[squid-users] Squid + AD (LDAP)

2008-06-13 Thread Alexandre augusto
Hi All,

I was wrong when I said that my authentication was working in my last email...

I'm trying to get Squid to work with MS AD.

So this is my squid.conf entry about LDAP auth:

auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b "CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br" -D "CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br" -w "/usr/local/squid/etc/file" -f "(objectclass=*)" -h ldap_server_ip:port

Using this configuration with Ldapbrowser tool (Softerra), I can search my 
entire LDAP tree without problems.

my search base is:

CN=user_admin,OU=Usuarios,OU=ABC,DC=abc,DC=com,DC=br

"user_admin" is a Domain Admin of AD (maybe necessary to bind with it?)

But Squid just gives me an old TCP_DENIED entry in the log files:

1213403347.792 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.gm.com/ user_admin NONE/- text/html

1213405393.479 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.squid-cache.org/ user_admin NONE/- text/html

Can anyone help me?

Thanks in advance

Alexandre




Re: [squid-users] Squid + AD (LDAP)

2008-06-14 Thread Henrik Nordstrom
On fre, 2008-06-13 at 18:09 -0700, Alexandre augusto wrote:
> Hi All,
> 
> I was wrong when I said that my authentication was working in my last email...
> 
> I'm trying to get Squid to work with MS AD.
> 
> So this is my squid.conf entry about LDAP auth:
> 
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R -b "CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br" -D "CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br" -w "/usr/local/squid/etc/file" -f "(objectclass=*)" -h ldap_server_ip:port
> 
> Using this configuration with Ldapbrowser tool (Softerra), I can search my 
> entire LDAP tree without problems.
> 
> my search base is:
> 
> CN=user_admin,OU=Usuarios,OU=ABC,DC=abc,DC=com,DC=br

Are you really really sure? That looks very much like the user_admin
object, not the OU (or any upper level) where all your users are found..

> "user_admin" is a Domain Admin of AD (maybe necessary to bind with it?)

That's what -D does.

> But Squid just gives me an old TCP_DENIED entry in the log files:
> 
> 1213403347.792 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.gm.com/ user_admin NONE/- text/html
> 
> 1213405393.479 15 192.168.10.1 TCP_DENIED/407 2706 GET http://www.squid-cache.org/ user_admin NONE/- text/html

Anything in cache.log?

You might need TLS/SSL for this to work. AD is often configured in such
a manner that plaintext authentication (simple bind without encryption) is
not allowed.

Regards
Henrik
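
Added example, not part of the thread or of Squid: a small Python lint for a squid_ldap_auth helper line. It checks the two points raised in the reply above (a search base that is the bind account's own object, a bind without TLS) plus two checks taken from the helper's documented options (-w takes the password itself while -W names a secret file; %s in -f is replaced by the login name). POSTED is the line from the first message; FIXED, the finding codes and the sAMAccountName filter are constructed assumptions.

```python
import shlex

# Line posted in the first message of the thread (wrapped there, joined here).
POSTED = ('auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R '
          '-b "CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br" '
          '-D "CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br" '
          '-w "/usr/local/squid/etc/file" -f "(objectclass=*)" -h ldap_server_ip:port')

# Constructed for this example: base at the domain root, secret read with -W,
# per-user filter (sAMAccountName is assumed as the login attribute), TLS via -Z.
FIXED = ('auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -R '
         '-b "DC=abc,DC=com,DC=br" -D "CN=user_admin,OU=ABC,DC=abc,DC=com,DC=br" '
         '-W /usr/local/squid/etc/file -f "(sAMAccountName=%s)" -v 3 -Z '
         '-h ldap_server_ip')

TAKES_VALUE = {"-b", "-D", "-w", "-W", "-f", "-h", "-H", "-p", "-s", "-u", "-v"}


def lint_ldap_helper(line):
    """Return [(code, explanation), ...] for one squid_ldap_auth helper line."""
    argv = shlex.split(line)
    opts, flags, i = {}, set(), 0
    while i < len(argv):
        if argv[i] in TAKES_VALUE and i + 1 < len(argv):
            opts[argv[i]] = argv[i + 1]   # option followed by its value
            i += 2
        else:
            flags.add(argv[i])            # bare flag (or a non-option token)
            i += 1
    findings = []
    base, bind = opts.get("-b", ""), opts.get("-D", "")
    if base and base.lower() == bind.lower():
        findings.append(("base-is-bind-dn",
                         "-b names the bind account's own object, so no other user is under it"))
    if opts.get("-w", "").startswith("/"):
        findings.append(("password-looks-like-path",
                         "-w takes the password itself; -W reads it from a file"))
    if "-f" in opts and "%s" not in opts["-f"]:
        findings.append(("constant-filter",
                         "-f has no %s, so the login name never enters the search"))
    if "-Z" not in flags and not opts.get("-H", "").lower().startswith("ldaps://"):
        findings.append(("no-tls",
                         "simple bind is sent unencrypted; AD often refuses it"))
    return findings


if __name__ == "__main__":
    for name, line in (("posted", POSTED), ("fixed", FIXED)):
        print(name, [code for code, _ in lint_ldap_helper(line)] or "clean")
```
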




Re: [squid-users] Squid + AD (LDAP)

2008-06-14 Thread Alexandre augusto
Hi Henrik,

You are correct.
My search base is DC=abc,DC=com,DC=br


I have nothing related to LDAP in cache.log.

I'm looking for some documentation and found many guys using Squid + Samba (winbind) with libnss_winbind.so and libnss_winbind.so.2 authenticating on AD (win 2003).

Is that the way to take?

thank you

Alexandre
