]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth/LDAP'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/squid-3.1.11/helpers'
make: *** [all-recursive] Error 1

Thanks,

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443





Re: [squid-users] Squid 3.1.11 LDAP compile error

2011-02-08 Thread Michael_Grasso
This is a fresh install on a test server. You're probably right on it being a
platform specific problem.

Thanks...



   
  From:    Chad Naugle chad.nau...@travimp.com
  To:      michael_gra...@cadc.uscourts.gov
  Cc:      squid-users@squid-cache.org
  Date:    02/08/2011 10:58 AM
  Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error
   





I am investigating, but it seems to me that your issue could be platform
specific, to SLES 11 SP1, because the code has not changed since 3.1.10.
 Are you upgrading Squid, or is this the first time you are compiling
Squid?

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:55 AM 
Sorry, I don't understand your answer. I'm trying to compile squid
with
LDAP support.

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443





  From:    Chad Naugle chad.nau...@travimp.com
  To:      michael_gra...@cadc.uscourts.gov, squid-users@squid-cache.org
  Date:    02/08/2011 10:47 AM
  Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error








Sounds like a fairly basic coding syntax error that any motivated
programmer can quickly resolve themselves.

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:39 AM 

I'm trying to setup Squid 3.1.11 as a reverse proxy with LDAP
authentication. I compiled Squid with the
--enable-basic-auth-helpers=LDAP
but when I run make, I get the below error. I'm using Suse Linux
Enterprise
server 11 with SP1. Any ideas?

squid_ldap_auth.c:641: error: expected ‘)’ before ‘*’ token
make[3]: *** [squid_ldap_auth.o] Error 1
make[3]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth/LDAP'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/squid-3.1.11/helpers'
make: *** [all-recursive] Error 1

Thanks,

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443








Re: [squid-users] Squid 3.1.11 LDAP compile error

2011-02-08 Thread Chad Naugle
Is --enable-basic-auth-helpers=LDAP the only configure options, or
what else are you passing to ./configure so I can try to reproduce it?

 michael_gra...@cadc.uscourts.gov 2/8/2011 11:04 AM 
This is a fresh install on a test server. You're probably right on it
being a
platform specific problem.

Thanks...



  

  From:    Chad Naugle chad.nau...@travimp.com
  To:      michael_gra...@cadc.uscourts.gov
  Cc:      squid-users@squid-cache.org
  Date:    02/08/2011 10:58 AM
  Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error

  






I am investigating, but it seems to me that your issue could be
platform
specific, to SLES 11 SP1, because the code has not changed since
3.1.10.
Are you upgrading Squid, or is this the first time you are compiling
Squid?

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:55 AM 
Sorry, I don't understand your answer. I'm trying to compile squid
with
LDAP support.

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443





  From:    Chad Naugle chad.nau...@travimp.com
  To:      michael_gra...@cadc.uscourts.gov, squid-users@squid-cache.org
  Date:    02/08/2011 10:47 AM
  Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error








Sounds like a fairly basic coding syntax error that any motivated
programmer can quickly resolve themselves.

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:39 AM 

I'm trying to setup Squid 3.1.11 as a reverse proxy with LDAP
authentication. I compiled Squid with the
--enable-basic-auth-helpers=LDAP
but when I run make, I get the below error. I'm using Suse Linux
Enterprise
server 11 with SP1. Any ideas?

squid_ldap_auth.c:641: error: expected ‘)’ before ‘*’ token
make[3]: *** [squid_ldap_auth.o] Error 1
make[3]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth/LDAP'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/squid-3.1.11/helpers'
make: *** [all-recursive] Error 1

Thanks,

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443





Re: [squid-users] Squid 3.1.11 LDAP compile error

2011-02-08 Thread Michael_Grasso
I'm using the two below as well.

--enable-storeio=aufs --enable-removal-policies



   
  From:    Chad Naugle chad.nau...@travimp.com
  To:      michael_gra...@cadc.uscourts.gov
  Cc:      squid-users@squid-cache.org
  Date:    02/08/2011 11:10 AM
  Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error
   





Is --enable-basic-auth-helpers=LDAP the only configure options, or
what else are you passing to ./configure so I can try to reproduce it?

 michael_gra...@cadc.uscourts.gov 2/8/2011 11:04 AM 
This is a fresh install on a test server. You're probably right on it
being a
platform specific problem.

Thanks...





  From:    Chad Naugle chad.nau...@travimp.com
  To:      michael_gra...@cadc.uscourts.gov
  Cc:      squid-users@squid-cache.org
  Date:    02/08/2011 10:58 AM
  Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error








I am investigating, but it seems to me that your issue could be
platform
specific, to SLES 11 SP1, because the code has not changed since
3.1.10.
Are you upgrading Squid, or is this the first time you are compiling
Squid?

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:55 AM 
Sorry, I don't understand your answer. I'm trying to compile squid
with
LDAP support.

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443





  From:    Chad Naugle chad.nau...@travimp.com
  To:      michael_gra...@cadc.uscourts.gov, squid-users@squid-cache.org
  Date:    02/08/2011 10:47 AM
  Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error








Sounds like a fairly basic coding syntax error that any motivated
programmer can quickly resolve themselves.

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:39 AM 

I'm trying to setup Squid 3.1.11 as a reverse proxy with LDAP
authentication. I compiled Squid with the
--enable-basic-auth-helpers=LDAP
but when I run make, I get the below error. I'm using Suse Linux
Enterprise
server 11 with SP1. Any ideas?

squid_ldap_auth.c:641: error: expected ‘)’ before ‘*’ token
make[3]: *** [squid_ldap_auth.o] Error 1
make[3]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth/LDAP'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/squid-3.1.11/helpers'
make: *** [all-recursive] Error 1

Thanks,

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443








Re: [squid-users] Squid 3.1.11 LDAP compile error

2011-02-08 Thread Chad Naugle
Okay, I have been able to reproduce your error.

The problem, which I am searching for a solution right now, is because
SLES 11 SP1 appears to not install the LDAP headers required by Squid's
Helper.  I am searching for the correct RPM's you need to install
prior.

 michael_gra...@cadc.uscourts.gov 2/8/2011 11:13 AM 
I'm using the two below as well.

--enable-storeio=aufs --enable-removal-policies



  

  From:    Chad Naugle chad.nau...@travimp.com
  To:      michael_gra...@cadc.uscourts.gov
  Cc:      squid-users@squid-cache.org
  Date:    02/08/2011 11:10 AM
  Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error

  






Is --enable-basic-auth-helpers=LDAP the only configure options, or
what else are you passing to ./configure so I can try to reproduce it?

 michael_gra...@cadc.uscourts.gov 2/8/2011 11:04 AM 
This is a fresh install on a test server. You're probably right on it
being a
platform specific problem.

Thanks...





  From:    Chad Naugle chad.nau...@travimp.com
  To:      michael_gra...@cadc.uscourts.gov
  Cc:      squid-users@squid-cache.org
  Date:    02/08/2011 10:58 AM
  Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error








I am investigating, but it seems to me that your issue could be
platform
specific, to SLES 11 SP1, because the code has not changed since
3.1.10.
Are you upgrading Squid, or is this the first time you are compiling
Squid?

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:55 AM 
Sorry, I don't understand your answer. I'm trying to compile squid
with
LDAP support.

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443





  From:    Chad Naugle chad.nau...@travimp.com
  To:      michael_gra...@cadc.uscourts.gov, squid-users@squid-cache.org
  Date:    02/08/2011 10:47 AM
  Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error








Sounds like a fairly basic coding syntax error that any motivated
programmer can quickly resolve themselves.

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:39 AM 

I'm trying to setup Squid 3.1.11 as a reverse proxy with LDAP
authentication. I compiled Squid with the
--enable-basic-auth-helpers=LDAP
but when I run make, I get the below error. I'm using Suse Linux
Enterprise
server 11 with SP1. Any ideas?

squid_ldap_auth.c:641: error: expected ‘)’ before ‘*’ token
make[3]: *** [squid_ldap_auth.o] Error 1
make[3]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth/LDAP'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/squid-3.1.11/helpers'
make: *** [all-recursive] Error 1

Thanks,

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443




Re: [squid-users] Squid 3.1.11 LDAP compile error

2011-02-08 Thread Chad Naugle
Perform this:

rpm -q openldap2

Which will report to you what version of openldap is installed, my
system came with:

openldap2-2.4.20-0.4.29

Where the ldap.h header is included in the openldap2-devel package,
which will have other dependencies, such as libldap, and other
-devel packages.

It appears as if these packages do not exist on DVD1 for SLES 11 SP1,
so I am thinking they might be on DVD2.  This is quite different than
SLES 10, where all these files you need are on DVD1.

You also will need libber, and its associated -devel packages.

Squid should be checking for these files during ./configure, quite
honestly.

 michael_gra...@cadc.uscourts.gov 2/8/2011 11:47 AM 
Great. Thank you.



  

From: Chad Naugle chad.nau...@travimp.com
To: michael_gra...@cadc.uscourts.gov
Cc: squid-users@squid-cache.org
Date: 02/08/2011 11:31 AM
Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error

  






Okay, I have been able to reproduce your error.

The problem, which I am searching for a solution right now, is because
SLES 11 SP1 appears to not install the LDAP headers required by Squid's
Helper.  I am searching for the correct RPM's you need to install prior.

 michael_gra...@cadc.uscourts.gov 2/8/2011 11:13 AM 
I'm using the two below as well.

--enable-storeio=aufs --enable-removal-policies





From: Chad Naugle chad.nau...@travimp.com
To: michael_gra...@cadc.uscourts.gov
Cc: squid-users@squid-cache.org
Date: 02/08/2011 11:10 AM
Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error








Is --enable-basic-auth-helpers=LDAP the only configure options, or
what else are you passing to ./configure so I can try to reproduce it?

 michael_gra...@cadc.uscourts.gov 2/8/2011 11:04 AM 
This is a fresh install on a test server. You're probably right on it
being a platform specific problem.

Thanks...





From: Chad Naugle chad.nau...@travimp.com
To: michael_gra...@cadc.uscourts.gov
Cc: squid-users@squid-cache.org
Date: 02/08/2011 10:58 AM
Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error








I am investigating, but it seems to me that your issue could be platform
specific, to SLES 11 SP1, because the code has not changed since 3.1.10.
Are you upgrading Squid, or is this the first time you are compiling Squid?

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:55 AM 
Sorry, I don't understand your answer. I'm trying to compile squid with
LDAP support.

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443





From: Chad Naugle chad.nau...@travimp.com
To: michael_gra...@cadc.uscourts.gov, squid-users@squid-cache.org
Date: 02/08/2011 10:47 AM
Subject: Re: [squid-users] Squid 3.1.11 LDAP compile error








Sounds like a fairly basic coding syntax error that any motivated
programmer can quickly resolve themselves.

 michael_gra...@cadc.uscourts.gov 2/8/2011 10:39 AM 

I'm trying to setup Squid 3.1.11 as a reverse proxy with LDAP
authentication. I compiled Squid with the --enable-basic-auth-helpers=LDAP
but when I run make, I get the below error. I'm using Suse Linux Enterprise
server 11 with SP1. Any ideas?

squid_ldap_auth.c:641: error: expected ‘)’ before ‘*’ token
make[3]: *** [squid_ldap_auth.o] Error 1
make[3]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth/LDAP'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/squid-3.1.11/helpers/basic_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/squid-3.1.11/helpers'
make: *** [all-recursive] Error 1

Thanks,

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443




Re: [squid-users] Squid 3.1.11 LDAP compile error

2011-02-08 Thread Michael_Grasso
My system has the same version. I don't have the second SLES 11 DVD so I
will download now.

Thank you.



   

Re: [squid-users] Squid 3.1.11 LDAP compile error

2011-02-08 Thread Chad Naugle
I have not attempted to install DVD2 yet personally, but there is a
chance that I am wrong, and that the -devel packages are all part of
the SDK release, which is a separate download of 2 DVD's in itself.  I
do not personally like this approach that SLES 11 SP1 is going, because
SLES 10 SP3 (SP4 is probably coming out soon ?) it is much easier to
compile / install Squid with LDAP functionality, by simply installing
all the -devel packages right from the same DVD.


Re: [squid-users] Squid 3.1.11 LDAP compile error

2011-02-08 Thread Tom Tux
Hi

You just have to install the openldap2-devel-package from the
SLES11-SP1-SDK-DVD:
zypper install openldap2-devel

Then you should be able to compile squid.
Regards,
Tom



Re: [squid-users] squid + auth ldap

2010-06-20 Thread Henrik Nordström
On Wed, 2010-06-16 at 14:44 -0300, maximatt wrote:

> -  ¿squid_ldap_auth can resolve via dns the ldap host?

squid_ldap_auth can resolve the LDAP server's IP address using DNS. But
it can not look up SRV records to find the name of the LDAP Servers.

> -  ¿squid_ldap_auth support multiple ldap servers?

Yes. You can list any number of LDAP servers, and it will automatically
fail over to the next if the first fails. But there may be significant
delay depending on the nature of the failure of the first.

Regards
Henrik



[squid-users] squid + auth ldap

2010-06-16 Thread maximatt
hi...

i try to config squid to authenticate with two ldap servers... but i
have some issues so...

-  ¿squid_ldap_auth can resolve via dns the ldap host?
-  ¿squid_ldap_auth support multiple ldap servers?

thanks in advance...
--
Salu2 ;)


Re: [squid-users] squid + auth ldap

2010-06-16 Thread Felipe Augusto van de Wiel

On 16-06-2010 14:44, maximatt wrote:
> i try to config squid to authenticate with two ldap servers... but i
> have some issues so...

You can find one example in the wiki ConfigExamples:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/MultipleSources


> -  ¿squid_ldap_auth can resolve via dns the ldap host?

That's an interesting question.


> -  ¿squid_ldap_auth support multiple ldap servers?

I don't think so.

At our company, we recently had a request to add
AD as a source of user+passwd to a configuration that was
authenticating against OpenLDAP.

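Instead of using the above example, we hacked a
shell script that does something similar without the
need of an external_acl, it is not elegant and it can
quickly overload your server, but it can work:

# Squid sends one "username password" line per request on stdin and
# reads one OK/ERR reply line from the helper.
# Stop at EOF instead of looping forever once Squid closes the pipe.
while IFS= read -r TOKEN; do
    U=${TOKEN%% *}    # text before the first space: username
    P=${TOKEN#* }     # text after the first space: password

    # $somecondition stands for the routing test (not shown in the post)
    if $somecondition; then
        # The helper substitutes %s in the filter with the login name
        printf '%s\n' "$TOKEN" | /usr/lib/squid3/squid_ldap_auth -v 3 \
            -b dc=base,dc=example,dc=org \
            -D cn=squid-connector,dc=base,dc=example,dc=org \
            -w passwordA \
            -f '(&(uid=%s)(proxyAccess=TRUE))' serverA
    else
        printf '%s\n' "$TOKEN" | /usr/lib/squid3/squid_ldap_auth -v 3 -R \
            -b dc=base,dc=example,dc=net \
            -D cn=squid-connector,dc=base,dc=example,dc=net \
            -w passwordB \
            -f 'sAMAccountName=%s' serverB
    fi
done


This script is working nicely. :)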

You could easily adapt it to query servers in
order, try 1, if it fails, try 2 and so on.

Kind regards,
-- 
Felipe Augusto van de Wiel felipe.w...@hpp.org.br
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/T: +55 41 3310 1747
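
Added example, not part of the post above and not Squid's own code: one way to do the "try 1, if it fails, try 2" adaptation as a basic-auth helper that answers every request with exactly one OK or ERR line. The two stub_* functions are constructed stand-ins for the squid_ldap_auth command lines in the post; try_backends and serve are hypothetical names.

```shell
#!/bin/sh
# Ordered-fallback basic-auth helper (added example; names are hypothetical).
# Squid writes "username password" per request and reads back OK or ERR.

# Constructed stand-ins for the two squid_ldap_auth command lines in the post.
# Each reads one request line on stdin and answers OK or ERR, like the helper.
stub_openldap() {
    IFS= read -r line
    case $line in "alice s3cret") echo OK ;; *) echo ERR ;; esac
}
stub_ad() {
    IFS= read -r line
    case $line in "bob hunter2") echo OK ;; *) echo ERR ;; esac
}

# try_backends TOKEN BACKEND...
# Prints exactly one reply line; a second line would desynchronise Squid's
# request/reply pairing for every later login on this helper.
try_backends() {
    token=$1
    shift
    user=${token%% *}
    # Reject a missing user or an empty password locally, so no directory
    # ever receives a bind with an empty password.
    case $token in
        ?*" "?*) ;;
        *) echo ERR; return 0 ;;
    esac
    for backend in "$@"; do
        # One request in, first reply line out; backend stderr is discarded.
        reply=$(printf '%s\n' "$token" | "$backend" 2>/dev/null | head -n 1)
        case $reply in
            OK*)
                # Record which directory accepted the login, never the password.
                echo "auth accepted: user=$user backend=$backend" >&2
                echo OK
                return 0
                ;;
        esac
    done
    # Every backend said ERR or gave no answer. A wrong password has now been
    # presented to each directory, so each one counts a failed bind.
    echo "auth rejected: user=$user" >&2
    echo ERR
}

# serve BACKEND... : helper main loop; ends at EOF when Squid closes the pipe.
serve() {
    while IFS= read -r TOKEN; do
        try_backends "$TOKEN" "$@"
    done
}

# Run as a helper only when asked to, e.g.: sh helper.sh --serve
if [ "${1:-}" = "--serve" ]; then
    serve stub_openldap stub_ad
fi
```

In a real deployment each backend function would wrap one squid_ldap_auth invocation; the order of the arguments to serve is the order in which the directories are tried.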


Re: [squid-users] squid + auth ldap

2010-06-16 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Wed, Jun 16, 2010 at 1:14 PM, maximatt aza...@gmail.com wrote:
> hi...
>
> i try to config squid to authenticate with two ldap servers... but i
> have some issues so...
>
> -  ¿squid_ldap_auth can resolve via dns the ldap host?

Yes.

> -  ¿squid_ldap_auth support multiple ldap servers?

I don't think so.  Any particular reason for this?


> thanks in advance...
> --
> Salu2 ;)

Salutwo? :P maybe: Saludos.

I hope this helps,

Ildefonso Camarg


[squid-users] squid + dansguardian + ldap auth

2010-02-05 Thread Bruno Ricardo Santos

Hi all !! 

I have a configuration with squid + dansguardian + transparent proxy and 
everything is working fine ! 

I'm trying to replicate the same, but no transparent proxy and instead 
authentication with LDAP. 

The authentication is working fine, and both squid and dansguardian are 
working, but not together... 

the configuration seems ok, but i can't get dansguardian and squid to get along 
with authentication... 

both are on the same machine. If i configure the browser to the squid port, it 
works like a charm... 

If i configure the browser with the dansguardian port (that should forward the 
request to squid) i get : 

DansGuardian - 400 Bad Request 

The requested URL is malformed 



Anyone has an idea ? or dansguardian and squid don't get along unless squid is 
configured as a transparent proxy ? 

Cheers, 

Bruno Santos 
---
This message and attached files are confidential and intended solely for the
knowledge and use of the person(s) or entity(ies) to whom they were
addressed.
It is up to the recipient to check for viruses or errors, since the
information contained may be intercepted and/or modified.
If you received this e-mail by mistake, or had access to it without being the
recipient, please inform your systems administrator immediately
and delete it without using, disclosing or reproducing it.

Protect the environment. Before printing this e-mail, check whether you really
need to.



Re: [squid-users] Squid auto-ldap (AD) authentication

2009-12-04 Thread Amos Jeffries

Michael Mansour wrote:

> Hi,
>
> I've gone through the instructions here:
>
> http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory
>
> which allowed me to setup Windows AD authentication from a Squid
> proxy running on Linux.
>
> Works fine, but what I want to do is not have to have people be
> prompted for a username and password from within their browser (and
> then have Squid authenticate that against AD).
>
> That is, can Squid figure out the username and password from the
> machine setup to access the proxy, and auto-authenticate that
> username and password with AD, and if successful allow them use of
> the proxy?

Let's get this clear:

  You want Squid to hack its way into the connecting user's private
machine, unlock their security settings, pull out whatever ones apply to
the proxy, and do it without alerting the user about what's happening?


Note; people will only be made aware of the login request if the browser 
does not know what credentials to send to a challenging proxy.


This happens when:
 a) the browser has no knowledge of the login to be sent the challenger
 b) a previous set of credentials the browser had on record and sent 
have failed.
 c) the browser has a secure credentials storage, which has not been 
unlocked by the user. causing (a) as a side-effect.





> Note that the way this is setup currently:
>
> * users don't have internet access unless they go through Squid
>
> * Windows AD holds accounts and groups
>
> * groups exist for full internet access, limited internet access,
> blocked sites
>
> * Squid uses the LDAP helper to query the username and group to
> determine what access the user has to the internet
>
> * Squid prompts for a username and password
>
> * ACL's determine what regex files to query for allowed sites,
> blocked sites etc
>
> What I need to do is try and avoid the Squid login/password window
> and just allow the Windows login people use to login to Windows (and
> their AD accounts) for Squid to auto-authenticate.
>
> Can this be done? if so, any URL's or how-to's anyone knows about?



What you want is not possible with regular authentication.

There are two security concepts here that you need to be clear on:

  authorization - the information that source X is allowed/denied to 
connect to destination Y


 authentication - the information that source X really is source X.

The Squid ACL and access controls perform the _authorization_ part of 
the setup.


The authentication challenge-response as it is called is fundamental 
to how secure authentication works. Authentication credentials are just 
one set of details Squid uses to make decisions.



 When the browser is explicitly configured (manually or via WPAD/PAC) 
with proxy settings most of them have the capability of responding with 
either pre-configured login or secure encrypted token which the proxy 
can check against some third-party backend. This hides the fact of 
challenge from the user initially but if that fails a re-challenge 
causes things like the visible popups.



What you are asking is to find out who the user is in a situation where 
the browser has sent no such username/password or token. And you do not 
want Squid to challenge for them. This places major restraints on what 
can be done.


The only thing left is something called side-band _authorization_. Where 
details from the request (IP is the most commonly abused) are sent to 
some third-party source in hopes that it will be able to identify the 
user. It's done by external_acl_type if the regular ACL are not enough.


But consider carefully before you replace security;
 what is going to happen if the side-band fails?
 how certain are you that the details chosen for detection are reliable?
 what happens when two people send the same details? at once? one after 
the other?

 is it worth the risk?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15


[squid-users] Squid auto-ldap (AD) authentication

2009-12-03 Thread Michael Mansour
Hi,

I've gone through the instructions here:

http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory

which allowed me to setup Windows AD authentication from a Squid proxy running 
on Linux.

Works fine, but what I want to do is not have to have people be prompted for a 
username and password from within their browser (and then have Squid 
authenticate that against AD).

That is, can Squid figure out the username and password from the machine setup 
to access the proxy, and auto-authenticate that username and password with AD, 
and if successful allow them use of the proxy?

Note that the way this is setup currently:

* users don't have internet access unless they go through Squid

* Windows AD holds accounts and groups

* groups exist for full internet access, limited internet access, blocked 
sites

* Squid uses the LDAP helper to query the username and group to determine what 
access the user has to the internet

* Squid prompts for a username and password

* ACL's determine what regex files to query for allowed sites, blocked sites etc

What I need to do is try and avoid the Squid login/password window and just 
allow the Windows login people use to login to Windows (and their AD accounts) 
for Squid to auto-authenticate.

Can this be done? if so, any URL's or how-to's anyone knows about?

Thanks.

Michael.


  


[squid-users] Squid with LDAP server failover

2009-11-11 Thread Cowking

Dear All,

I am now using a squid proxy server which uses ldap ( Windows Server 2003
Active Directory ) as authentication. I have used the squid module
squid_ldap_group to achieve this. The following line shows the
configuration:

external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -b
dc=example,dc=com -D cn=ldap,cn=users,dc=example,dc=com -h example.com
-w password -f
(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=group,dc=example,dc=com))
-R

I define the AD with example.com rather than IP address. When I terminate
the network connection of the first AD server, the proxy clients cannot
authenticate by using LDAP. It seems that the proxy clients didn't know how
to authenticate with the second AD server.

Would you provide some information if squid supports this function?

Any help would be greatly appreciated.

Thanks and Regards,
Cowking 

-- 
View this message in context: 
http://old.nabble.com/Squid-with-LDAP-server-failover-tp26312618p26312618.html
Sent from the Squid - Users mailing list archive at Nabble.com.



Re: [squid-users] Squid with LDAP server failover

2009-11-11 Thread Guido Marino Lorenzutti

To do this... i don't use squid_ldap_group.
I don't have a AD, but I have an ldap domain and I use the unix_group  
and I configure the pam_ldap to use more than one ldap server... and  
it works just fine.









Re: [squid-users] Squid with LDAP server failover

2009-11-11 Thread Cowking

Because most of user accounts are located in AD, I really want to know
whether the modules squid_ldap_auth and squid_ldap_group support
failover. Thanks for your reply, Guido.

Best Regards,
Cowking



 
 
 
 

-- 
View this message in context: 
http://old.nabble.com/Squid-with-LDAP-server-failover-tp26312618p26313332.html
Sent from the Squid - Users mailing list archive at Nabble.com.



Re: [squid-users] Squid + AD (LDAP)

2008-06-14 Thread Henrik Nordstrom
On Fri, 2008-06-13 at 18:09 -0700, Alexandre augusto wrote:
> Hi All,
>
> I was wrong when I said that my authentication was working in my last email...
>
> I'm trying to get Squid working with MS AD
>
> So this is my squid.conf entry about LDAP auth:
>
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b
> CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br -D
> CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br -w /usr/local/squid/etc/file -f
> (objectclass=*) -h ldap_server_ip:port
>
> Using this configuration with Ldapbrowser tool (Softerra), I can search my
> entire LDAP tree without problems.
>
> my search base is:
>
> CN=user_admin,OU=Usuarios,OU=ABC,DC=abc,DC=com,DC=br

Are you really really sure? That looks very much like the user_admin
object, not the OU (or any upper level) where all your users are found..

> user_admin is Domain Admin of AD ( maybe necessary to bind on it ???)

That's what -D does.

> But Squid just gives me an old TCP_DENIED entry in the log files:
>
> 1213403347.792 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.gm.com/ user_admin NONE/- text/html
>
> 1213405393.479 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.squid-cache.org/ user_admin NONE/- text/html

Anything in cache.log?

You might need TLS/SSL for this to work. AD is often configured in such
manner that plaintext authentication (simple bind without encryption) is
not allowed.

Regards
Henrik




Re: [squid-users] Squid + AD (LDAP)

2008-06-14 Thread Alexandre augusto
Hi Henrik,

You are correct.
my search base is DC=abc,DC=com,DC=br


I have nothing related to LDAP in cache.log

I'm looking for some documentation and found many guys using Squid + Samba
(winbind) with libnss_winbind.so and libnss_winbind.so.2 authenticating on AD
(win 2003).

Is that the way to take?

thank you

Alexandre



[squid-users] Squid + AD (LDAP)

2008-06-13 Thread Alexandre augusto
Hi All,

I was wrong when I said that my authentication was working in my last email...

I'm trying to get Squid working with MS AD

So this is my squid.conf entry about LDAP auth:

auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b 
CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br -D 
CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br -w /usr/local/squid/etc/file -f 
(objectclass=*) -h ldap_server_ip:port

Using this configuration with Ldapbrowser tool (Softerra), I can search my 
entire LDAP tree without problems.

my search base is:

CN=user_admin,OU=Usuarios,OU=ABC,DC=abc,DC=com,DC=br

user_admin is Domain Admin of AD ( maybe necessary to bind on it ???)

But Squid just gives me an old TCP_DENIED entry in the log files:

1213403347.792 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.gm.com/ user_admin NONE/- text/html

1213405393.479 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.squid-cache.org/ user_admin NONE/- text/html

Can anyone help me?

Thanks in advance

Alexandre
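
The two access.log lines in the post above carry a user name (user_admin) next to TCP_DENIED/407, so the browser did send credentials and the proxy still answered with a challenge. The following is an added example, not part of the thread: a Python triage of native-format access.log lines that separates plain challenges from rejected credentials. The first two sample lines come from the post, the others are constructed, and all function names are illustrative.

```python
"""Added example: triage Squid TCP_DENIED/407 lines (native access.log format)."""
from collections import Counter
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    ts: float
    client: str
    result: str            # Squid result code, e.g. TCP_DENIED
    status: int            # HTTP status sent to the client
    method: str
    url: str
    user: Optional[str]    # None when the log field is "-"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None if it does not fit."""
    f = line.split()
    # time elapsed client code/status bytes method URL user hier/peer type
    if len(f) < 10 or "/" not in f[3]:
        return None
    result, _, status = f[3].partition("/")
    try:
        return Entry(float(f[0]), f[2], result, int(status), f[5], f[6],
                     None if f[7] == "-" else f[7])
    except ValueError:
        return None


def triage(text: str) -> dict:
    """Split 407 responses into challenges and rejected credentials."""
    challenges = 0                 # 407 with no user: first leg of Basic auth
    rejected = Counter()           # (client, user) -> 407s despite credentials
    authenticated = set()          # users seen on any non-407 line
    skipped = 0                    # lines that are not native-format entries
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
        elif entry.status == 407 and entry.user is None:
            challenges += 1
        elif entry.status == 407:
            rejected[(entry.client, entry.user)] += 1
        elif entry.user is not None:
            authenticated.add(entry.user)
    # Users that were only ever rejected: look at the helper and its LDAP
    # settings (cache.log) before suspecting a mistyped password.
    never_ok = sorted({user for _, user in rejected} - authenticated)
    return {"challenges": challenges, "rejected": rejected,
            "never_authenticated": never_ok, "skipped": skipped}


# Lines 1-2 are quoted from the post; lines 3-6 are constructed for the example.
SAMPLE = """\
1213403347.792 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.gm.com/ user_admin NONE/- text/html
1213405393.479 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.squid-cache.org/ user_admin NONE/- text/html
1213405400.101 2 192.168.10.7 TCP_DENIED/407 2690 GET http://example.org/ - NONE/- text/html
1213405400.350 120 192.168.10.7 TCP_MISS/200 5120 GET http://example.org/ alice DIRECT/192.0.2.10 text/html
1213405460.002 9 192.168.10.9 TCP_DENIED/407 2706 GET http://example.org/ alice NONE/- text/html
not a log line
"""

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("challenges:", report["challenges"])
    for (client, user), count in report["rejected"].most_common():
        print(f"rejected: {user} from {client} x{count}")
    print("never authenticated:", report["never_authenticated"])
```

A high rejected count for one client across many user names is also worth a look from a monitoring point of view.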




[squid-users] Squid - Domino LDAP Auth (and a little Websphere SSO)

2007-11-29 Thread Chris Mitchell


Greetings,

Have a bit of a problem trying to get Squid authentication working against 
a Lotus Domino LDAP directory. The actual authentication part is OK, if I 
want everyone in my Domino directory to have access through Squid it is 
not a problem, the real issue arises when I try to filter it based on 
group membership.


I have been through all the past mailing list articles in regards to this 
topic, and I've tried a whole bunch of different things, and I'm not 
having any luck (my LDAP skills are weak)


Taking a step back, what I'm actually trying to achieve here is single 
sign on between IBM Websphere Portal 6.0 and Squid (2.5.STABLE3), so that 
after my users sign on to Portal, they are not prompted for their internet 
password when they try to visit external sites linked from the portal. 
Websphere is already using the Domino LDAP for user authentication, so I 
figured that getting the 2 apps authenticating from the same place is a 
good start.


Please find below the relevant pieces of my current squid.conf, if anyone 
could shed any light as to what I'm doing incorrectly here, it would be 
greatly appreciated.



--

#  TAG: auth_param

auth_param basic program /usr/lib/squid/squid_ldap_auth -b  -f uid=%s 
xx.xx.xx.xx

--
#  TAG: external_acl_type

external_acl_type inetusers %LOGIN /usr/lib/squid/squid_ldap_group -b  
-f ((cn=%g)(objectClass=groupOfNames)(member=%u)) -F 
((uid=%s)(objectClass=Person)) xx.xx.xx.xx

--
#  TAG: acl

acl ldap_password proxy_auth required
acl inet_users external inetusers ProxyUsers
--
#  TAG: http_access

http_access allow inet_users
http_access allow localhost
http_access deny all
--

I hope that this is enough information to show what it is that I am doing, 
I'm pretty sure those are all the relevant bits. Note that without the 
external ACL, the authentication works perfectly. I would like to restrict 
access to members of the LDAP group ProxyUsers.


I look forward to any assistance.

Regards,

Chris Mitchell
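
squid_ldap_group builds its search filter by substituting the user and the group into the -f template, and a template that lists several terms needs a leading `&` (or `|`) to be a valid LDAP filter. The following is an added example, not part of the thread and not the helper's own code: it expands a template with the helper's documented placeholders (%u or %v for the user or user DN, %g or %a for the group), escapes the values per RFC 4515, and runs a simplified structural check on the result. The DN and group values are constructed.

```python
"""Added example: expand a squid_ldap_group -f template and check the result."""


def escape_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand(template: str, user: str, group: str) -> str:
    """Substitute %u/%v (user or user DN) and %g/%a (group name)."""
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            code = template[i + 1]
            if code in "uv":
                out.append(escape_value(user))
            elif code in "ga":
                out.append(escape_value(group))
            else:
                out.append(ch + code)      # unknown code: keep it verbatim
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _parse(f: str, i: int) -> int:
    """Parse one filter at f[i]; return the index after it or raise ValueError."""
    if i >= len(f) or f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(f) and f[i] in "&|":        # (&(a=b)(c=d)) or (|(a=b)(c=d))
        i += 1
        count = 0
        while i < len(f) and f[i] == "(":
            i = _parse(f, i)
            count += 1
        if count == 0:
            raise ValueError("operator without terms")
    elif i < len(f) and f[i] == "!":       # (!(a=b))
        i = _parse(f, i + 1)
    else:                                  # single test such as (uid=jdoe)
        start = i
        while i < len(f) and f[i] not in "()":
            i += 1
        attr, sep, _ = f[start:i].partition("=")
        if not sep or not attr.rstrip("~<>:"):
            raise ValueError("not an attribute test: %r" % f[start:i])
    if i >= len(f) or f[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def is_valid_filter(f: str) -> bool:
    """Structural check only; it does not validate attribute names or values."""
    try:
        return _parse(f, 0) == len(f)
    except ValueError:
        return False


# The -f template as it appears in the archived post, and the same with '&'.
TEMPLATE_AS_ARCHIVED = "((cn=%g)(objectClass=groupOfNames)(member=%u))"
TEMPLATE_WITH_AND = "(&(cn=%g)(objectClass=groupOfNames)(member=%u))"
USER_DN = "CN=Jane Doe,O=Example"          # constructed sample value

if __name__ == "__main__":
    for template in (TEMPLATE_AS_ARCHIVED, TEMPLATE_WITH_AND):
        expanded = expand(template, USER_DN, "ProxyUsers")
        print(is_valid_filter(expanded), expanded)
    # A group name with parentheses stays one term once it is escaped.
    print(expand("(cn=%a)", USER_DN, "Proxy Users (HQ)"))
```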




Re: [squid-users] Squid - Domino LDAP Auth (and a little Websphere SSO)

2007-11-29 Thread Amos Jeffries


> Taking a step back, what I'm actually trying to achieve here is single
> sign on between IBM Websphere Portal 6.0 and Squid (2.5.STABLE3), so that

Step 1) upgrade your squid to latest release. 2.5 is way obsolete.








Re: [squid-users] Squid - Domino LDAP Auth (and a little Websphere SSO)

2007-11-29 Thread Chris Mitchell


Happy to do it if it'll make this exercise easier, any particular reason 
why ?


Regards,

Chris Mitchell








Re: [squid-users] Squid - Domino LDAP Auth (and a little Websphere SSO)

2007-11-29 Thread Amos Jeffries

> Happy to do it if it'll make this exercise easier, any particular reason
> why ?

I already mentioned 2.5 being obsolete. Support, Security, Speed,
Stability, Simplicity for a few more.

 - Most of the people you will find providing support do so for 2.6/3.0 now.

 - There are large known security holes in 2.5 and early 2.6's.

 - There has been a lot more work done on bugfixing, speed, memory, and
disk usage optimisations across the 2.6 lifecycle.

 - The 2.6 has also had a fair bit of work done making the squid.conf more
usable. And the official config examples are now only provided in
2.6/3.0. Though it's not entirely there yet.

Making the later 2.6 squid a better proposition than 2.5.


Amos













[squid-users] Squid+Solaris10+LDAP helpers --- make all problem

2007-05-31 Thread Fabio Scardellato

Hi
I have a blocking problem with the combination in the subject.
I need to run Squid in a Solaris 10 zone with basic auth on ldap dir. server.
Actually my platform is sun fire x2200 (Amd 64) and Solaris 10 11/06
with the last patch cluster just applied.

I just installed from the official solaris packages openldap-lib, gcc,
gcc-runtime-libs, etc.
and the source of squid comes from the solaris companion cd (formally
squid-2.5.STABLE7)


My ./configure is

bash-3.00# ./configure --prefix=/opt/products/squidOK
--enable-storeio=null --enable-auth=basic
--enable-basic-auth-helpers=LDAP
--enable-external-acl-helpers=ldap_group

The output went OK, and then I ran

bash-3.00# make all

It works for some seconds and then exits with this output:

Making all in icons
Making all in errors
Making all in doc
Making all in helpers
Making all in basic_auth
Making all in LDAP
source='squid_ldap_auth.c' object='squid_ldap_auth.o' libtool=no \
depfile='.deps/squid_ldap_auth.Po' tmpdepfile='.deps/squid_ldap_auth.TPo' \
depmode=gcc3 /bin/sh ../../../cfgaux/depcomp \
gcc -DHAVE_CONFIG_H -I. -I. -I../../../include -I../../../include -g
-Wall -c `test -f squid_ldap_auth.c || echo './'`squid_ldap_auth.c
squid_ldap_auth.c: In function `open_ldap_connection':
squid_ldap_auth.c:248: error: `LDAP_OPT_SUCCESS' undeclared (first use
in this function)
squid_ldap_auth.c:248: error: (Each undeclared identifier is reported only once
squid_ldap_auth.c:248: error: for each function it appears in.)
squid_ldap_auth.c:253: warning: implicit declaration of function
`ldap_start_tls_s'
*** Error code 1
make: Fatal error: Command failed for target `squid_ldap_auth.o'
Current working directory /opt/sfw/src/squid-2.5.STABLE7/helpers/basic_auth/LDAP
*** Error code 1
The following command caused the error:
set fnord ; amf=$2; \
dot_seen=no; \
target=`echo all-recursive | sed s/-recursive//`; \
list='LDAP'; for subdir in $list; do \
echo Making $target in $subdir; \
if test $subdir = .; then \
dot_seen=yes; \
local_target=$target-am; \
else \
local_target=$target; \
fi; \
(cd $subdir && make $local_target) \
|| case $amf in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
done; \
if test $dot_seen = no; then \
make $target-am || exit 1; \
fi; test -z $fail
make: Fatal error: Command failed for target `all-recursive'
Current working directory /opt/sfw/src/squid-2.5.STABLE7/helpers/basic_auth
*** Error code 1
The following command caused the error:
set fnord ; amf=$2; \
dot_seen=no; \
target=`echo all-recursive | sed s/-recursive//`; \
list='basic_auth ntlm_auth digest_auth external_acl'; for subdir in $list; do \
echo Making $target in $subdir; \
if test $subdir = .; then \
dot_seen=yes; \
local_target=$target-am; \
else \
local_target=$target; \
fi; \
(cd $subdir && make $local_target) \
|| case $amf in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
done; \
if test $dot_seen = no; then \
make $target-am || exit 1; \
fi; test -z $fail
make: Fatal error: Command failed for target `all-recursive'
Current working directory /opt/sfw/src/squid-2.5.STABLE7/helpers
*** Error code 1
The following command caused the error:
set fnord ; amf=$2; \
dot_seen=no; \
target=`echo all-recursive | sed s/-recursive//`; \
list='lib scripts src icons errors doc helpers'; for subdir in $list; do \
echo Making $target in $subdir; \
if test $subdir = .; then \
dot_seen=yes; \
local_target=$target-am; \
else \
local_target=$target; \
fi; \
(cd $subdir && make $local_target) \
|| case $amf in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
done; \
if test $dot_seen = no; then \
make $target-am || exit 1; \
fi; test -z $fail
make: Fatal error: Command failed for target `all-recursive'
bash-3.00#

Any Idea??

Many thanks for any useful suggestion.

Fabio


Re: [squid-users] Squid+Solaris10+LDAP helpers --- make all problem

2007-05-31 Thread Amos Jeffries

Fabio Scardellato wrote:

> Hi
> I have a blocking problem with the combination in the subject.
> I need to run Squid in a Solaris 10 zone with basic auth on ldap dir.
> server.
>
> Actually my platform is sun fire x2200 (Amd 64) and Solaris 10 11/06
> with the last patch cluster just applied.
>
> I just installed from the official solaris packages openldap-lib, gcc,
> gcc-runtime-libs, etc.
> and the source of squid comes from the solaris companion cd (formally
> squid-2.5.STABLE7)

<snip build errors>

> Any Idea??
>
> Many thanks for any useful suggestion.
>
> Fabio


The dev team no longer supports anything beyond security bugs in 2.5.
Since you are building from source you are in a good place to grab one 
of the currently supported squid versions (2.6 or 3.0). We are more than 
happy to assist with build errors in those, for any OS.


Amos


Re: [squid-users] Squid Authentication + ldap/samba

2007-05-11 Thread Henrik Nordstrom
On Fri 2007-05-11 at 11:30 +0100, Duarte Lázaro wrote:

> But in NTLM I cannot (I think) restrict a user by an attribute, if
> the user gets authenticated he has net.

You can. But it's two different things. Don't mix up authentication and
authorization.

The purpose of authentication is solely to verify the identity of the
user. You then use this identity in authorization to grant or deny
access.

authentication is done by auth_param settings, and triggered by acls
based on the user name.

authorization is done by http_access, by using acls matching users and
what they are allowed to do.


> Basic/Digest (squid_ldap_auth/group) are more flexible, because you can
> use a filter and restrict by attribute. The problem is that browsers are
> always prompting for password although the password can be stored.

You can still use squid_ldap_group with NTLM if you run a Windows Active
Directory.

Digest is a bit troublesome in that you can not use a user directory
backend, and must have a local digest password file on the proxy.

Regards
Henrik




[squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Duarte Lázaro

Hi there

I'm trying to set up squid with authentication, but I would need it 
asking the user the credentials.


Already set up squid_ldap_auth but a login prompt comes, every time.

Trying now with squid_ldap_group, but still nothing. From the Unix 
prompt I can authenticate a user with some filter. Here is some info:


Squid.conf
---
external_acl_type InetGroup %LOGIN 
/usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3


acl InetAccess external InetGroup 513
http_access allow InetAccess
---
Ldap info
---
ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte)

result :
# duarte, Users, pnp.com
dn: uid=duarte,ou=Users,dc=pnp,dc=com
objectClass: top
objectClass: person
...

sn: duarte
givenName: duarte
uid: duarte
uidNumber: 1002
gidNumber: 513
...

# numResponses: 2
# numEntries: 1
--
From the prompt on Unix :
/usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
((uid=%u)(gidNumber=%g)) -v 3

duarte 513
OK


So my question is: why is the browser not authenticating with squid?

Thanks in advance.








Re: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Sergey A. Kobzar
Hello Duarte,

If you want to authenticate users from LDAP only, this configuration is
enough:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b 
ou=People,dc=test,dc=com ldap.test.com
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
[skipped]
acl ldap_users proxy_auth REQUIRED
[skipped]
http_access allow ldap_users



-- 
Best regards,
 Sergey  mailto:[EMAIL PROTECTED]



Re: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Duarte Lázaro


Hi,

What I really want is to authenticate on ldap, but without the browser showing 
a pop-up.

Is it possible? samba (maybe ntlm?)

What does the [skipped] do?




Re[2]: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Sergey A. Kobzar
Hello Duarte,

Thursday, May 10, 2007, 2:09:05 PM, you wrote:

> Hi,
>
> What I really want is to authenticate on ldap, but without the browser
> showing a pop-up.
> Is it possible? samba (maybe ntlm?)

I gave you a working configuration. I just forgot about the -v 3 option. :)

> What does the [skipped] do?

Line from standard Squid's config.

Show
tail -f /path/to/squid.conf
tail -f /path/to/slapd.conf

?

> thanks




-- 
Best regards,
 Sergey  mailto:[EMAIL PROTECTED]



Re: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Duarte Lázaro

Ok, I think I'm not explaining so well.

I already have squid authentication; what I need is that the browser 
does not show the prompt and just gets the credentials without prompting the 
user. For example, my user is part of a domain, so it would get the user from 
the computer and the user would not have the need to type it. Is there 
any way?






Re[2]: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Sergey A. Kobzar
Hello Duarte,

Many browsers have an option to save username and passwd ;)


-- 
Best regards,
 Sergeymailto:[EMAIL PROTECTED]



Re: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Duarte Lázaro

Hi, Sergey

I know that, but for example in IE or Firefox the prompt still opens, 
although the password is saved. My question is if there is some way that 
the prompt (although the password is saved) is not shown.

Anyway, thanks for the tips.

Sergey A. Kobzar wrote:

> Hello Duarte,
>
> Many browsers have option to save username and passwd ;)
>
> Thursday, May 10, 2007, 2:30:40 PM, you wrote:
>
>> Ok, I think I'm not explaining so well.
>>
>> I already have squid authentication; what I need is that the browser 
>> does not show the prompt, just get the credentials without prompting the
>> user. For example my user is part of a domain, so they get the user from
>> the computer and the user would not have the need to type it. Is there
>> any way?
>>
>> Sergey A. Kobzar wrote:
>>> Hello Duarte,
>>>
>>> Thursday, May 10, 2007, 2:09:05 PM, you wrote:
>>>
>>>> Hi,
>>>>
>>>> I really want to authenticate on ldap, but the browser not to show
>>>> a pop-up,
>>>> is it possible? samba (maybe ntlm?)
>>>
>>> I gave you working configuration. Just forgot about -v 3 option. :)
>>>
>>>> what does the [skipped] do?
>>>
>>> Line from standard Squid's config.
>>>
>>> Show
>>> tail -f /path/to/squid.conf
>>> tail -f /path/to/slapd.conf
>>>
>>> ?
>>>
>>>> thanks
>>>>
>>>> Sergey A. Kobzar wrote:
>>>>> Hello Duarte,
>>>>>
>>>>> If you want authenticate users from LDAP only, this configuration is
>>>>> enough:
>>>>>
>>>>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b ou=People,dc=test,dc=com ldap.test.com
>>>>> auth_param basic children 5
>>>>> auth_param basic realm Squid proxy-caching web server
>>>>> [skipped]
>>>>> acl ldap_users proxy_auth REQUIRED
>>>>> [skipped]
>>>>> http_access allow ldap_users
>>>>>
>>>>> Thursday, May 10, 2007, 1:17:34 PM, you wrote:
>>>>>
>>>>>> Hi there
>>>>>>
>>>>>> I'm trying to set up squid with authentication, but I would need it 
>>>>>> asking the user the credentials.
>>>>>>
>>>>>> Already set up a squid_ldap_auth but a login prompt comes, every time.
>>>>>>
>>>>>> Trying now with squid_ldap_group, but still nothing; from the Unix 
>>>>>> prompt I can authenticate a user with some filter. Here is some info:
>>>>>>
>>>>>> Squid.conf
>>>>>> ---
>>>>>> external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f (&(uid=%u)(gidNumber=%g)(homePhone=1)) -v 3
>>>>>>
>>>>>> acl InetAccess external InetGroup 513
>>>>>> http_access allow InetAccess
>>>>>> ---
>>>>>> Ldap info
>>>>>> -
>>>>>> ldapsearch -vLx -b dc=pnp,dc=com "(uid=duarte)"
>>>>>>
>>>>>> result :
>>>>>> # duarte, Users, pnp.com
>>>>>> dn: uid=duarte,ou=Users,dc=pnp,dc=com
>>>>>> objectClass: top
>>>>>> objectClass: person
>>>>>> ...
>>>>>> sn: duarte
>>>>>> givenName: duarte
>>>>>> uid: duarte
>>>>>> uidNumber: 1002
>>>>>> gidNumber: 513
>>>>>> ...
>>>>>> # numResponses: 2
>>>>>> # numEntries: 1
>>>>>> --
>>>>>> From the prompt on Unix :
>>>>>> /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f "(&(uid=%u)(gidNumber=%g))" -v 3
>>>>>>
>>>>>> duarte 513
>>>>>> OK
>>>>>>
>>>>>> So my question is: why is the browser not authenticating with squid?
>>>>>>
>>>>>> Thanks in advance.

Re: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Felipe Augusto van de Wiel

On 05/10/2007 08:44 AM, Duarte Lázaro wrote:
> Hi, Sergey
>
> I know that, but for example in IE or Firefox the prompt 
> still opens, although the password is saved. My question
> is if there is some way that the prompt (although the
> password is saved) is not shown.

Yes, there is. A single sign-on solution, like
Kerberos, *but*, not sure about how squid will integrate
that, AFAIK thru ntlm auth.

Searching for Single Sign-On (also known as SSO)
you will find some good information and posts on the mail
list about the subject. Good luck and don't forget to
add more information on this thread if you find something
interesting. :-)

Kind regards,
--
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)


Re: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Henrik Nordstrom
Thu 2007-05-10 at 12:09 +0100, Duarte Lázaro wrote:

> I really want to authenticate on ldap, but the browser not to show 
> a pop-up,
> is it possible? samba (maybe ntlm?)

This depends entirely on browser support and which scheme you are using.

Few if any browsers support fully saved proxy passwords when using the Basic
or Digest authentication schemes. Most ask the user once before sending
the password to the proxy.

Most browsers supporting NTLM authentication do this automatically on
Windows stations logged on to a domain, but using NTLM requires an NTLM
capable authentication backend such as Samba connected to the Windows
domain, LDAP can not be used.

But you can use LDAP to check group membership using squid_ldap_group
even if using NTLM via Samba for authentication.

Regards
Henrik




[squid-users] Squid and LDAP authentication

2007-01-12 Thread Hubert Asior
I have squid authenticating against an LDAP directory server, both running on
Redhat Enterprise AS 4.

I have installed chpasswd.cgi so that my users can change their own passwords.

The problem I have is that the chpasswd.conf file has an option password_file
which is where it expects to find the password to be changed. I do not know how
to configure chpasswd to change the LDAP password.

If anyone has solved this problem or knows of any other way I can achieve my
aim, please let me know since my users want to change the default passwords I
have assigned to them.

Thanks



Re: [squid-users] Squid and LDAP authentication

2007-01-12 Thread Henrik Nordstrom
Fri 2007-01-12 at 19:57 +, Hubert Asior wrote:

> The problem I have is that the chpasswd.conf file has an option password_file
> which is where it expects to find the password to be changed. I do not know how
> to configure chpasswd to change the LDAP password.

You need another password changing program, one designed for LDAP. If
you search a little you should find plenty.. It's not really related to
Squid, just web forms / cgi interfacing to LDAP.

chpasswd.cgi is designed for NCSA style password files alone.

Regards
Henrik




[squid-users] squid against ldap (again)

2006-10-20 Thread sara gonzalez

Hi,

I want to do the authentication without the authentication dialog. So to 
say, the authentication will be transparent for the user... is it possible???


Thx,

Sara





Re: [squid-users] squid against ldap (again)

2006-10-20 Thread Christoph Haas
On Friday 20 October 2006 09:39, sara gonzalez wrote:
> I want to do the authentication without the authentication dialog. So to
> say, the authentication will be transparent for the user... is it
> possible???

Transparent proxying and authentication don't go together with LDAP. It 
works with NTLM though. Or you use IDENT authentication (and think hard 
about the security it delivers).

 Christoph


Re: [squid-users] squid with ldap authentication

2006-05-08 Thread VAIBHAV NALDURGKAR

Hi,

After configuring squid with LDAP support it always pops up the user
name and password window for authentication, but if you configure
squid with NTLM support the authentication will be transparent to the
users.

Regards,

Vaibhav

On 5/2/06, Om [EMAIL PROTECTED] wrote:

> Hi Friends,
> Currently I am using IP address based acls to provide internet access to
> the users in my company.
> Recently we have installed LDAP-V 3.
> Now I would like to provide internet access based on the LDAP
> authentication.
> Can anybody suggest me how to go about it.
>
> Thanks,
> Om.



Re: [squid-users] squid with ldap authentication

2006-05-08 Thread Om

Hi Vaibhav,
Thanks for your mail.
If you have configured squid with LDAP authentication,
can you provide me any resources for that.

Thanks,
Omprakash,
Effigent India Pvt Ltd,
Hyderabad.

VAIBHAV NALDURGKAR wrote:

> Hi,
>
> After configuring squid with LDAP support it always pops up the user
> name and password window for authentication, but if you configure
> squid with NTLM support the authentication will be transparent to the
> users.
>
> Regards,
>
> Vaibhav
>
> On 5/2/06, Om [EMAIL PROTECTED] wrote:
>
>> Hi Friends,
>> Currently I am using IP address based acls to provide internet access to
>> the users in my company.
>> Recently we have installed LDAP-V 3.
>> Now I would like to provide internet access based on the LDAP
>> authentication.
>> Can anybody suggest me how to go about it.
>>
>> Thanks,
>> Om.

Re: [squid-users] squid with ldap authentication

2006-05-08 Thread Om

Thank you very much Yong,
I will try this and let you know the result.
Thanks for your support.

Thanks,
Om.

Yong Bong Fong wrote:

> Hi there,
>
> Here's how I configure my ldap-squid authentication:
>
> 1) Make sure you have squid_ldap_auth support for your squid
> 2) In squid.conf configure your auth_param as below:
>
> auth_param basic program /usr/lib/squid/squid_ldap_auth -b cn=root,dc=apple,dc=com -D uid=admin,cn=root,dc=apple,dc=com -w youradminpassword -f uid=%s -h your_ldap_host_ip
>
> Where cn=root,dc=apple,dc=com is your ldap base dn and
> uid=admin,cn=root,dc=apple,dc=com is one of your ldap created accounts
>
> 3) At your acl in squid.conf add a line:
>
> acl password proxy_auth REQUIRED
>
> 4) At your http_access section in squid.conf add this line:
>
> http_access allow password (add it before http_access deny all)
>
> Then restart your squid.
>
> Good luck,
>
> Om wrote:
>
>> Hi Vaibhav,
>> Thanks for your mail.
>> If you have configured squid with LDAP authentication,
>> can you provide me any resources for that.
>>
>> Thanks,
>> Omprakash,
>> Effigent India Pvt Ltd,
>> Hyderabad.
>>
>> VAIBHAV NALDURGKAR wrote:
>>
>>> Hi,
>>>
>>> After configuring squid with LDAP support it always pops up the user
>>> name and password window for authentication, but if you configure
>>> squid with NTLM support the authentication will be transparent to the
>>> users.
>>>
>>> Regards,
>>>
>>> Vaibhav
>>>
>>> On 5/2/06, Om [EMAIL PROTECTED] wrote:
>>>
>>>> Hi Friends,
>>>> Currently I am using IP address based acls to provide internet 
>>>> access to the users in my company.
>>>> Recently we have installed LDAP-V 3.
>>>> Now I would like to provide internet access based on the LDAP
>>>> authentication.
>>>> Can anybody suggest me how to go about it.
>>>>
>>>> Thanks,
>>>> Om.
>
> --
> Yong Bong Fong
> System Engineer
>
> MIS Department
> Shin Yang Group of Companies
> Email: [EMAIL PROTECTED]
> Tel: (60)085-656699 Ext 376
> Work diligently for the progress of our country

Re: [squid-users] squid with ldap authentication

2006-05-08 Thread VAIBHAV NALDURGKAR

Here we go




Squid Authentication over LDAP (ADS 2003)

Software:
1.  Squid Cache: Version 2.5.STABLE1
    Compiled with --enable-basic-auth-helpers=LDAP
2.  squid_ldap_auth (this program most of the time gets installed with
    the installation of squid)
3.  An installed Windows 2003 LDAP server

In order to get the LDAP authentication we need to have at least the
read privileges of a user to read the stuff from the LDAP server.  It
is also required to know the search filter for the LDAP server.
In order to get the LDAP authentication functioning, one needs to
update the auth_param parameter of the /etc/squid/squid.conf file.

/etc/squid/squid.conf
--
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b DC=xyz,DC=co,DC=in -D cn=binduserid,cn=users,dc=xyz,dc=co,dc=in -w password -f (&(|(objectCategory=group)(objectCategory=person))(&(sAMAccountName=%s))) -h 192.168.x.x
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

1. 192.168.x.x is the IP of the LDAP server and
2. (&(|(objectCategory=group)(objectCategory=person))(&(sAMAccountName=%s)))
   is the search filter

In case of any peer server one may use the cache_peer parameter to do the
forwarding. E.g., if the main proxy is proxy.xyz.co.in then
cache_peer would be

cache_peer proxy.xyz.co.in parent 80 3130 proxy-only

On 5/8/06, Om [EMAIL PROTECTED] wrote:

> Hi Vaibhav,
> Thanks for your mail.
> If you have configured squid with LDAP authentication,
> can you provide me any resources for that.
>
> Thanks,
> Omprakash,
> Effigent India Pvt Ltd,
> Hyderabad.
>
> VAIBHAV NALDURGKAR wrote:
>> Hi,
>>
>> After configuring squid with LDAP support it always pops up the user
>> name and password window for authentication, but if you configure
>> squid with NTLM support the authentication will be transparent to the
>> users.
>>
>> Regards,
>>
>> Vaibhav
>>
>> On 5/2/06, Om [EMAIL PROTECTED] wrote:
>>> Hi Friends,
>>> Currently I am using IP address based acls to provide internet access to
>>> the users in my company.
>>> Recently we have installed LDAP-V 3.
>>> Now I would like to provide internet access based on the LDAP
>>> authentication.
>>> Can anybody suggest me how to go about it.
>>>
>>> Thanks,
>>> Om.

Re: [squid-users] squid with ldap authentication

2006-05-05 Thread Henrik Nordstrom
Tue 2006-05-02 at 15:25 +0530, Om wrote:

> Hi Friends,
> Currently I am using IP address based acls to provide internet access to 
> the users in my company.
> Recently we have installed LDAP-V 3.
> Now I would like to provide internet access based on the LDAP 
> authentication.

See the squid_ldap_auth helper. Documentation included (man page).

Regards
Henrik




[squid-users] squid with ldap authentication

2006-05-02 Thread Om

Hi Friends,
Currently i am using ip address based acls to provide internet access to 
the users in my company.

Recently we have installed LDAP-V 3.
Now I would like to provide internet access based on the LDAP- 
authentication.

Can anybody suggest me how to go about it.

Thanks,
Om.


Re: [squid-users] squid with ldap authentication

2006-05-02 Thread Om

Thank you very much friend.
The URL which you have sent has very good information.
This Document doesn't have necessary information about configuring squid 
with LDAP.

Still it has information about acls with authentication

Thanks,
Om.

[EMAIL PROTECTED] wrote:

> http://www.comfsm.fm/computing/squid/FAQ-23.html
>
> Quoting Om [EMAIL PROTECTED]:
>
>> Hi Friends,
>> Currently I am using IP address based acls to provide internet access to 
>> the users in my company.
>>
>> Recently we have installed LDAP-V 3.
>> Now I would like to provide internet access based on the LDAP 
>> authentication.
>>
>> Can anybody suggest me how to go about it.
>>
>> Thanks,
>> Om.









  




[squid-users] Squid and LDAP authentication

2006-01-04 Thread Nolan Rumble
Hi,

I'm trying to get LDAP authentication working on my squid proxy.  Now
ideally I would like to only allow users in a certain group (namely,
cn=squid,ou=Group,dc=ph,dc=sun,dc=ac,dc=za which is a groupOfUniqueNames
(does this work or must I use an objectClass=posixGroup?)) to
authenticate and use the proxy.  How would I go about doing this?  I've
added the following lines to my squid.conf file:

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour
auth_param basic casesensitive off
auth_param basic program /usr/lib/squid/squid_ldap_auth -b ou=People,dc=ph,dc=sun,dc=ac,dc=za -f cn=squid -s sub fsk.ph.sun.ac.za

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -ZZ -b ou=Group,dc=ph,dc=sun,dc=ac,dc=za -f (&(objectclass=groupOfUniqueNames)(cn=%a)(uniqueMember=%v)) -B ou=People,dc=ph,dc=sun,dc=ac,dc=za -F uid=%s fsk.ph.sun.ac.za

acl password proxy_auth REQUIRED
acl password_group external ldap_group squid
http_access allow password_group

Any help would be appreciated!

Thanks
Nolan


Re: [squid-users] Squid and LDAP authentication

2006-01-04 Thread D E Radel

Step by step:
http://kb.papercutsoftware.com/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory

D.Radel.

- Original Message - 
From: Nolan Rumble [EMAIL PROTECTED]

To: squid-users@squid-cache.org
Sent: Wednesday, January 04, 2006 10:01 PM
Subject: [squid-users] Squid and LDAP authentication


Hi,

I'm trying to get LDAP authentication working on my squid proxy.  Now
ideally I would like to only allow users in a certain group (namely,
cn=squid,ou=Group,dc=ph,dc=sun,dc=ac,dc=za which is a groupOfUniqueNames
(does this work or must I use an objectClass=posixGroup?)) to
authenticate and use the proxy.  How would I go about doing this?  I've
added the following lines to my squid.conf file:

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour
auth_param basic casesensitive off
auth_param basic program /usr/lib/squid/squid_ldap_auth -b ou=People,dc=ph,dc=sun,dc=ac,dc=za -f cn=squid -s sub fsk.ph.sun.ac.za

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -ZZ -b ou=Group,dc=ph,dc=sun,dc=ac,dc=za -f (&(objectclass=groupOfUniqueNames)(cn=%a)(uniqueMember=%v)) -B ou=People,dc=ph,dc=sun,dc=ac,dc=za -F uid=%s fsk.ph.sun.ac.za

acl password proxy_auth REQUIRED
acl password_group external ldap_group squid
http_access allow password_group

Any help would be appreciated!

Thanks
Nolan 



Re: [squid-users] SQUID and LDAP.

2005-06-15 Thread Henrik Nordstrom

On Mon, 30 May 2005, Ángel Prieto wrote:

> Yeah, sure it's by typing them on my keyboard, but how do I say it logon with 
> a user.
>
> When I type i.e. user prueba1, it says ERR too.

/path/to_squid_ldap_auth arguments...
validusername validpassword
[OK]
validusername badpassword
[ERR]
badusername badpassword
[ERR]

If you do not get OK on a valid username & password then your 
configuration arguments are not correct for your LDAP directory. Most 
often the search filter is not suitable for finding the user object based 
on what you use as validusername.


Regards
Henrik
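
The helper test described in the message above, as an added example that is not part of the original thread: a small Python driver that feeds a basic-auth helper the same `user password` lines Squid would send and collects the OK/ERR verdicts. The stand-in helper, its account and its password are constructed so the script runs offline; `duarte` and `pprueba3` are user names borrowed from the thread.

```python
import subprocess
import sys
from urllib.parse import quote

# Constructed stand-in for squid_ldap_auth so the example runs offline; it
# speaks the same line protocol ("user password" in, "OK" or "ERR" out).
STAND_IN_HELPER = r'''
import sys
from urllib.parse import unquote
USERS = {"duarte": "correct horse"}   # constructed test account
for line in sys.stdin:
    user, _, password = line.rstrip("\r\n").partition(" ")
    if not user or not password:      # blank line, or a user name alone
        print("ERR", flush=True)
        continue
    good = USERS.get(unquote(user)) == unquote(password)
    print("OK" if good else "ERR", flush=True)
'''
STAND_IN_CMD = [sys.executable, "-c", STAND_IN_HELPER]


def encode_request(user, password):
    """Build one request line: Squid URL-escapes both fields and puts a
    single space between them, so a space inside a password is safe."""
    return f"{quote(user, safe='')} {quote(password, safe='')}\n"


def probe_helper(cmd, attempts, timeout=10):
    """Run the helper once, feed it every attempt, return its verdicts.

    attempts: (user, password) tuples, or plain strings that are sent
    verbatim to reproduce what was typed at the shell prompt.
    """
    lines = [a + "\n" if isinstance(a, str) else encode_request(*a)
             for a in attempts]
    proc = subprocess.run(cmd, input="".join(lines), capture_output=True,
                          text=True, timeout=timeout)
    replies = proc.stdout.splitlines()
    if len(replies) != len(lines):
        raise RuntimeError(f"{len(replies)} replies for {len(lines)} "
                           f"requests: {proc.stderr.strip()}")
    # Some helper versions append a reason after ERR; keep the verdict only.
    return [reply.split(" ", 1)[0] for reply in replies]


if __name__ == "__main__":
    # Pass the real helper and its arguments on the command line to test
    # it; without arguments the constructed stand-in is used.
    helper = sys.argv[1:] or STAND_IN_CMD
    attempts = [("duarte", "correct horse"),  # valid user, valid password
                ("duarte", "wrong"),          # valid user, bad password
                ("nobody", "wrong"),          # unknown user
                "",                           # blank line (only Enter pressed)
                "pprueba3"]                   # user name typed without password
    for attempt, verdict in zip(attempts, probe_helper(helper, attempts)):
        print(f"{attempt!r:32} -> {verdict}")
```

The last two attempts are the cases from the thread that produce ERR even when the helper arguments are right: an empty line and a user name with no password after it.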


[squid-users] squid + LDaemon (LDAP)

2005-06-02 Thread Hendro Susanto
Hi,
 
 is anybody using a combination of Squid and LDaemon for LDAP ? (www.altn.com)
 or any free LDAP on windows ?
 TIA
 
 -hendro-


Re: [squid-users] squid + LDaemon (LDAP)

2005-06-02 Thread Serassio Guido

Hi,

At 15.02 02/06/2005, Hendro Susanto wrote:

> Hi,
>
> is anybody using a combination of Squid and LDaemon for LDAP ? (www.altn.com)
> or any free LDAP on windows ?
> TIA

Like Active Directory ? :-)

You can use OpenLdap with Cygwin or native: 
http://lucas.bergmans.us/hacks/openldap/

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] SQUID and LDAP.

2005-05-30 Thread Henrik Nordstrom

Please keep discussion on the mailinglist.

On Mon, 30 May 2005, Ángel Prieto wrote:

> And how do I provide them

By typing them on your keyboard.

> Henrik Nordstrom wrote:
>
>> On Fri, 27 May 2005, Ángel Prieto wrote:
>>
>>> I get this now when I write:
>>> [EMAIL PROTECTED] ~]# /usr/lib/squid/squid_ldap_auth -R -b dc=prueba,dc=com -D cn=root,ou=People,dc=prueba,dc=com -w hello -f sAMAccountName=%s -h 10.0.21.100
>>>
>>> ERR
>>
>> This is normal. A blank line is not a valid login.
>>
>> After starting squid_ldap_auth you need to provide a loginname password as 
>> input.
>>
>> Regards
>> Henrik
>
> --
> Angel Prieto
> [EMAIL PROTECTED] SINERGIA TECNOLÓGICA
> C/ Almirante Churruca
> 30007 Murcia
> TEL.  968 270 624    Fax. 968 231 501
> www.sinergiatec.com
> __
>
> The information contained in this e-mail is CONFIDENTIAL and is for the 
> exclusive use of the addressee named above. If you read this message and are 
> not the intended addressee, or the employee or agent responsible for 
> delivering the message to the addressee, or have received this communication 
> in error, we inform you that any disclosure, distribution or reproduction of 
> this communication is strictly prohibited, and we ask that you notify us, 
> return the original message to us at the address given above and delete the 
> message. Thank you.
>
> __



Re: [squid-users] SQUID and LDAP.

2005-05-30 Thread Ángel Prieto
Yeah, sure it's by typing them on my keyboard, but how do I say it logon 
with a user.

When I type i.e. user prueba1, it says ERR too.

Henrik Nordstrom wrote:

> Please keep discussion on the mailinglist.
>
> On Mon, 30 May 2005, Ángel Prieto wrote:
>
>> And how do I provide them
>
> By typing them on your keyboard.
>
>> Henrik Nordstrom wrote:
>>
>>> On Fri, 27 May 2005, Ángel Prieto wrote:
>>>
>>>> I get this now when I write:
>>>> [EMAIL PROTECTED] ~]# /usr/lib/squid/squid_ldap_auth -R -b dc=prueba,dc=com -D cn=root,ou=People,dc=prueba,dc=com -w hello -f sAMAccountName=%s -h 10.0.21.100
>>>>
>>>> ERR
>>>
>>> This is normal. A blank line is not a valid login.
>>>
>>> After starting squid_ldap_auth you need to provide a loginname 
>>> password as input.
>>>
>>> Regards
>>> Henrik
>>
>> --
>> Angel Prieto
>> [EMAIL PROTECTED] SINERGIA TECNOLÓGICA
>> C/ Almirante Churruca
>> 30007 Murcia
>> TEL.  968 270 624    Fax. 968 231 501
>> www.sinergiatec.com

--
Angel Prieto
[EMAIL PROTECTED] 
SINERGIA TECNOLÓGICA
C/ Almirante Churruca
30007 Murcia
TEL.  968 270 624    Fax. 968 231 501
www.sinergiatec.com




[squid-users] SQUID and LDAP.

2005-05-27 Thread Ángel Prieto
Hello, I've configured my squid to authenticate with ldap, but when the 
browser prompts the user and password window I write it and get no 
answer. The squid access.log file shows this:

1116840548.325 6 10.0.20.113 TCP_DENIED/407 1706 GET http://www.google.es/ pprueba3 NONE/- text/html

and when I write this command in the shell:

# /usr/lib/squid/squid_ldap_auth -b ou=People,dc=prueba,dc=com 10.0.21.100
pprueba3
ERR

That is what I get.

Can you help me?
These are the options I have in squid.conf

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic program /usr/lib/squid/squid_ldap_auth -b ou=People,dc=prueba,dc=com 10.0.21.100

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow password
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 10.0.16.0/20
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all


coredump_dir /var/spool/squid


THANKS.

--
Angel Prieto
[EMAIL PROTECTED] 
SINERGIA TECNOLÓGICA

C/ Almirante Churruca

30007 Murcia
TEL.  968 270 624Fax. 968 231 501
www.sinergiatec.com




Re: [squid-users] SQUID and LDAP.

2005-05-27 Thread Babs
Hi
Your ldap authentication statement is incomplete.
Please have a look at the examples and before you put
them into squid.conf, please make sure they are fine
by running them from a shell prompt as how you did and
you must get OK instead of ERR.
From your statement it's missing the -h option
and a binding user/password options too (if the ldap
server doesn't allow anonymous queries)
please have a look at the following examples

http://kb.papercutsoftware.com/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory

Regards
Babs

--- Ángel Prieto [EMAIL PROTECTED] wrote:

 Hello, I've configured my squid to authenticate with
 ldap, but when 
 browser prompt the user and password window i write
 it and get no 
 answer, the squid access.log file shows it:
 1116840548.325 6 10.0.20.113 
 TCP_DENIED/407 1706 GET http://www.google.es/
 pprueba3 NONE/- text/html
 
 and when I write in shell this command #
 /usr/lib/squid/squid_ldap_auth 
 -b ou=People,dc=prueba,dc=com 10.0.21.100
 pprueba3
 ERR
 
 That is what i get.
 
 Can you help me?
 These are the options I have in squid.conf
 
 acl QUERY urlpath_regex cgi-bin \?
 no_cache deny QUERY
 
 auth_param basic program
 /usr/lib/squid/squid_ldap_auth -b 
 ou=People,dc=prueba,dc=com 10.0.21.100
 auth_param basic children 5
 auth_param basic realm Squid proxy-caching web
 server
 auth_param basic credentialsttl 2 hours
 auth_param basic casesensitive off
 
 refresh_pattern ^ftp: 1440 20% 10080
 refresh_pattern ^gopher: 1440 0% 1440
 refresh_pattern . 0 20% 4320
 
 acl password proxy_auth REQUIRED
 acl all src 0.0.0.0/0.0.0.0
 acl manager proto cache_object
 acl localhost src 127.0.0.1/255.255.255.255
 acl to_localhost dst 127.0.0.0/8
 acl SSL_ports port 443 563
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 443 563 # https, snews
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 acl CONNECT method CONNECT
 
 http_access allow password
 http_access allow manager localhost
 http_access deny manager
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 acl our_networks src 10.0.16.0/20
 http_access allow our_networks
 http_access allow localhost
 http_access deny all
 http_reply_access allow all
 icp_access allow all
 
 
 coredump_dir /var/spool/squid
 
 
 THANKS.
 
 -- 
 Angel Prieto
 [EMAIL PROTECTED] 
 SINERGIA TECNOLÓGICA
 C/ Almirante Churruca
 
 30007 Murcia
 TEL. 968 270 624 Fax. 968 231 501
 www.sinergiatec.com
 __
 
 The information contained in this e-mail is
 CONFIDENTIAL and is intended for the exclusive use
 of the addressee named above. If you are reading
 this message and are not the intended addressee, or
 the employee or agent responsible for delivering the
 message to the addressee, or you have received this
 communication in error, please be advised that any
 disclosure, distribution or reproduction of this
 communication is strictly prohibited, and we ask
 that you notify us, return the original message to
 the address given above and delete the message.
 Thank you.
 __
  
 
 




Re: [squid-users] SQUID and LDAP.

2005-05-27 Thread Ángel Prieto

I get this now when I write:
[EMAIL PROTECTED] ~]# /usr/lib/squid/squid_ldap_auth -R -b 
dc=prueba,dc=com -D cn=root,ou=People,dc=prueba,dc=com -w hello -f 
sAMAccountName=%s -h 10.0.21.100


ERR

--
Angel Prieto
[EMAIL PROTECTED] 
SINERGIA TECNOLÓGICA

C/ Almirante Churruca

30007 Murcia
TEL. 968 270 624 Fax. 968 231 501
www.sinergiatec.com




Re: [squid-users] SQUID and LDAP.

2005-05-27 Thread Henrik Nordstrom



On Fri, 27 May 2005, Ángel Prieto wrote:

> I get this now when I write:
> [EMAIL PROTECTED] ~]# /usr/lib/squid/squid_ldap_auth -R -b dc=prueba,dc=com 
> -D cn=root,ou=People,dc=prueba,dc=com -w hello -f sAMAccountName=%s -h 
> 10.0.21.100
>
> ERR


This is normal. A blank line is not a valid login.

After starting squid_ldap_auth you need to provide a loginname password as 
input.


Regards
Henrik
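
Added example (not part of the original thread, and not code from the Squid project): the shell check described above, feeding a basic-auth helper one "loginname password" line on stdin and reading back OK or ERR. `fake_helper`, `ask_helper`, `blank_line_reply` and the sample password are constructed stand-ins so the snippet runs without an LDAP server.

```shell
#!/bin/sh
# Stand-in for a Squid basic-auth helper (constructed for this example; it is
# NOT squid_ldap_auth). Like a real helper it reads one "login password" line
# per request on stdin and answers OK or ERR on stdout.
fake_helper() {
    while IFS= read -r line; do
        user=${line%% *}    # text before the first space
        pass=${line#* }     # text after the first space
        # A blank line, or a line without a space, carries no login/password
        # pair, so the only possible answer is ERR.
        if [ -z "$line" ] || [ "$user" = "$line" ]; then
            echo ERR
        elif [ "$user" = "pprueba3" ] && [ "$pass" = "constructed-secret" ]; then
            echo OK
        else
            echo ERR
        fi
    done
}

# ask_helper LOGIN PASSWORD HELPER [HELPER-ARGS...]
# Sends one request line to the helper and prints the first reply line.
# The password travels on stdin, not on the helper's command line.
ask_helper() {
    login=$1
    password=$2
    shift 2
    printf '%s %s\n' "$login" "$password" | "$@" | head -n 1
}

# blank_line_reply HELPER [HELPER-ARGS...]
# Reproduces pressing Enter at the helper's prompt without typing anything.
blank_line_reply() {
    printf '\n' | "$@" | head -n 1
}

# Against the real helper, pass its path and options instead of fake_helper:
#   ask_helper pprueba3 'the-password' /usr/lib/squid/squid_ldap_auth \
#       -b ou=People,dc=prueba,dc=com -h 10.0.21.100
```

An ERR from `blank_line_reply` says nothing about the LDAP settings; only the reply to a real login and password line does.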


[squid-users] Squid - FTP - LDAP

2005-04-04 Thread
Hi,
I have a question about FTP and Squid
I use LDAP authentifications with http requests and it's ok but I have 
pbms with FTP requests == it doesn't matter if the user is in LDAP or not

Here is my test squid.conf
http_port 3128
cache_mem 20 MB
visible_hostname squid2
cache_dir ufs /u1/cache_squid 1000 16 256
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
#  LDAP
auth_param basic program /usr/lib/squid/pam_auth
# liste acces
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \?
acl LAN src 129.242.0.0/255.255.0.0
acl ADSL src 172.20.0.0/255.255.0.0
acl Safe_ports port 554 7070# Streaming
acl Safe_ports port 1755 5004 5005  # MediaPlayer
acl acl_users_password proxy_auth REQUIRED
# REGLES a tester
acl http proto http
http_access allow http acl_users_password
acl ftp-proto proto FTP
http_access allow ftp-proto acl_users_password
# And finally deny all other access to this proxy
http_access deny all

What is the problem with FTP and Squid ldap authentifications ?
What is more, I can't deny FTP !
I tried with :
acl ftp-proto proto FTP
http_access deny ftp-proto
I always can use FTP with Internet Explorer through squid




Re: [squid-users] Squid - FTP - LDAP

2005-04-04 Thread Henrik Nordstrom
On Mon, 4 Apr 2005, Gé wrote:

> I have a question about FTP and Squid
> I use LDAP authentifications with http requests and it's ok but I have pbms 
> with FTP requests == it doesn't matter if the user is in LDAP or not

Do you use your www browser for accessing ftp:// URLs, or some other FTP 
client?

> What is the problem with FTP and Squid ldap authentifications ?

None.

> What is more, I can't deny FTP !

Works fine here.

> I tried with :
> acl ftp-proto proto FTP
> http_access deny ftp-proto

Looks fine to me.

> I always can use FTP with Internet Explorer through squid

What does access.log say?

Regards
Henrik

[squid-users] squid authentication LDAP

2004-11-18 Thread Jean-Francois . Teyssier
HI,

I use actually squid on a Mandrakelinux (10.0) server.
I want to authenticate my users using squid on a LDAP database on a Novell
server. I use that database actually for others authentifications (radius).
Can somebody help me ??

Thanks



Re: [squid-users] squid authentication LDAP

2004-11-18 Thread Tim Bernhardson
If you search the squid-users archive for novell and ldap you will find
lots of information.

Tim Bernhardson
Senior Technical Engineer
Certified Citrix Metaframe Administrator
Certified CyberGuard Administrator
Certified AIX 4.3 System Administrator
Sun-Maid Growers of California
7273 Murray Drive, Ste 18
Stockton, CA 95210

tbernhar at sunmaid dot com
 [EMAIL PROTECTED] 11/18/04 1:17 AM 
> HI,
>
> I use actually squid on a Mandrakelinux (10.0) server.
> I want to authenticate my users using squid on a LDAP database on a
> Novell server. I use that database actually for others authentifications
> (radius).
> Can somebody help me ??
>
> Thanks




Re: [squid-users] SQUID+PAM+LDAP

2004-11-16 Thread Renato Goncalves Silva
Nobody help me??

This is the last thing to close my project.

thanks.

 Renato Goncalves Silva [EMAIL PROTECTED] 12/11/2004 10:14:16 
Delete this line I don't authenticate to NDS.

All configurations are perfect.

I do not know more to make.

With LDAP helpers my NDS server needs to accept clear password.

 Henrik Nordstrom [EMAIL PROTECTED] 11/11/2004 10:40:07 
Delete the account group from your PAM configuration.

I.e. the line reading

account sufficient /lib/security/pam_ldap.so debug


or tell pam_auth to not care about the account group.



But I would seriously recommend you to use the LDAP helpers for Squid 
rather than to jump the long way via PAM, unless of course you also want 
the users to be able to login as local users to the server where Squid is 
running.

Regards
Henrik

On Thu, 11 Nov 2004, Renato Goncalves Silva wrote:

 I dont know where to change.

 Please help me.


 thanks a lot.

 Henrik Nordstrom [EMAIL PROTECTED] 10/11/2004 18:35:30 
 On Wed, 10 Nov 2004, Renato Goncalves Silva wrote:

 How i configure PAM to do this??

 My file /etc/pam.d/squid.

 #%PAM-1.0
 auth sufficient /lib/security/pam_ldap.so debug
 account sufficient /lib/security/pam_ldap.so debug
 password required /lib/security/pam_ldap.so use_authtok debug
 session sufficient /lib/security/pam_ldap.so debug

 I would think the existing account configuration section in your PAM
 configuration would give a hint... (configure your PAM service to not
 check the account status, your PAM configuration having an account
 restriction..)

 Regards
 Henrik





Re: [squid-users] SQUID+PAM+LDAP

2004-11-16 Thread Henrik Nordstrom
On Tue, 16 Nov 2004, Renato Goncalves Silva wrote:

> Nobody help me??

Regarding the PAM account validity part this is a NDS PAM question, not a 
Squid question.

Regarding LDAP, the LDAP helpers support both TLS and SSL modes which 
makes simple bind acceptable in a secure manner.

Regards
Henrik


Re: [squid-users] SQUID+PAM+LDAP

2004-11-12 Thread Renato Goncalves Silva
Delete this line I don't authenticate to NDS.

All configurations are perfect.

I do not know more to make.

With LDAP helpers my NDS server needs to accept clear password.

 Henrik Nordstrom [EMAIL PROTECTED] 11/11/2004 10:40:07 
Delete the account group from your PAM configuration.

I.e. the line reading

account sufficient /lib/security/pam_ldap.so debug


or tell pam_auth to not care about the account group.



But I would seriously recommend you to use the LDAP helpers for Squid 
rather than to jump the long way via PAM, unless of course you also want 
the users to be able to login as local users to the server where Squid is 
running.

Regards
Henrik

On Thu, 11 Nov 2004, Renato Goncalves Silva wrote:

 I dont know where to change.

 Please help me.


 thanks a lot.

 Henrik Nordstrom [EMAIL PROTECTED] 10/11/2004 18:35:30 
 On Wed, 10 Nov 2004, Renato Goncalves Silva wrote:

 How i configure PAM to do this??

 My file /etc/pam.d/squid.

 #%PAM-1.0
 auth sufficient /lib/security/pam_ldap.so debug
 account sufficient /lib/security/pam_ldap.so debug
 password required /lib/security/pam_ldap.so use_authtok debug
 session sufficient /lib/security/pam_ldap.so debug

 I would think the existing account configuration section in your PAM
 configuration would give a hint... (configure your PAM service to not
 check the account status, your PAM configuration having an account
 restriction..)

 Regards
 Henrik




[squid-users] SQUID+PAM+LDAP

2004-11-10 Thread Renato Goncalves Silva
HI,

Sorry my English.

I configure my squid to access my netware server with LDAP using pam_auth and 
pam_ldap.

This service is OK.

But I don't get to check if password expired.

How I check this??

Any idea??

Thanks a lot.



RE: [squid-users] SQUID+PAM+LDAP

2004-11-10 Thread Elsen Marc

  
 HI,
 
 Sorry my english.
 
 I configure my squid to access my netware server with LDAP 
 using pam_auth and pam_ldap.
 
 This service is OK.
 
 But i dont get to check if password expired.
 
 
 - What do you  mean ?
 - Can you elaborate further ?
 
 M.


RE: [squid-users] SQUID+PAM+LDAP

2004-11-10 Thread Renato Goncalves Silva
I use SQUID and check user and password in NDS.
When user expire password I don't accept this user until change password.
How I check when this password expire???

I create a file squid in /etc/pam.d.

#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so debug
account sufficient /lib/security/pam_ldap.so debug
password required /lib/security/pam_ldap.so use_authtok debug
session sufficient /lib/security/pam_ldap.so debug


 Elsen Marc [EMAIL PROTECTED] 10/11/2004 10:32:26 

  
 HI,
 
 Sorry my english.
 
 I configure my squid to access my netware server with LDAP 
 using pam_auth and pam_ldap.
 
 This service is OK.
 
 But i dont get to check if password expired.
 
 
 - What do you  mean ?
 - Can you elaborate further ?
 
 M.



Re: [squid-users] SQUID+PAM+LDAP

2004-11-10 Thread Henrik Nordstrom
On Wed, 10 Nov 2004, Renato Goncalves Silva wrote:

> I configure my squid to access my netware server with LDAP using pam_auth and 
> pam_ldap.
> This service is OK.
> But i dont get to check if password expired.

Then don't use PAM (use the LDAP helper instead), or configure your PAM 
service to not check the account status.

Regards
Henrik


Re: [squid-users] Squid + DansGuardian +Ldap auth + ICAP

2004-07-19 Thread Henrik Nordstrom
On Fri, 2 Jul 2004, laurent Schweizer wrote:

 I want to install DansGuardian with Squid but before I need to know some
 precisions:
 
 If use DansGuardian with squid, can I also use:
 
 ACL from squid with ldap and ldap_group authentication,

Yes.

Regards
Henrik


