Re: [squid-users] Squid + LDAP

2014-02-05 Thread Peter Benko
On Wed, Feb 05, 2014 at 10:08:41AM +0100, matthew vassallo wrote:
> Hi,
> 
> I am trying to connect Squid with Windows Server 2008 R2 active directory but 
> its not working. I made a test environment and ran the following:
> 
> /usr/lib/squid3/squid_ldap_auth -b "dc=matthew,dc=com" -h 192.168.2.3 -D 
> "cn=vassm068,ou=IT,dc=matthew,dc=com" -w "Pa$$w0rd" -f 
> "(&(objectClass=person)(cn=%s))"
> 
> When I run this, I am getting the following error - WARNING, could not bind 
> to binddn 'Invalid Credentials'
> ERR Success
> 
> Do I need to install something on my AD server/squid to authenticate users? 
> Do I need to install and configure Kerberos? I appreciate your help. Thanks
> 
> Regards,
> Matthew 

Try to read this:
https://www.mail-archive.com/squid-users@squid-cache.org/msg92724.html

Do you use some special characters in password (after the -w parameter)?
Try to avoid them and use only alphanumeric characters from the ASCII table.

-- 
Peter Benko
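
The quoting effect behind the test command in this message, as an added example that is not part of the original thread: inside double quotes the shell replaces `$$` with its own process ID, so the helper never receives the literal password. The function names are illustrative and the password string is the one from the post.

```shell
#!/bin/sh
# Added example: what a program receives in argv for -w "Pa$$w0rd".

# Return the first argument exactly as a program would receive it.
received_arg() { printf '%s' "$1"; }

# Double quotes: the shell still expands $$ (its own PID) inside them,
# so the bind password becomes Pa<PID>w0rd.
double_quoted() { received_arg "Pa$$w0rd"; }

# Single quotes: nothing is expanded; the literal password is passed on.
single_quoted() { received_arg 'Pa$$w0rd'; }

# True if the string contains a character the shell can interpret inside
# double quotes (! only matters in interactive bash with history expansion).
has_shell_specials() {
    case $1 in
        *'$'*|*'`'*|*'\'*|*'"'*|*'!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Quote an arbitrary string as one single-quoted shell word.
# An embedded ' is written as '\'' (close quote, escaped quote, reopen).
shell_quote() {
    rest=$1
    out=
    while :; do
        case $rest in
            *"'"*)
                out=$out${rest%%"'"*}"'\\''"
                rest=${rest#*"'"}
                ;;
            *)
                out=$out$rest
                break
                ;;
        esac
    done
    printf "'%s'" "$out"
}

printf 'double quotes -> %s\n' "$(double_quoted)"
printf 'single quotes -> %s\n' "$(single_quoted)"
printf 'safe argument -> -w %s\n' "$(shell_quote 'Pa$$w0rd')"
```

squid_ldap_auth also accepts `-W secretfile`, which reads the bind password from a file and so keeps it off the command line entirely.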


Re: [squid-users] Squid Ldap Authen + AD:how to make authentication persistent?

2011-06-17 Thread Amos Jeffries

On 17/06/11 16:29, เชต wrote:

Hi all,
 I've just configured the squid proxy server to authenticate users to
Microsoft Active Directory. Everything seems fine except squid keeps
asking username/password every time users open new web browser or
switch to other web browser like it checks for some session variable in
each browser instance.


Exactly so.

HTTP is stateless. The browser is required to authenticate with every 
request. The fact it is not asking for login several dozen times per web 
page is that the browser stores it.


You can expect different tabs, windows, browsers, machines, and in fact 
machines of people on the other branches of your company, not to be 
aware of the particular login credentials needed when they are first 
started.


The popup itself has nothing to do with Squid. It is just something the 
browser does when it cannot find any credentials to send. Its "last 
chance" method of getting credentials is to ask the user.


You can avoid users seeing it by allowing the browser to access 
credentials in other ways. For example:
 * the Windows operating system allows IE to access NTLM or Negotiate 
credentials.
 * other OS store Negotiate credentials in a keytab you can allow the 
browser to access.
 * some OS allow the proxy Basic auth login details to be set in the 
environment http_proxy variables.
 * some from stored values in a password manager.




Suppose I've already authenticated my self while using google
chrome and open any new tabs on that chrome instance, there will be no
problem but if I open the new Chrome from desktop shortcut (new
instance), squid will ask for the password for this chrome again. This
also occurred when I switch to IE.
And if I close all browser tabs/windows previously authenticated
then reopen the new browser, squid will ask password again.
Is there a way to make squid only ask password for each users
computer/ip etc, once per day or at least a period of time (such as 8
hours)? I've tried auth_param basic credentialttl 8 hours but nothing
is different.



For Basic auth in Squid-2.7 there is
http://www.squid-cache.org/Doc/config/authenticate_ip_shortcircuit_ttl/

It has been dropped from Squid-3 releases. You can instead use an 
external_acl_type helper to maintain a session and permit access based 
on IP address, passing username back to Squid for the log.


NOTE:
 * users can login to other users' accounts by simply sitting at their 
machine some hours later (even a full reboot does not protect).
 * when DHCP assigns an IP to someone, that person inherits all login 
privileges of any previous user
 * users can tweak their machine IP and instantly get that person's 
login access.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.8 and 3.1.12.2


[squid-users] I: Re: [squid-users] R: Re: [squid-users] Squid - ldap auth against active directory 2008 R2

2011-01-24 Thread projpr...@virgilio.it


>Original message
>From: projpr...@virgilio.it
>Date: 24-Jan-2011 8.34
>To:
>Subject: R: Re: [squid-users] R: Re: [squid-users] Squid - ldap auth against active directory 2008 R2
>
>Thanks a lot for your reply.
>
>this sounds really good...strange that on opensuse i don´t have the
>same problem like on the server
>Anyway, I would like to make the test you suggested.
>
>the user is squid...but which is the standard password?
>
>Thanks again.
>
>
>>Original message
>>From: squ...@treenet.co.nz
>>Date: 21-Jan-2011 13.47
>>To:
>>Subject: Re: [squid-users] R: Re: [squid-users] Squid - ldap auth against active directory 2008 R2
>>
>>On 22/01/11 00:41, projpr...@virgilio.it wrote:
>>> Thanks a lot for you reply!
>>> this gives me a bit of courage...
>>>
>>> well, I made
>>> some test from a opensuse machine and it looks like it works...
>>> now, if i look
>>> at the process monitor with dependencies and thread on the original machine i
>>> have
>>> ownerprocess   id
>>> root   squid  5037
>>> |
>>> |
>>> squid
>>> squid   4033
>>>    |
>>>    |
>>>    |
>>>    squid   squid-ldap  10370
>>>
>>> ..
>>>
>>> I must say that i also mixed up the squid version: i´m using 3.0
>>> Stable 9.
>>>
>>> Do you think it´s cause the helper run under squid?
>>> Should i insert
>>> squid in the root group?
>>
>>No.
>>
>>At the command line before testing the helper set yourself to the squid
>>effective user using the "su" utility. Usually that is "nobody" or
>>"proxy" or "squid", though it may differ for your system.
>>
>>Then run the helper testing to find out what is broken.
>>
>>Amos
>>-- 
>>Please be using
>>   Current Stable Squid 2.7.STABLE9 or 3.1.10
>>   Beta testers wanted for 3.2.0.4


Re: [squid-users] R: Re: [squid-users] Squid - ldap auth against active directory 2008 R2

2011-01-21 Thread Amos Jeffries

On 22/01/11 00:41, projpr...@virgilio.it wrote:

Thanks a lot for you reply!
this gives me a bit of courage...

well, I made
some test from a opensuse machine and it looks like it works...
now, if i look
at the process monitor with dependencies and thread on the original machine i
have
ownerprocess   id
root   squid  5037
|
|
squid
squid   4033
   |
   |
   |
   squid   squid-ldap  10370

..

I must say that i also mixed up the squid version: i´m using 3.0
Stable 9.

Do you think it´s cause the helper run under squid?
Should i insert
squid in the root group?


No.

At the command line before testing the helper set yourself to the squid 
effective user using the "su" utility. Usually that is "nobody" or 
"proxy" or "squid", though it may differ for your system.


Then run the helper testing to find out what is broken.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4


[squid-users] R: Re: [squid-users] Squid - ldap auth against active directory 2008 R2

2011-01-21 Thread projpr...@virgilio.it
Thanks a lot for you reply!
this gives me a bit of courage...

well, I made 
some test from a opensuse machine and it looks like it works...
now, if i look 
at the process monitor with dependencies and thread on the original machine i 
have
ownerprocess   id
root   squid  5037
   |
   |
   squid 
squid   4033
  |
  |
  | 
  squid   squid-ldap  10370

..

I must say that i also mixed up the squid version: i´m using 3.0 
Stable 9.

Do you think it´s cause the helper run under squid?
Should i insert 
squid in the root group?

Thank in advance.


>Original message
>From: squ...@treenet.co.nz
>Date: 21-Jan-2011 9.20
>To:
>Subject: Re: [squid-users] Squid - ldap auth against active directory 2008 R2
>
>On 21/01/11 20:47, projpr...@virgilio.it wrote:
>> Ok, let´s start with a general question:
>>
>> does squid work with ldap auth and
>> active directory 2008 R2???
>> is there someone that has kind of experience with
>> that???
>>
>> Thanks jcasale: yes we upgraded the domain from 2003 to 2008 R2, all
>> domain controller (2 per each subdomain exactly like before in 2003), for sure
>> got other name and ip address and for sure I changed already the configuration
>> of squid.
>> The firewall was the first thing I looked at: it´s completely turned
>> off!
>>
>> The strange thing is that if I run the helper from shell, it works
>> perfectly, instead when it´s called from the configuration it does not work.
>
>There you have the answer to that first Question "does squid work with
>ldap auth and active directory 2008 R2?"
>
>All Squid does is run the helper and pass it the user credentials. If
>the helper works standalone then there is no reason why Squid cannot.
>
>Squid runs as a low-privileged user account. Running the helper as root
>can often create or access files and other resources with root
>permission which the Squid user cannot access.
>   Check the permissions.
>
>
>Amos
>-- 
>Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.10
>   Beta testers wanted for 3.2.0.4



Re: [squid-users] Squid - ldap auth against active directory 2008 R2

2011-01-21 Thread Amos Jeffries

On 21/01/11 20:47, projpr...@virgilio.it wrote:

Ok, let´s start with a general question:

does squid work with ldap auth and
active directory 2008 R2???
is there someone that has kind of experience with
that???

Thanks jcasale: yes we upgraded the domain from 2003 to 2008 R2, all
domain controller (2 per each subdomain exactly like before in 2003), for sure
got other name and ip address and for sure I changed already the configuration
of squid.
The firewall was the first thing I looked at: it´s completely turned
off!

The strange thing is that if I run the helper from shell, it works
perfectly, instead when it´s called from the configuration it does not work.


There you have the answer to that first Question "does squid work with 
ldap auth and active directory 2008 R2?"


All Squid does is run the helper and pass it the user credentials. If 
the helper works standalone then there is no reason why Squid cannot.


Squid runs as a low-privileged user account. Running the helper as root 
can often create or access files and other resources with root 
permission which the Squid user cannot access.

  Check the permissions.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4


[squid-users] R: RE: [squid-users] R: RE: [squid-users] Squid - ldap auth against active directory 2008 R2

2011-01-20 Thread projpr...@virgilio.it
Ok, let´s start with a general question:

does squid work with ldap auth and 
active directory 2008 R2???
is there someone that has kind of experience with 
that???

Thanks jcasale: yes we upgraded the domain from 2003 to 2008 R2, all 
domain controller (2 per each subdomain exactly like before in 2003), for sure 
got other name and ip address and for sure I changed already the configuration 
of squid.
The firewall was the first thing I looked at: it´s completely turned 
off!

The strange thing is that if I run the helper from shell, it works 
perfectly, instead when it´s called from the configuration it does not work.

I guess, if in general squid and ldap would work with 2008 R2, there must be 
something to consider and to include eventually in the configuration of squid, 
for this reason I´m asking help.
If would be not possible with ldap, I would appreciate help also for other 
authentication already tested in 2008 R2 environment.

Thanks in advance.


>Original message
>From: jcas...@activenetwerx.com
>Date: 20-Jan-2011 17.13
>To: "squid-users@squid-cache.org"
>Subject: RE: [squid-users] R: RE: [squid-users] Squid - ldap auth against active directory 2008 R2
>
>>As I
>>said: with AD 2003 was working well, now with AD2008 is not working
>
>That doesn’t help us, so you upgraded the domain? Regardless, you're not
>auth'ing to the "same" server so something changed.
>
>>auth_param basic
>>program usr/sbin/squid_ldap_auth -d -v "3" -s "sub" -b "dc=example, dc=org" -D
>>"cn=example-Auth-User,ou=konten,ou=User city,dc=city,dc=example,dc=org" -w
>>"f" -f "sAMAccountName=%s" -h "ldapserver.ab.example.org" -p "3268"
>
>Check the firewall on the 2008 server, it may not be allowing connections to that
>port for example.
>
>More specifically, are you intentionally querying the GC port versus the LDAP port?
>As I don’t know your topology, that may not have a view of what you are looking for...



RE: [squid-users] R: RE: [squid-users] Squid - ldap auth against active directory 2008 R2

2011-01-20 Thread Joseph L. Casale
>As I 
>said: with AD 2003 was working well, now with AD2008 is not working

That doesn’t help us, so you upgraded the domain? Regardless, you're not
auth'ing to the "same" server so something changed.

>auth_param basic 
>program usr/sbin/squid_ldap_auth -d -v "3" -s "sub" -b "dc=example, dc=org" -D 
>"cn=example-Auth-User,ou=konten,ou=User city,dc=city,dc=example,dc=org" -w 
>"f" -f "sAMAccountName=%s" -h "ldapserver.ab.example.org" -p "3268"

Check the firewall on the 2008 server, it may not be allowing connections to that
port for example.

More specifically, are you intentionally querying the GC port versus the LDAP port?
As I don’t know your topology, that may not have a view of what you are looking for...


[squid-users] R: RE: [squid-users] Squid - ldap auth against active directory 2008 R2

2011-01-20 Thread projpr...@virgilio.it
Thanks for reply.

No anonymous bind: there´s a user to bind ldap server.

As I said: with AD 2003 was working well, now with AD2008 is not working

squid version 2.7 stable6

configuration (names are changed):

auth_param basic program usr/sbin/squid_ldap_auth -d -v "3" -s "sub" -b "dc=example, dc=org" -D "cn=example-Auth-User,ou=konten,ou=User city,dc=city,dc=example,dc=org" -w "f" -f "sAMAccountName=%s" -h "ldapserver.ab.example.org" -p "3268"

auth_param basic children 50

Any help?

>Original message
>From: jcas...@activenetwerx.com
>Date: 20-Jan-2011 12.58
>To: "squid-users@squid-cache.org"
>Subject: RE: [squid-users] Squid - ldap auth against active directory 2008 R2
>
>>On the cache.log of squid  i can see a error message "could not bind to bindn"
>>server" "can´t contact ldap server.
>>
>>Could someone help me to let it work?
>
>Probably not without seeing your config and knowing your AD setup.
>If you upgraded, has your ldap topology remained exactly the same?
>Were you binding anonymously previously as by default anon binds
>are disabled in AD. Are you binding to the same user DN as you were
>and does that user DN still exist?
>
>jlc



RE: [squid-users] Squid - ldap auth against active directory 2008 R2

2011-01-20 Thread Joseph L. Casale
>On the cache.log of squid  i can see a error message "could not bind to bindn" 
>server" "can´t contact ldap server.
>
>Could someone help me to let it work?

Probably not without seeing your config and knowing your AD setup.
If you upgraded, has your ldap topology remained exactly the same?
Were you binding anonymously previously as by default anon binds
are disabled in AD. Are you binding to the same user DN as you were
and does that user DN still exist?

jlc


RE: [squid-users] Squid + LDAP + Active Directory

2010-09-10 Thread Joseph L. Casale
>Yes using -D and -w switches, with creds known to work on other devices
>doing ldap (MFDs for one).

Redact the sensitive parts, and post the actual cmd in your conf. Likely
the domain/user syntax is wrong.


RE: [squid-users] Squid + LDAP + Active Directory

2010-09-10 Thread Rick Chisholm

Yes using -D and -w switches, with creds known to work on other devices
doing ldap (MFDs for one).

On Fri, September 10, 2010 10:47 am, Joseph L. Casale wrote:
>>I'm sure this has been asked before - working on a squid box that is to
>>Auth to AD.  Unable to authenticate and getting error in squid cache log:
>>WARNING: could not bind to binddn 'Invalid credentials'
>
> By default, Windows doesn't allow anon binds, are you using a bind account
> and if so are the creds rights?
>


-- 
Rick Chisholm
Systems Administrator
Parallel42



RE: [squid-users] Squid + LDAP + Active Directory

2010-09-10 Thread Joseph L. Casale
>I'm sure this has been asked before - working on a squid box that is to
>Auth to AD.  Unable to authenticate and getting error in squid cache log:
>WARNING: could not bind to binddn 'Invalid credentials'

By default, Windows doesn't allow anon binds, are you using a bind account
and if so are the creds rights?


Re: [squid-users] Squid ldap group authentication with Zimbra LDAP

2010-02-23 Thread Kevin Kimani
The setup that i have is in collaboration between zimbra and samba.
the users are created in posix accounts and have to belong to either
Admins or Users who are translated to Domain Admins Domain Users
respectively. Hence want to allow the Admins but deny the Users.

The bannedips "acl bannedips dstdomain .facebook.com"



On Tue, Feb 23, 2010 at 12:57 PM, Amos Jeffries  wrote:
> Kevin Kimani wrote:
>>
>> oops had left out tthe deny part
>>
>> acl ldapauth proxy_auth REQUIRED
>> acl InetAccess external InetGroup Admins
>> acl InetDeny external InetGroup Users
>>
>> http_access deny InetDeny
>> http_access deny bannedips
>> http_access allow InetAccess
>> http_access allow my_network
>>
>> When i do this, all are blocked from accessing the internet either
>> from group Admin or users.
>
> Then I guess your "Admin" users is also a member of "Users" or is using one
> of the "bannedips".
>
> If not that then its something else in the config which you are not showing.
>
> Amos
>
>>
>> On Tue, Feb 23, 2010 at 12:38 PM, Amos Jeffries 
>> wrote:
>>>
>>> Kevin Kimani wrote:

>>>> Find below the configurations placed in my config file
>>>>
>>>> auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b
>>>> dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))"
>>>> -h 192.168.111.130
>>>> auth_param basic realm Squid proxy-caching web server
>>>> auth_param basic credentialsttl 2 hour
>>>>
>>>> external_acl_type InetGroup ttl=300 %LOGIN
>>>> /usr/lib/squid/squid_ldap_group -v 3 -b dc=openworld,dc=co,dc=ke -B
>>>> "uid=zimbra,cn=admins,cn=zimbra" -w ldapadmin -f
>>>> "(&(uid=%u)(objectClass=zimbraAccount))" -h 192.168.111.130
>>>>
>>>> acl ldapauth proxy_auth REQUIRED
>>>> acl InetAccess external InetGroup Admins
>>>>
>>>> http_access allow InetAccess
>>>> http_access allow my_network
>>>>
>>>> For authentication of a single user it works since it asks for
>>>> authentication but group authentication it aint.
>>>
>>> There is nothing in that http_access list to prevent access. Everyone who
>>> is
>>> ether an "Admin" group or "my_network" has full access.
>>>
>>> You need either:
>>>  1) if you want a whole group bocked: an additional "acl InetDenied
>>> external
>>> InetGroup ..." for the group(s).
>>>
>>> or
>>> 2) if you want individuals blocked: an "acl InetDenied proxy_user ..."
>>> listing the usernames.
>>>
>>> ... along with "http_access deny IdentDenied" to prevent the selected
>>> users
>>> having web access. Probably right after the admin permit line.
>>>
>>> Amos
>>>
>>>> Regards
>>>>
>>>>
>>>> On Tue, Feb 23, 2010 at 11:29 AM, Amos Jeffries wrote:
>>>>>
>>>>> Kevin Kimani wrote:
>>>>>>
>>>>>> Hi all,
>>>>>> Am having a problem trying to authenticate a group that i have set up
>>>>>> in my zimbra mail server. the users are stored in an ldap database
>>>>>> thus thought that authentication would just be the same as other ldap
>>>>>> databases. am able to authenticate users in singular but want to barr
>>>>>> some users in a particular group. the command i have is letting
>>>>>> everyone access the internet. "external_acl_type InetGroup %LOGIN
>>>>>> /usr/lib/squid/squid_ldap_group -v 3 -b dc=xx,dc=co,dc=ke -f
>>>>>> "(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
>>>>>> would anyne have an idea how to go about it? am in terrible need for
>>>>>> it
>>>>>> to
>>>>>> work.
>>>>>> Regards
>>>>>
>>>>> external_acl_type merely runs a lookup helper, you have additional
>>>>> "acl"
>>>>> lines specifying how its used and various http_access lines as well
>>>>> specifying how the acl lines affect peoples HTTP requests.
>>>>>  We need to know all those other lines to tell what/why you have this
>>>>> problem.
>>>>>
>>>>> Amos
>>>>> --
>>>>> Please be using
>>>>>  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
>>>>>  Current Beta Squid 3.1.0.16
>>>>>
>>>
>>> --
>>> Please be using
>>>  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
>>>  Current Beta Squid 3.1.0.16
>>>
>
>
> --
> Please be using
>  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
>  Current Beta Squid 3.1.0.16
>


Re: [squid-users] Squid ldap group authentication with Zimbra LDAP

2010-02-23 Thread Amos Jeffries

Kevin Kimani wrote:

oops had left out tthe deny part

acl ldapauth proxy_auth REQUIRED
acl InetAccess external InetGroup Admins
acl InetDeny external InetGroup Users

http_access deny InetDeny
http_access deny bannedips
http_access allow InetAccess
http_access allow my_network

When i do this, all are blocked from accessing the internet either
from group Admin or users.


Then I guess your "Admin" users is also a member of "Users" or is using 
one of the "bannedips".


If not that then it's something else in the config which you are not showing.

Amos



On Tue, Feb 23, 2010 at 12:38 PM, Amos Jeffries  wrote:

Kevin Kimani wrote:

Find below the configurations placed in my config file

auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b
dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))"
-h 192.168.111.130
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour

external_acl_type InetGroup ttl=300 %LOGIN
/usr/lib/squid/squid_ldap_group -v 3 -b dc=openworld,dc=co,dc=ke -B
"uid=zimbra,cn=admins,cn=zimbra" -w ldapadmin -f
"(&(uid=%u)(objectClass=zimbraAccount))" -h 192.168.111.130

acl ldapauth proxy_auth REQUIRED
acl InetAccess external InetGroup Admins

http_access allow InetAccess
http_access allow my_network

For authentication of a single user it works since it asks for
authentication but group authentication it aint.

There is nothing in that http_access list to prevent access. Everyone who is
ether an "Admin" group or "my_network" has full access.

You need either:
 1) if you want a whole group bocked: an additional "acl InetDenied external
InetGroup ..." for the group(s).

or
2) if you want individuals blocked: an "acl InetDenied proxy_user ..."
listing the usernames.

... along with "http_access deny IdentDenied" to prevent the selected users
having web access. Probably right after the admin permit line.

Amos


Regards


On Tue, Feb 23, 2010 at 11:29 AM, Amos Jeffries 
wrote:

Kevin Kimani wrote:

Hi all,
Am having a problem trying to authenticate a group that i have set up
in my zimbra mail server. the users are stored in an ldap database
thus thought that authentication would just be the same as other ldap
databases. am able to authenticate users in singular but want to barr
some users in a particular group. the command i have is letting
everyone access the internet. "external_acl_type InetGroup %LOGIN
/usr/lib/squid/squid_ldap_group -v 3 -b dc=xx,dc=co,dc=ke -f
"(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
would anyne have an idea how to go about it? am in terrible need for it
to
work.
Regards

external_acl_type merely runs a lookup helper, you have additional "acl"
lines specifying how its used and various http_access lines as well
specifying how the acl lines affect peoples HTTP requests.
 We need to know all those other lines to tell what/why you have this
problem.

Amos
--
Please be using
 Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
 Current Beta Squid 3.1.0.16



--
Please be using
 Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
 Current Beta Squid 3.1.0.16




--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
  Current Beta Squid 3.1.0.16
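
A simplified first-match model of the http_access lists discussed in this thread, as an added example that is not Squid's or the posters' code: it shows why an account that is in both "Admins" and "Users" is denied by the list as posted. The function name and the sample ACL sets are assumptions; the rule lines come from the messages above, and the reordered list puts the deny right after the admin permit line.

```shell
#!/bin/sh
# Added example: simplified model of http_access evaluation.
# Each line ANDs its ACL names; the first line whose ACLs all match decides.

# http_access_decide RULES MATCHED_ACLS
#   RULES         newline-separated "http_access allow|deny acl..." lines
#   MATCHED_ACLS  space-separated ACL names that are true for this request
http_access_decide() {
    matched=" $2 "
    last=
    while read -r directive action acls; do
        [ "$directive" = http_access ] || continue
        last=$action
        hit=1
        for acl in $acls; do
            case $matched in
                *" $acl "*) ;;
                *) hit=0 ;;
            esac
        done
        if [ "$hit" -eq 1 ]; then
            printf '%s' "$action"
            return 0
        fi
    done <<EOF
$1
EOF
    # No line matched: the result is the opposite of the last line.
    # An empty list is treated as deny in this model.
    case $last in
        allow) printf 'deny' ;;
        deny)  printf 'allow' ;;
        *)     printf 'deny' ;;
    esac
}

# Rule order as posted in the thread.
RULES_AS_POSTED='http_access deny InetDeny
http_access deny bannedips
http_access allow InetAccess
http_access allow my_network'

# Same lines with the group deny moved after the admin permit line.
RULES_REORDERED='http_access deny bannedips
http_access allow InetAccess
http_access deny InetDeny
http_access allow my_network'

# Constructed requests: which ACLs evaluate true for each account.
ADMIN_IN_BOTH_GROUPS='InetAccess InetDeny my_network'
ADMIN_ONLY='InetAccess my_network'
ORDINARY_USER='InetDeny my_network'

for who in ADMIN_IN_BOTH_GROUPS ADMIN_ONLY ORDINARY_USER; do
    eval "acls=\$$who"
    printf '%-22s posted=%-5s reordered=%s\n' "$who" \
        "$(http_access_decide "$RULES_AS_POSTED" "$acls")" \
        "$(http_access_decide "$RULES_REORDERED" "$acls")"
done
```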


Re: [squid-users] Squid ldap group authentication with Zimbra LDAP

2010-02-23 Thread Kevin Kimani
oops had left out the deny part

acl ldapauth proxy_auth REQUIRED
acl InetAccess external InetGroup Admins
acl InetDeny external InetGroup Users

http_access deny InetDeny
http_access deny bannedips
http_access allow InetAccess
http_access allow my_network

When i do this, all are blocked from accessing the internet either
from group Admin or users.

Regards



On Tue, Feb 23, 2010 at 12:38 PM, Amos Jeffries  wrote:
> Kevin Kimani wrote:
>>
>> Find below the configurations placed in my config file
>>
>> auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b
>> dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))"
>> -h 192.168.111.130
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hour
>>
>> external_acl_type InetGroup ttl=300 %LOGIN
>> /usr/lib/squid/squid_ldap_group -v 3 -b dc=openworld,dc=co,dc=ke -B
>> "uid=zimbra,cn=admins,cn=zimbra" -w ldapadmin -f
>> "(&(uid=%u)(objectClass=zimbraAccount))" -h 192.168.111.130
>>
>> acl ldapauth proxy_auth REQUIRED
>> acl InetAccess external InetGroup Admins
>>
>> http_access allow InetAccess
>> http_access allow my_network
>>
>> For authentication of a single user it works since it asks for
>> authentication but group authentication it aint.
>
> There is nothing in that http_access list to prevent access. Everyone who is
> ether an "Admin" group or "my_network" has full access.
>
> You need either:
>  1) if you want a whole group bocked: an additional "acl InetDenied external
> InetGroup ..." for the group(s).
>
> or
> 2) if you want individuals blocked: an "acl InetDenied proxy_user ..."
> listing the usernames.
>
> ... along with "http_access deny IdentDenied" to prevent the selected users
> having web access. Probably right after the admin permit line.
>
> Amos
>
>>
>> Regards
>>
>>
>> On Tue, Feb 23, 2010 at 11:29 AM, Amos Jeffries 
>> wrote:
>>>
>>> Kevin Kimani wrote:

>>>> Hi all,
>>>> Am having a problem trying to authenticate a group that i have set up
>>>> in my zimbra mail server. the users are stored in an ldap database
>>>> thus thought that authentication would just be the same as other ldap
>>>> databases. am able to authenticate users in singular but want to barr
>>>> some users in a particular group. the command i have is letting
>>>> everyone access the internet. "external_acl_type InetGroup %LOGIN
>>>> /usr/lib/squid/squid_ldap_group -v 3 -b dc=xx,dc=co,dc=ke -f
>>>> "(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
>>>> would anyne have an idea how to go about it? am in terrible need for it
>>>> to
>>>> work.
>>>> Regards
>>>
>>> external_acl_type merely runs a lookup helper, you have additional "acl"
>>> lines specifying how its used and various http_access lines as well
>>> specifying how the acl lines affect peoples HTTP requests.
>>>  We need to know all those other lines to tell what/why you have this
>>> problem.
>>>
>>> Amos
>>> --
>>> Please be using
>>>  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
>>>  Current Beta Squid 3.1.0.16
>>>
>
>
> --
> Please be using
>  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
>  Current Beta Squid 3.1.0.16
>


Re: [squid-users] Squid ldap group authentication with Zimbra LDAP

2010-02-23 Thread Amos Jeffries

Kevin Kimani wrote:

Find below the configurations placed in my config file

auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b
dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))"
-h 192.168.111.130
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour

external_acl_type InetGroup ttl=300 %LOGIN
/usr/lib/squid/squid_ldap_group -v 3 -b dc=openworld,dc=co,dc=ke -B
"uid=zimbra,cn=admins,cn=zimbra" -w ldapadmin -f
"(&(uid=%u)(objectClass=zimbraAccount))" -h 192.168.111.130

acl ldapauth proxy_auth REQUIRED
acl InetAccess external InetGroup Admins

http_access allow InetAccess
http_access allow my_network

For authentication of a single user it works since it asks for
authentication but group authentication it aint.


There is nothing in that http_access list to prevent access. Everyone 
who is either an "Admin" group or "my_network" has full access.


You need either:
 1) if you want a whole group blocked: an additional "acl InetDenied 
external InetGroup ..." for the group(s).


or
2) if you want individuals blocked: an "acl InetDenied proxy_user ..." 
listing the usernames.


... along with "http_access deny IdentDenied" to prevent the selected 
users having web access. Probably right after the admin permit line.


Amos



Regards


On Tue, Feb 23, 2010 at 11:29 AM, Amos Jeffries  wrote:

Kevin Kimani wrote:

Hi all,
Am having a problem trying to authenticate a group that i have set up
in my zimbra mail server. the users are stored in an ldap database
thus thought that authentication would just be the same as other ldap
databases. am able to authenticate users in singular but want to barr
some users in a particular group. the command i have is letting
everyone access the internet. "external_acl_type InetGroup %LOGIN
/usr/lib/squid/squid_ldap_group -v 3 -b dc=xx,dc=co,dc=ke -f
"(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
would anyne have an idea how to go about it? am in terrible need for it to
work.
Regards

external_acl_type merely runs a lookup helper, you have additional "acl"
lines specifying how its used and various http_access lines as well
specifying how the acl lines affect peoples HTTP requests.
 We need to know all those other lines to tell what/why you have this
problem.

Amos
--
Please be using
 Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
 Current Beta Squid 3.1.0.16




--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
  Current Beta Squid 3.1.0.16


Re: [squid-users] Squid ldap group authentication with Zimbra LDAP

2010-02-23 Thread Kevin Kimani
Find below the configurations placed in my config file

auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b
dc=openworld,dc=co,dc=ke -f "(&(uid=%s)(objectClass=zimbraAccount))"
-h 192.168.111.130
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour

external_acl_type InetGroup ttl=300 %LOGIN
/usr/lib/squid/squid_ldap_group -v 3 -b dc=openworld,dc=co,dc=ke -B
"uid=zimbra,cn=admins,cn=zimbra" -w ldapadmin -f
"(&(uid=%u)(objectClass=zimbraAccount))" -h 192.168.111.130

acl ldapauth proxy_auth REQUIRED
acl InetAccess external InetGroup Admins

http_access allow InetAccess
http_access allow my_network

For authentication of a single user it works since it asks for
authentication but group authentication it aint.

Regards


On Tue, Feb 23, 2010 at 11:29 AM, Amos Jeffries  wrote:
> Kevin Kimani wrote:
>>
>> Hi all,
>> Am having a problem trying to authenticate a group that i have set up
>> in my zimbra mail server. the users are stored in an ldap database
>> thus thought that authentication would just be the same as other ldap
>> databases. am able to authenticate users in singular but want to barr
>> some users in a particular group. the command i have is letting
>> everyone access the internet. "external_acl_type InetGroup %LOGIN
>> /usr/lib/squid/squid_ldap_group -v 3 -b dc=xx,dc=co,dc=ke -f
>> "(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
>> would anyne have an idea how to go about it? am in terrible need for it to
>> work.
>> Regards
>
> external_acl_type merely runs a lookup helper, you have additional "acl"
> lines specifying how its used and various http_access lines as well
> specifying how the acl lines affect peoples HTTP requests.
>  We need to know all those other lines to tell what/why you have this
> problem.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
>  Current Beta Squid 3.1.0.16
>


Re: [squid-users] Squid ldap group authentication with Zimbra LDAP

2010-02-23 Thread Amos Jeffries

Kevin Kimani wrote:

Hi all,
Am having a problem trying to authenticate a group that i have set up
in my zimbra mail server. the users are stored in an ldap database
thus thought that authentication would just be the same as other ldap
databases. am able to authenticate users in singular but want to barr
some users in a particular group. the command i have is letting
everyone access the internet. "external_acl_type InetGroup %LOGIN
/usr/lib/squid/squid_ldap_group -v 3 -b dc=xx,dc=co,dc=ke -f
"(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
would anyone have an idea how to go about it? am in terrible need for it to work.
Regards


external_acl_type merely runs a lookup helper, you have additional "acl" 
lines specifying how its used and various http_access lines as well 
specifying how the acl lines affect peoples HTTP requests.
 We need to know all those other lines to tell what/why you have this 
problem.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
  Current Beta Squid 3.1.0.16


Re: [squid-users] Squid ldap group authentication with Zimbra LDAP

2010-02-22 Thread Kevin Kimani
Hi,

I have tried implementing that but it's still giving me a
problem. It either admits all or none but it gets the users from the
LDAP database.
Been thinking it could be a problem with my search string

On Tue, Feb 23, 2010 at 9:33 AM, Michael Mansour  wrote:
> Hi,
>
> --- On Tue, 23/2/10, Kevin Kimani  wrote:
>
>> From: Kevin Kimani 
>> Subject: [squid-users] Squid ldap group authentication with Zimbra LDAP
>> To: "squid-users" 
>> Received: Tuesday, 23 February, 2010, 5:00 PM
>> Hi all,
>> Am having a problem trying to authenticate a group that i
>> have set up
>> in my zimbra mail server. the users are stored in an ldap
>> database
>> thus thought that authentication would just be the same as
>> other ldap
>> databases. am able to authenticate users in singular but
>> want to bar
>> some users in a particular group. the command i have is
>> letting
>> everyone access the internet. "external_acl_type InetGroup
>> %LOGIN
>> /usr/lib/squid/squid_ldap_group -v 3 -b
>> dc=xx,dc=co,dc=ke -f
>> "(&(uid=%g)(objectClass=*))" -h xx.xx.xx.xx"
>> would anyone have an idea how to go about it? am in terrible
>> need for it to work.
>
> I used this:
>
> http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory
>
> To setup/block groups of users via LDAP.
>
> Regards,
>
> Michael.
>
>> Regards
>>
>
>
>


Re: [squid-users] Squid LDAP Auth and ACL Integration

2010-01-04 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Sat, Jan 2, 2010 at 1:49 PM, ml ml  wrote:
> Hi,
>
> thanks for the reply.
>
> However, I can't get the proof-of-concept working on the command line:
>
> echo "mo" | squid_ldap_group  -b "dc=my-domain,dc=com"  -f "cn=mo" -F
> "cn=mo" -h localhost -D "cn=Manager,dc=my-domain,dc=com"  -w secret

Not sure, but I use this on the squid.conf:

/usr/lib/squid/squid_ldap_group -b "ou=Groups,dc=example,dc=com" -f
"(&(objectclass=posixGroup)(cn=%g)(memberUid=%u))" -h localhost -P -v
3 -B "ou=Users,dc=example,dc=com" -D cn=read_only,dc=example,dc=com -w
password

>
> it always returns ERR. If I do a "tcpdump -i any -n port 389" then I
> can't see any traffic at all.
>

I'm not sure, but I think it doesn't return traffic for lo interface.

> Any idea how i can debug this? the "-d" option does not seem to do any
> debugging!

maybe run the ldap daemon (slapd) with "-d -1" option, but it will
print LOTS of info, make sure NO OTHER PROCESS access the directory
server while you run the test (maybe a VM will help).

>
> Thanks,
> Mario
>
>
>
> On Thu, Dec 31, 2009 at 9:29 PM, Chris Robertson  wrote:
>> ml ml wrote:
>>>
>>> Hello List,
>>>
>>> i read that its quite easy to get squid with ldap auth running.
>>>
>>> I would also like to manage Black/White URL-Lists in ldap. Can this be
>>> done via ldap, too?

m. maybe, but, I think this could become slow, I have never
used LDAP for black lists, I store them on plain-text files, and then
use group membership (ldap) to manage who the lists applies to.  If
you feel like you really need to have the URLs on LDAP, I would write
a script that reads the URLs from LDAP and writes them to plain-text
files that squid would use.  Of course, you would need some
"intelligence" in the script.

I hope this helps,

Ildefonso Camargo


Re: [squid-users] Squid LDAP Auth and ACL Integration

2010-01-04 Thread Chris Robertson

ml ml wrote:

Hi,

thanks for the reply.

However, I can't get the proof-of-concept working on the command line:

echo "mo" | squid_ldap_group  -b "dc=my-domain,dc=com"  -f "cn=mo" -F
"cn=mo" -h localhost -D "cn=Manager,dc=my-domain,dc=com"  -w secret

it always returns ERR.


So, user with common name of "mo" is apparently not a member of the 
group with common name "mo".  You are statically assigning your search 
filters, which will return the same results for every run.



 If I do a "tcpdump -i any -n port 389" then I
can't see any traffic at all.

Any idea how i can debug this? the "-d" option does not seem to do any
debugging!
  


That's very odd.  The -d option should print messages:
* upon successful LDAP connection (with a failed connection being 
reported regardless of debugging being set)

* confirming the group filter and searchbase
* confirming the user filter and searchbase

Try putting -d as the first argument.  It shouldn't matter, but doing so 
will assure it's not being "missed".



Thanks,
Mario


Chris
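The point Chris makes about statically assigned filters can be checked mechanically. The following is an added example, not code from the thread or from the Squid project: it audits the `-f` group filters quoted on this page for the `%u` and `%g` placeholders and shows how many distinct LDAP searches each one produces. The user and group names are constructed, and the RFC 4515 value escaping is part of the example.

```python
import re

PLACEHOLDER = re.compile(r"%[ug]")

# -f filters quoted in the threads on this page.
PAGE_FILTERS = [
    "cn=mo",
    "(&(uid=%g)(objectClass=*))",
    "(&(uid=%u)(objectClass=zimbraAccount))",
    "(&(objectclass=posixGroup)(cn=%g)(memberUid=%u))",
]

# Constructed (user, group) lookups, as Squid would pass them to the helper.
LOOKUPS = [("alice", "Admins"), ("bob", "Admins"), ("alice", "Staff")]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def expand(template, user, group):
    """Substitute %u and %g in one pass, so a value can never inject a placeholder."""
    values = {"%u": escape_filter_value(user), "%g": escape_filter_value(group)}
    return PLACEHOLDER.sub(lambda m: values[m.group(0)], template)


def audit(template):
    """Return the reasons a filter cannot express 'is this user in this group'."""
    findings = []
    if "%u" not in template:
        findings.append("no %u: the answer does not depend on who is asking")
    if "%g" not in template:
        findings.append("no %g: the answer does not depend on the group in the acl line")
    return findings


def distinct_searches(template, lookups):
    """Count the different LDAP searches the lookups turn into."""
    return len({expand(template, user, group) for user, group in lookups})


def report():
    return [(t, distinct_searches(t, LOOKUPS), audit(t)) for t in PAGE_FILTERS]


if __name__ == "__main__":
    for template, count, findings in report():
        print(template)
        print("  distinct searches for %d lookups: %d" % (len(LOOKUPS), count))
        for finding in findings or ["ok: depends on both user and group"]:
            print("  " + finding)
```

A filter that lacks `%g` gives the same answer for every group named on an `acl ... external` line, so the ACL admits either every user the search finds or none of them.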



Re: [squid-users] Squid LDAP Auth and ACL Integration

2010-01-02 Thread ml ml
Hi,

thanks for the reply.

However, I can't get the proof-of-concept working on the command line:

echo "mo" | squid_ldap_group  -b "dc=my-domain,dc=com"  -f "cn=mo" -F
"cn=mo" -h localhost -D "cn=Manager,dc=my-domain,dc=com"  -w secret

it always returns ERR. If I do a "tcpdump -i any -n port 389" then I
can't see any traffic at all.

Any idea how i can debug this? the "-d" option does not seem to do any
debugging!

Thanks,
Mario



On Thu, Dec 31, 2009 at 9:29 PM, Chris Robertson  wrote:
> ml ml wrote:
>>
>> Hello List,
>>
>> i read that its quite easy to get squid with ldap auth running.
>>
>> I would also like to manage Black/White URL-Lists in ldap. Can this be
>> done via ldap, too?
>>
>
> Yes, it can be done.  It's roll-your-own, however...
>  http://www.squid-cache.org/Doc/config/external_acl_type/
>
>> Cheers,
>> Mario
>>
>
> Chris
>
>


Re: [squid-users] Squid LDAP Auth and ACL Integration

2009-12-31 Thread Chris Robertson

ml ml wrote:

Hello List,

I read that it's quite easy to get squid with ldap auth running.

I would also like to manage Black/White URL-Lists in ldap. Can this be
done via ldap, too?
  


Yes, it can be done.  It's roll-your-own, however...  
http://www.squid-cache.org/Doc/config/external_acl_type/



Cheers,
Mario
  


Chris
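A sketch of the roll-your-own external_acl_type helper mentioned above, combined with the suggestion elsewhere in this thread to keep the URL lists in plain-text files exported from LDAP. This is an added example, not code from the thread or from the Squid project. It assumes the helper is configured with the format `%LOGIN %DST`, that Squid sends the fields URL-escaped, one lookup per line, and that the helper answers `OK` or `ERR`; the list contents are constructed samples.

```python
import sys
from urllib.parse import unquote

# Constructed samples: one domain per line, as an LDAP export script might write them.
SAMPLE_BLACK = """\
# blocked
ads.example.net
.tracker.example.org
"""
SAMPLE_WHITE = """\
# exceptions that override the black list
static.tracker.example.org
"""


def load_domains(text):
    """Parse a list file: '#' comments, blank lines and a leading dot are tolerated."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().strip(".")
        if entry:
            domains.add(entry)
    return domains


def listed(host, domains):
    """True if host or any parent domain is listed (matching on label boundaries)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def answer(line, white, black):
    """Answer one lookup line: OK = request may proceed, ERR = it may not.

    A malformed line gets ERR, so a protocol mismatch fails closed when the
    acl is used on an 'http_access allow' line.
    """
    fields = [unquote(field) for field in line.split()]
    if len(fields) != 2 or not fields[1]:
        return "ERR"
    _user, host = fields
    if listed(host, white):
        return "OK"
    if listed(host, black):
        return "ERR"
    return "OK"


def main():
    white, black = load_domains(SAMPLE_WHITE), load_domains(SAMPLE_BLACK)
    for line in sys.stdin:
        sys.stdout.write(answer(line, white, black) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never leave it buffered


if __name__ == "__main__":
    main()
```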



Re: [squid-users] Squid + LDAP

2009-12-09 Thread Jose Ildefonso Camargo Tolosa
Hi!

Sure: the DN syntax that squid is sending to the LDAP is invalid.
Without your config, there is nothing more I can say (for me: it just
worked!).

I hope this helps,

Ildefonso Camargo


On Wed, Dec 9, 2009 at 8:57 AM, Dominguez, Gaston Matias
 wrote:
> Hi people
>
> I am having trouble with my two servers.
>
> Server A - PDC with SAMBA & LDAP Works Fine.
>
> Server B - Squid without SAMBA & LDAP.
>
> I need to authenticate all users that have web access and are logged in on the PDC, but
> it's not working.
>
> The Server B tell me this:
>
> 2009/12/09 05:16:42| Reconfiguring Squid Cache (version 2.6.STABLE21)...
> 2009/12/09 05:16:42| FD 15 Closing HTTP connection
> 2009/12/09 05:16:42| FD 17 Closing ICP connection
> 2009/12/09 05:16:42| Initialising SSL.
> 2009/12/09 05:16:42| User-Agent logging is disabled.
> 2009/12/09 05:16:42| Referer logging is disabled.
> 2009/12/09 05:16:42| DNS Socket created at 0.0.0.0, port 43588, FD 8
> 2009/12/09 05:16:42| Adding nameserver 192.168.6.3 from /etc/resolv.conf
> 2009/12/09 05:16:42| helperOpenServers: Starting 5 'squid_ldap_auth'
> processes
> 2009/12/09 05:16:42| Accepting proxy HTTP connections at 0.0.0.0, port 3128,
> FD 15.
> 2009/12/09 05:16:42| Accepting ICP messages at 0.0.0.0, port 3130, FD 17.
> 2009/12/09 05:16:42| WCCP Disabled.
> 2009/12/09 05:16:42| Loaded Icons.
> 2009/12/09 05:16:42| Ready to serve requests.
> squid_ldap_auth: WARNING, could not bind to binddn 'Invalid DN syntax'
> squid_ldap_auth: WARNING, could not bind to binddn 'Invalid DN syntax'
> squid_ldap_auth: WARNING, could not bind to binddn 'Invalid DN syntax'
>
> the error is when i enter the user & pass to web Access.
>
> Someone knows what is this ??
>
>
> Regards.
>
>
>
>


Re: [squid-users] Squid + LDAp

2009-12-02 Thread Kinkie
On Wed, Dec 2, 2009 at 4:52 PM, Dominguez, Gaston Matias
 wrote:
> Hi people,
>
> I want to know how to configure a squid server with ldap.
>
> Someone can help me.

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap
http://wiki.squid-cache.org/HelpOnAuthentication/LDAP
http://wiki.squid-cache.org/KnowledgeBase/LdapBackedDigestAuthentication

In other words, RTFM. In general the squid wiki is a pretty
comprehensive source of documentation, examples, manuals. Please refer
to it. We strive to keep it as complete and uptodate as we can, to
make life easier for everyone (ourselves included).

Thanks


-- 
/kinkie


RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

2009-10-06 Thread Dion Beauglehall
HI,

It works fine for the straight "deny", but I have one acl (from an external 
helper) which has been designed to be used as an allow list, which (of course), 
I want to use as a deny. Putting

deny !papercutallow dummy


Seems to just hang squid.

Thoughts? Suggestions?

In the meantime, I've contacted papercut about whether the external helper can 
work as a deny group...

Regards,
Dion


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, 7 October 2009 2:53 PM
To: Dion Beauglehall
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

On Wed, 7 Oct 2009 14:23:45 +1100, "Dion Beauglehall"
 wrote:
> Hi,
> 
> I am now having issues with custom error pages,
> 
> I have the deny_info line for the accessdeny acl, but it isn't getting used
> (I assume because the access deny line finished with all). Eg:
> 
> deny_info ERR_ACCESS_DENIED_MISUSE accessdenied
> http_access deny accessdenied all
> 
> I have tried removing the "all", but that puts me back into a re-challenge
> loop (which is why "all" was included).
> 
> I am hoping to have a list of denied messages which give instructions to
> the user on the steps required to fix the issue, depending on what reason
> they were denied for.  Is there any suggestions someone can offer, or is
> there relevant variables (eg. The acl which denied them) which can be
> passed to an external handler?  I'd rather do it with static ERR pages, but
> whatever works!

Magic voodoo:

acl dummy src all
deny_info ERR_ACCESS_DENIED_MISUSE dummy
http_access deny accessdenied dummy


See how it works? ;)

Amos


> 
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
> Sent: Monday, 14 September 2009 12:20 PM
> To: Dion Beauglehall
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] Squid/LDAP re-challenges browser on
http_access
> deny
> 
> On Mon, 14 Sep 2009 12:12:27 +1000, "Dion Beauglehall"
>  wrote:
>> Hi Amos,
>> 
>> The changes you suggested worked perfectly.  Thankyou.  What I'm not
> quite
>> sure of is why.  I assume in this context, the "all" at the end of the
> line
>> is not acting as a user list, but a URL list or something else?
> 
> It's an IP-based test doing a very fast catch-all.  This changes the type
> of ACL last seen at denial so Squid does not equate the deny with unusable
> credentials and re-challenge.
> 
> Amos
> 
>> 
>> Regards,
>> Dion
>> 
>> 
>> -Original Message-
>> From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
>> Sent: Thursday, 10 September 2009 11:30 AM
>> To: squid-users@squid-cache.org
>> Subject: Re: [squid-users] Squid/LDAP re-challenges browser on
> http_access
>> deny
>> 
>> On Thu, 10 Sep 2009 10:55:58 +1000, "Dion Beauglehall"
>>  wrote:
>>> Hi,
>>> 
>>> I’m configuring a squid proxy box with LDAP authentication, and ACLs
>> based
>>> on LDAP groups.  I have the LDAP authentication working, as are groups.
>>> 
>>> However, when I add a user to an “Access Denied” group, squid then
> causes
>>> the browser to bring up a authentication dialog box.  Most squid
> installs
>> I
>>> have seen bring up a squid “Cache Access Denied” screen at this point.
>>> This is what I would like it to do.
>>> 
>>> I am unsure if what I am experiencing is expected behaviour, or whether
> I
>>> have an error in my config file.
>>> 
>>> I am running Squid 2.7STABLE6 on a Windows 2008 server.  Relevant lines
>>> from squid.conf are below.  Note that the LDAP works correctly, and so
I
>>> have not provided details.  What is not acting as I expected is the
>>> behaviour of Squid when it hits the “http_access deny accessdenied”
> line.
>> 
>>> This seems to be what re-challenges the browser.  
>>> 
>>> As we are a school, we need to ensure that both the user is a valid
user
>>> (from the initial challenge, which collects their machine login,
>> invisible
>>> to the user), and that they have not been denied for some reason (hence
>> the
>>> denied group).  The re-challenge will lead to students logging into
> squid
>>> with their friends account.  A Cache Access Denied screen is a much
>> better
>>> alternative.
>> 
>> Yes it was a config issue.
>> Re-writing your ACLs slightly to follow that exact logic as described
> above
>> should solve your problem.
>> 
>>

RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

2009-10-06 Thread Amos Jeffries
On Wed, 7 Oct 2009 14:23:45 +1100, "Dion Beauglehall"
 wrote:
> Hi,
> 
> I am now having issues with custom error pages,
> 
> I have the deny_info line for the accessdeny acl, but it isn't getting used
> (I assume because the access deny line finished with all). Eg:
> 
> deny_info ERR_ACCESS_DENIED_MISUSE accessdenied
> http_access deny accessdenied all
> 
> I have tried removing the "all", but that puts me back into a re-challenge
> loop (which is why "all" was included).
> 
> I am hoping to have a list of denied messages which give instructions to
> the user on the steps required to fix the issue, depending on what reason
> they were denied for.  Is there any suggestions someone can offer, or is
> there relevant variables (eg. The acl which denied them) which can be
> passed to an external handler?  I'd rather do it with static ERR pages, but
> whatever works!

Magic voodoo:

acl dummy src all
deny_info ERR_ACCESS_DENIED_MISUSE dummy
http_access deny accessdenied dummy


See how it works? ;)

Amos


> 
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
> Sent: Monday, 14 September 2009 12:20 PM
> To: Dion Beauglehall
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] Squid/LDAP re-challenges browser on
http_access
> deny
> 
> On Mon, 14 Sep 2009 12:12:27 +1000, "Dion Beauglehall"
>  wrote:
>> Hi Amos,
>> 
>> The changes you suggested worked perfectly.  Thankyou.  What I'm not
> quite
>> sure of is why.  I assume in this context, the "all" at the end of the
> line
>> is not acting as a user list, but a URL list or something else?
> 
> It's an IP-based test doing a very fast catch-all.  This changes the type
> of ACL last seen at denial so Squid does not equate the deny with unusable
> credentials and re-challenge.
> 
> Amos
> 
>> 
>> Regards,
>> Dion
>> 
>> 
>> -Original Message-
>> From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
>> Sent: Thursday, 10 September 2009 11:30 AM
>> To: squid-users@squid-cache.org
>> Subject: Re: [squid-users] Squid/LDAP re-challenges browser on
> http_access
>> deny
>> 
>> On Thu, 10 Sep 2009 10:55:58 +1000, "Dion Beauglehall"
>>  wrote:
>>> Hi,
>>> 
>>> I’m configuring a squid proxy box with LDAP authentication, and ACLs
>> based
>>> on LDAP groups.  I have the LDAP authentication working, as are groups.
>>> 
>>> However, when I add a user to an “Access Denied” group, squid then
> causes
>>> the browser to bring up a authentication dialog box.  Most squid
> installs
>> I
>>> have seen bring up a squid “Cache Access Denied” screen at this point.
>>> This is what I would like it to do.
>>> 
>>> I am unsure if what I am experiencing is expected behaviour, or whether
> I
>>> have an error in my config file.
>>> 
>>> I am running Squid 2.7STABLE6 on a Windows 2008 server.  Relevant lines
>>> from squid.conf are below.  Note that the LDAP works correctly, and so
I
>>> have not provided details.  What is not acting as I expected is the
>>> behaviour of Squid when it hits the “http_access deny accessdenied”
> line.
>> 
>>> This seems to be what re-challenges the browser.  
>>> 
>>> As we are a school, we need to ensure that both the user is a valid
user
>>> (from the initial challenge, which collects their machine login,
>> invisible
>>> to the user), and that they have not been denied for some reason (hence
>> the
>>> denied group).  The re-challenge will lead to students logging into
> squid
>>> with their friends account.  A Cache Access Denied screen is a much
>> better
>>> alternative.
>> 
>> Yes it was a config issue.
>> Re-writing your ACLs slightly to follow that exact logic as described
> above
>> should solve your problem.
>> 
>>> 
>>> Note that once I have this working, there will be other “denied” groups
>> to
>>> deny on, prior to allowing access.
>>> 
>>> Any suggestions or ideas are appreciated.
>>> 
>>> Regards,
>>> Dion
>>> 
>>> 
>>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ..
>>> auth_param basic children 5
>>> auth_param basic realm VSC
>>> auth_param basic credentialsttl 5 minutes
>>> 
>>> external_acl_type ldapgroup &LOGIN ..
>>> 
>>> acl ldap-auth proxy_auth REQUIRED
>>> 
>>>
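The three configurations discussed in this thread can be compared with a small model of the rule the replies describe: the first matching http_access line decides, a deny whose last ACL is credential-based produces a new challenge, and deny_info is looked up by the last ACL on the denying line. This is an added example, not code from the thread or from the Squid project. It covers only requests from a user who has already logged in with valid credentials, and the group memberships passed in are constructed.

```python
# ACL name -> (type, argument). "external_login" stands for an external ACL
# whose format includes the login name, as ldapgroup does in the thread.
ACLS = {
    "ldap-auth":     ("proxy_auth", None),
    "accessdenied":  ("external_login", "InternetAccessDeny"),
    "accessallowed": ("external_login", "InternetAccess"),
    "all":           ("src", None),
    "dummy":         ("src", None),  # acl dummy src all
}
CREDENTIAL_TYPES = {"proxy_auth", "external_login"}
DEFAULT_PAGE = "ERR_ACCESS_DENIED"

# http_access lines, in order, for each stage of the thread.
ORIGINAL = [
    ("deny", ["accessdenied"]),
    ("allow", ["accessallowed"]),
    ("deny", ["all"]),
]
WITH_ALL = [
    ("deny", ["accessdenied", "all"]),
    ("deny", ["!ldap-auth"]),
    ("allow", ["accessallowed"]),
    ("deny", ["all"]),
]
WITH_DUMMY = [("deny", ["accessdenied", "dummy"])] + WITH_ALL[1:]


def term_matches(term, groups):
    """Evaluate one ACL reference (optionally negated) for a logged-in user."""
    kind, arg = ACLS[term.lstrip("!")]
    if kind == "external_login":
        hit = arg in groups
    else:
        hit = True  # 'src all' matches everyone; proxy_auth REQUIRED matches any logged-in user
    return hit != term.startswith("!")


def evaluate(rules, deny_info, groups):
    """Return (outcome, error page) for the first http_access line that matches."""
    for action, terms in rules:
        if not all(term_matches(term, groups) for term in terms):
            continue
        if action == "allow":
            return ("allow", None)
        last = terms[-1].lstrip("!")
        if ACLS[last][0] in CREDENTIAL_TYPES:
            return ("407 challenge", None)  # browser pops up the login box again
        return ("403 denied", deny_info.get(last, DEFAULT_PAGE))
    raise ValueError("no rule matched; every rule set here ends in 'deny all'")


def compare(groups):
    """Outcome of each stage for one user's group memberships."""
    misuse = "ERR_ACCESS_DENIED_MISUSE"
    return {
        "original": evaluate(ORIGINAL, {}, groups),
        "with all": evaluate(WITH_ALL, {"accessdenied": misuse}, groups),
        "with dummy": evaluate(WITH_DUMMY, {"dummy": misuse}, groups),
    }


if __name__ == "__main__":
    for name, result in compare({"InternetAccessDeny"}).items():
        print(name, "->", result)
```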

RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

2009-10-06 Thread Dion Beauglehall
Hi,

I am now having issues with custom error pages,

I have the deny_info line for the accessdeny acl, but it isn't getting used (I 
assume because the access deny line finished with all). Eg:

deny_info ERR_ACCESS_DENIED_MISUSE accessdenied
http_access deny accessdenied all

I have tried removing the "all", but that puts me back into a re-challenge loop 
(which is why "all" was included).

I am hoping to have a list of denied messages which give instructions to the 
user on the steps required to fix the issue, depending on what reason they were 
denied for.  Is there any suggestions someone can offer, or is there relevant 
variables (eg. The acl which denied them) which can be passed to an external 
handler?  I'd rather do it with static ERR pages, but whatever works!

Regards,
Dion




-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Monday, 14 September 2009 12:20 PM
To: Dion Beauglehall
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

On Mon, 14 Sep 2009 12:12:27 +1000, "Dion Beauglehall"
 wrote:
> Hi Amos,
> 
> The changes you suggested worked perfectly.  Thankyou.  What I'm not
quite
> sure of is why.  I assume in this context, the "all" at the end of the
line
> is not acting as a user list, but a URL list or something else?

It's an IP-based test doing a very fast catch-all.  This changes the type
of ACL last seen at denial so Squid does not equate the deny with unusable
credentials and re-challenge.

Amos

> 
> Regards,
> Dion
> 
> 
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
> Sent: Thursday, 10 September 2009 11:30 AM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid/LDAP re-challenges browser on
http_access
> deny
> 
> On Thu, 10 Sep 2009 10:55:58 +1000, "Dion Beauglehall"
>  wrote:
>> Hi,
>> 
>> I’m configuring a squid proxy box with LDAP authentication, and ACLs
> based
>> on LDAP groups.  I have the LDAP authentication working, as are groups.
>> 
>> However, when I add a user to an “Access Denied” group, squid then
causes
>> the browser to bring up a authentication dialog box.  Most squid
installs
> I
>> have seen bring up a squid “Cache Access Denied” screen at this point.
>> This is what I would like it to do.
>> 
>> I am unsure if what I am experiencing is expected behaviour, or whether
I
>> have an error in my config file.
>> 
>> I am running Squid 2.7STABLE6 on a Windows 2008 server.  Relevant lines
>> from squid.conf are below.  Note that the LDAP works correctly, and so I
>> have not provided details.  What is not acting as I expected is the
>> behaviour of Squid when it hits the “http_access deny accessdenied”
line.
> 
>> This seems to be what re-challenges the browser.  
>> 
>> As we are a school, we need to ensure that both the user is a valid user
>> (from the initial challenge, which collects their machine login,
> invisible
>> to the user), and that they have not been denied for some reason (hence
> the
>> denied group).  The re-challenge will lead to students logging into
squid
>> with their friends account.  A Cache Access Denied screen is a much
> better
>> alternative.
> 
> Yes it was a config issue.
> Re-writing your ACLs slightly to follow that exact logic as described
above
> should solve your problem.
> 
>> 
>> Note that once I have this working, there will be other “denied” groups
> to
>> deny on, prior to allowing access.
>> 
>> Any suggestions or ideas are appreciated.
>> 
>> Regards,
>> Dion
>> 
>> 
>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ..
>> auth_param basic children 5
>> auth_param basic realm VSC
>> auth_param basic credentialsttl 5 minutes
>> 
>> external_acl_type ldapgroup &LOGIN ..
>> 
>> acl ldap-auth proxy_auth REQUIRED
>> 
>> acl accessdenied external ldapgroup InternetAccessDeny
>> acl accessallowed external ldapgroup InternetAccess
>> 
>> http_access deny accessdenied
> 
> Change the above line to:
> http_access deny accessdenied all
> 
> ... which will produce the "Access Denied" page instead of a challenge.
> 
> Any other denied groups need to go in here one to a line with "all" at
the
> end of each line.
> 
> 
> After all them add a new line:
> http_access deny !ldap-auth
> 
> ... which will cause Squid to challenge if no credentials are given yet.
> People who have given _any_ valid credentials will not be asked twice.
> This action was being done as side-effect of the accessdenied ACL test,
but
> with the new version it needs to be done separately.
> 
> 
>> http_access allow accessallowed
>> http_access deny all
> 
> 
> Amos
> 






RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

2009-10-04 Thread Amos Jeffries
On Mon, 5 Oct 2009 12:03:12 +1100, "Dion Beauglehall"
 wrote:
> Hi,
> 
> This has worked, but what I am now experiencing is that external sites that
> require (challenge-based?) authentication do not present the pop-up for the
> password (and hence log-in into the site fails, or falls into a loop).  Am
> I now in a catch-22 position, or is there a way around this too?
> 
> Regards,
> Dion

Website WWW-Auth has nothing to do with Proxy-Auth.

The new config will only be related to WWW-Auth if you are running a
reverse-proxy (aka accelerator). In which case you need login=PASS on the
cache_peer lines for the relevant backend servers.

Challenge based Auth for websites is an extension created by MS and does
not work reliably when there are proxies in the middle. The best you can do
for normal proxies is enable persistent connections for both servers and
clients and check that the connection-auth settings are still turned on
(default is on for Squid-2).

Amos

> 
> 
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
> Sent: Thursday, 10 September 2009 11:30 AM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid/LDAP re-challenges browser on
http_access
> deny
> 
> On Thu, 10 Sep 2009 10:55:58 +1000, "Dion Beauglehall"
>  wrote:
>> Hi,
>> 
>> I’m configuring a squid proxy box with LDAP authentication, and ACLs
> based
>> on LDAP groups.  I have the LDAP authentication working, as are groups.
>> 
>> However, when I add a user to an “Access Denied” group, squid then
causes
>> the browser to bring up a authentication dialog box.  Most squid
installs
> I
>> have seen bring up a squid “Cache Access Denied” screen at this point.
>> This is what I would like it to do.
>> 
>> I am unsure if what I am experiencing is expected behaviour, or whether
I
>> have an error in my config file.
>> 
>> I am running Squid 2.7STABLE6 on a Windows 2008 server.  Relevant lines
>> from squid.conf are below.  Note that the LDAP works correctly, and so I
>> have not provided details.  What is not acting as I expected is the
>> behaviour of Squid when it hits the “http_access deny accessdenied”
line.
> 
>> This seems to be what re-challenges the browser.  
>> 
>> As we are a school, we need to ensure that both the user is a valid user
>> (from the initial challenge, which collects their machine login,
> invisible
>> to the user), and that they have not been denied for some reason (hence
> the
>> denied group).  The re-challenge will lead to students logging into
squid
>> with their friends account.  A Cache Access Denied screen is a much
> better
>> alternative.
> 
> Yes it was a config issue.
> Re-writing your ACLs slightly to follow that exact logic as described
above
> should solve your problem.
> 
>> 
>> Note that once I have this working, there will be other “denied” groups
> to
>> deny on, prior to allowing access.
>> 
>> Any suggestions or ideas are appreciated.
>> 
>> Regards,
>> Dion
>> 
>> 
>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ..
>> auth_param basic children 5
>> auth_param basic realm VSC
>> auth_param basic credentialsttl 5 minutes
>> 
>> external_acl_type ldapgroup &LOGIN ..
>> 
>> acl ldap-auth proxy_auth REQUIRED
>> 
>> acl accessdenied external ldapgroup InternetAccessDeny
>> acl accessallowed external ldapgroup InternetAccess
>> 
>> http_access deny accessdenied
> 
> Change the above line to:
> http_access deny accessdenied all
> 
> ... which will produce the "Access Denied" page instead of a challenge.
> 
> Any other denied groups need to go in here one to a line with "all" at
the
> end of each line.
> 
> 
> After all them add a new line:
> http_access deny !ldap-auth
> 
> ... which will cause Squid to challenge if no credentials are given yet.
> People who have given _any_ valid credentials will not be asked twice.
> This action was being done as side-effect of the accessdenied ACL test,
but
> with the new version it needs to be done separately.
> 
> 
>> http_access allow accessallowed
>> http_access deny all
> 
> 
> Amos
> 


RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

2009-10-04 Thread Dion Beauglehall
Hi,

This has worked, but what I am now experiencing is that external sites that 
require (challenge-based?) authentication do not present the pop-up for the 
password (and hence log-in into the site fails, or falls into a loop).  Am I 
now in a catch-22 position, or is there a way around this too?

Regards,
Dion


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Thursday, 10 September 2009 11:30 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid/LDAP re-challenges browser on http_access deny

On Thu, 10 Sep 2009 10:55:58 +1000, "Dion Beauglehall"
 wrote:
> Hi,
> 
> I’m configuring a squid proxy box with LDAP authentication, and ACLs
based
> on LDAP groups.  I have the LDAP authentication working, as are groups.
> 
> However, when I add a user to an “Access Denied” group, squid then causes
> the browser to bring up a authentication dialog box.  Most squid installs
I
> have seen bring up a squid “Cache Access Denied” screen at this point. 
> This is what I would like it to do.
> 
> I am unsure if what I am experiencing is expected behaviour, or whether I
> have an error in my config file.
> 
> I am running Squid 2.7STABLE6 on a Windows 2008 server.  Relevant lines
> from squid.conf are below.  Note that the LDAP works correctly, and so I
> have not provided details.  What is not acting as I expected is the
> behaviour of Squid when it hits the “http_access deny accessdenied” line.

> This seems to be what re-challenges the browser.  
> 
> As we are a school, we need to ensure that both the user is a valid user
> (from the initial challenge, which collects their machine login,
invisible
> to the user), and that they have not been denied for some reason (hence
the
> denied group).  The re-challenge will lead to students logging into squid
> with their friends account.  A Cache Access Denied screen is a much
better
> alternative.

Yes it was a config issue.
Re-writing your ACLs slightly to follow that exact logic as described above
should solve your problem.

> 
> Note that once I have this working, there will be other “denied” groups
to
> deny on, prior to allowing access.
> 
> Any suggestions or ideas are appreciated.
> 
> Regards,
> Dion
> 
> 
> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ..
> auth_param basic children 5
> auth_param basic realm VSC
> auth_param basic credentialsttl 5 minutes
> 
> external_acl_type ldapgroup &LOGIN ..
> 
> acl ldap-auth proxy_auth REQUIRED
> 
> acl accessdenied external ldapgroup InternetAccessDeny
> acl accessallowed external ldapgroup InternetAccess
> 
> http_access deny accessdenied

Change the above line to:
http_access deny accessdenied all

... which will produce the "Access Denied" page instead of a challenge.

Any other denied groups need to go in here one to a line with "all" at the
end of each line.


After all of them add a new line:
http_access deny !ldap-auth

... which will cause Squid to challenge if no credentials are given yet.
People who have given _any_ valid credentials will not be asked twice.
This action was being done as side-effect of the accessdenied ACL test, but
with the new version it needs to be done separately.


> http_access allow accessallowed
> http_access deny all


Amos







RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

2009-09-13 Thread Amos Jeffries
On Mon, 14 Sep 2009 12:12:27 +1000, "Dion Beauglehall"
 wrote:
> Hi Amos,
> 
> The changes you suggested worked perfectly.  Thankyou.  What I'm not
quite
> sure of is why.  I assume in this context, the "all" at the end of the
line
> is not acting as a user list, but a URL list or something else?

It's an IP-based test doing a very fast catch-all.  This changes the type
of ACL last seen at denial so Squid does not equate the deny with unusable
credentials and re-challenge.

Amos

> 
> Regards,
> Dion
> 
> 


RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

2009-09-13 Thread Dion Beauglehall
Hi Amos,

The changes you suggested worked perfectly.  Thank you.  What I'm not quite sure 
of is why.  I assume in this context, the "all" at the end of the line is not 
acting as a user list, but a URL list or something else?

Regards,
Dion



Re: [squid-users] Squid/LDAP re-challenges browser on http_access deny

2009-09-09 Thread Amos Jeffries
On Thu, 10 Sep 2009 10:55:58 +1000, "Dion Beauglehall"
 wrote:
> Hi,
> 
> I’m configuring a squid proxy box with LDAP authentication, and ACLs based
> on LDAP groups.  I have the LDAP authentication working, as are groups.
> 
> However, when I add a user to an “Access Denied” group, squid then causes
> the browser to bring up an authentication dialog box.  Most squid installs I
> have seen bring up a squid “Cache Access Denied” screen at this point.
> This is what I would like it to do.
> 
> I am unsure if what I am experiencing is expected behaviour, or whether I
> have an error in my config file.
> 
> I am running Squid 2.7STABLE6 on a Windows 2008 server.  Relevant lines
> from squid.conf are below.  Note that the LDAP works correctly, and so I
> have not provided details.  What is not acting as I expected is the
> behaviour of Squid when it hits the “http_access deny accessdenied” line.
> This seems to be what re-challenges the browser.
> 
> As we are a school, we need to ensure that both the user is a valid user
> (from the initial challenge, which collects their machine login, invisible
> to the user), and that they have not been denied for some reason (hence the
> denied group).  The re-challenge will lead to students logging into squid
> with their friend's account.  A Cache Access Denied screen is a much better
> alternative.

Yes it was a config issue.
Re-writing your ACLs slightly to follow that exact logic as described above
should solve your problem.

> 
> Note that once I have this working, there will be other “denied” groups to
> deny on, prior to allowing access.
> 
> Any suggestions or ideas are appreciated.
> 
> Regards,
> Dion
> 
> 
> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ..
> auth_param basic children 5
> auth_param basic realm VSC
> auth_param basic credentialsttl 5 minutes
> 
> external_acl_type ldapgroup %LOGIN ..
> 
> acl ldap-auth proxy_auth REQUIRED
> 
> acl accessdenied external ldapgroup InternetAccessDeny
> acl accessallowed external ldapgroup InternetAccess
> 
> http_access deny accessdenied

Change the above line to:
http_access deny accessdenied all

... which will produce the "Access Denied" page instead of a challenge.

Any other denied groups need to go in here one to a line with "all" at the
end of each line.


After all of them add a new line:
http_access deny !ldap-auth

... which will cause Squid to challenge if no credentials are given yet.
People who have given _any_ valid credentials will not be asked twice.
This action was being done as a side-effect of the accessdenied ACL test, but
with the new version it needs to be done separately.


> http_access allow accessallowed
> http_access deny all


Amos
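
The rule in the reply above, that the last ACL on a matching deny line decides between a new login prompt and the denied page, can be checked mechanically. This is an added example, not code from the thread or from the Squid project; the two sample configs are constructed from the directives quoted above with helper arguments left out, and the 407/403 status codes assume a forward proxy.

```python
# Classify every "http_access deny" line by the type of its LAST ACL.
# Model (taken from the explanation in the thread): a deny whose last ACL
# depends on the login answers with a challenge (407); any other deny
# answers with the "Access Denied" page (403).

# Constructed sample: the configuration as first posted.
# "acl all" is written out so the sample is self-contained.
ORIGINAL = """\
external_acl_type ldapgroup %LOGIN c:/squid/libexec/squid_ldap_group.exe
acl all src 0.0.0.0/0.0.0.0
acl ldap-auth proxy_auth REQUIRED
acl accessdenied external ldapgroup InternetAccessDeny
acl accessallowed external ldapgroup InternetAccess
http_access deny accessdenied
http_access allow accessallowed
http_access deny all
"""

# Constructed sample: the same configuration with the suggested changes.
FIXED = ORIGINAL.replace(
    "http_access deny accessdenied\n",
    "http_access deny accessdenied all\nhttp_access deny !ldap-auth\n",
)

AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}


def parse(conf):
    """Return ({acl name: kind}, [(line, action, acl tokens)])."""
    login_helpers = set()  # external_acl_type names that are fed %LOGIN
    acl_kind = {}          # "login", "login-group" or "other"
    rules = []
    for raw in conf.splitlines():
        line = raw.strip()
        words = line.split()
        if len(words) < 3 or line.startswith("#"):
            continue
        if words[0] == "external_acl_type":
            if "%LOGIN" in words[2:]:
                login_helpers.add(words[1])
        elif words[0] == "acl":
            name, acl_type = words[1], words[2]
            if acl_type in AUTH_ACL_TYPES:
                acl_kind[name] = "login"
            elif (acl_type == "external" and len(words) > 3
                  and words[3] in login_helpers):
                acl_kind[name] = "login-group"
            else:
                acl_kind.setdefault(name, "other")
        elif words[0] == "http_access":
            rules.append((line, words[1], words[2:]))
    return acl_kind, rules


def deny_outcomes(conf):
    """List (deny line, status a matching request receives)."""
    acl_kind, rules = parse(conf)
    outcomes = []
    for line, action, acls in rules:
        if action != "deny":
            continue
        last = acls[-1].lstrip("!")
        if last not in acl_kind:
            raise ValueError(f"undefined ACL {last!r} in: {line}")
        outcomes.append((line, 403 if acl_kind[last] == "other" else 407))
    return outcomes


def rechallenge_risks(conf):
    """Deny lines that prompt a user who has already logged in.

    "deny !<proxy_auth acl>" is the one intended challenge line: it only
    matches requests that carry no valid credentials.
    """
    acl_kind, _ = parse(conf)
    risky = []
    for line, status in deny_outcomes(conf):
        last = line.split()[-1]
        intended = last.startswith("!") and acl_kind[last[1:]] == "login"
        if status == 407 and not intended:
            risky.append(line)
    return risky


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label)
        for line, status in deny_outcomes(conf):
            print(f"  {status}  {line}")
        print("  re-challenge risks:", rechallenge_risks(conf) or "none")
```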


Re: [squid-users] Squid ldap failover

2009-08-21 Thread Jorge Armando Medina
Henrik Nordstrom wrote:
> Tue 2009-08-18 at 15:51 -0400, mic...@casa.co.cu wrote:
>   
>> Hello
>>
>> Using squid "2.6.STABLE21 Version".
>>
>> I authenticate my users against active directory of windows. need to  
>> add another server to possible technical failures, if no response from  
>> the primary controller, then to consult a secondary.
>>
>> is it possible?
>> 
I use something like this:

auth_param basic program /usr/lib/squid/ldap_auth
  -b "ou=Users,dc=mydomain,dc=com"
  -D 'cn=binddn,dc=mydomain,dc=com' -w 'pass'
  -v 3
  -H ldap://ldap1.mydomain.com ldap://ldap2.mydomain.com

Hope it helps.
>
> Yes, just list more than one server to squid_ldap_auth
>
> Regards
> Henrik
>
>   


-- 
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmed...@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6  D3AF C574 8422 28E4 0632






Re: [squid-users] Squid ldap failover

2009-08-18 Thread Henrik Nordstrom
Tue 2009-08-18 at 15:51 -0400, mic...@casa.co.cu wrote:
> Hello
> 
> Using squid "2.6.STABLE21 Version".
> 
> I authenticate my users against active directory of windows. need to  
> add another server to possible technical failures, if no response from  
> the primary controller, then to consult a secondary.
> 
> is it possible?

Yes, just list more than one server to squid_ldap_auth

Regards
Henrik



Re: [squid-users] squid ldap helpers crashing

2008-08-08 Thread Amos Jeffries

[EMAIL PROTECTED] wrote:

> Dear Squid-Users,
>
> I would like just to ask a bit of help regarding squid_ldap_group.
> I tried with success the helper from commandline about a match between
> a user and a group and everything works perfectly.
> Now, using the same set in squid.conf, it shows me in the log that the
> helpers are crashing too quick.
>
> My questions are:
> 1) I need absolutely to authenticate first with squid_ldap_auth or I
> could leave the ntlm_auth at the beginning and use only
> squid_ldap_group to check the membership in a ldap group?

auth_param are checked in order. First match if any is used. Only first
match!

Order them to suit your preference.

> 2) at the definition of the external acl i set "%LOGIN", but to
> squid_ldap_group what squid pass?

Same as for normal request needing auth.

> 3) Why in the squid logs for each squid_ldap_group opened show me the
> list with the options?

Not sure myself on this one. You fail to say which log.

> and why it shows me that the -F and -B options are required if from
> commandline works perfectly and are not requested?

Maybe old help info. There is a lot of that in squid.

> I attach here the part with my configuration and (following) the logs:
>
> squid.conf
>
> #about squid_ldap_group
> external_acl_type squid_ldap children=20 %LOGIN c:/squid/libexec/squid_ldap_group.exe -R -v "3" -s "sub" -b "dc=k, dc=org" -f "(&(objectClass=person)(sAMAccountName=%v)(memberOf=cn=%a,ou=Gruppen,ou=User F\\+E,dc=xx,dc=k,dc=org))"  -d -D "squidadmin" -w "x" -S -K -h "kxdcrt02.k.org" -p "3268"
>
> then the right acl with the group and the setting of the access for those.
> From commandline it returns me an OK but in the running of squid the
> helpers crash (I already tried to push up the number of children but
> doesn't help!)
>
> I tried then to make the first authentication with squid_ldap_auth.
>
> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe -R -v "3" -s "sub" -b "dc=k, dc=org" -f "sAMAccountName=%s" -d -D "squidadmin" -w "xx" -h "kxdcrt02.k.org" -p "3268"
>
> but when the login box appears and I give my credential or other, simply
> it remains charging the page and after a while give me back the loginbox
> without show me the webpage.

> Here I put also the logs:
>
> squid_ldap_group version 2.17
>
> Usage: squid_ldap_group -b basedn -f filter [options] ldap_server_name
>
>     -b basedn (REQUIRED)    base dn under where to search for groups
>     -f filter (REQUIRED)    group search filter pattern. %v = user,
>                             %a = group
>     -B basedn (REQUIRED)    base dn under where to search for users
>     -F filter (REQUIRED)    user search filter pattern. %s = login
>     -s base|one|sub         search scope
>     -D binddn               DN to bind as to perform searches
>     -w bindpasswd           password for binddn
>     -W secretfile           read password for binddn from file secretfile
>     -h server               LDAP server (defaults to localhost)
>     -p port                 LDAP server port (defaults to 389)
>     -P                      persistent LDAP connection
>     -c timeout              connect timeout
>     -t timelimit            search time limit
>     -R                      do not follow referrals
>     -a never|always|search|find
>                             when to dereference aliases
>     -v 2|3                  LDAP version
>     -Z                      TLS encrypt the LDAP connection, requires
>                             LDAP version 3
>     -g                      first query parameter is base DN extension
>                             for this query
>     -S                      Strip NT domain from usernames
>     -K                      Strip Kerberos realm from usernames
>
>     If you need to bind as a user to perform searches then use the
>     -D binddn -w bindpasswd or -D binddn -W secretfile options
>
> 2008/08/07 15:38:01| logfileOpen: opening log c:/squid/var/logs/access.log
> 2008/08/07 15:38:01| Unlinkd pipe opened on FD 308
> 2008/08/07 15:38:01| Swap maxSize 102400 KB, estimated 7876 objects
> 2008/08/07 15:38:01| Target number of buckets: 393
> 2008/08/07 15:38:01| Using 8192 Store buckets
> 2008/08/07 15:38:01| Max Mem  size: 8192 KB
> 2008/08/07 15:38:01| Max Swap size: 102400 KB
> 2008/08/07 15:38:01| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
> 2008/08/07 15:38:01| logfileOpen: opening log c:/squid/var/logs/store.log
> 2008/08/07 15:38:01| Rebuilding storage in c:/squid/var/cache (CLEAN)
> 2008/08/07 15:38:01| Using Least Load store dir selection
> 2008/08/07 15:38:01| Set Current Directory to c:/squid/var/cache
> 2008/08/07 15:38:01| Loaded Icons.
> 2008/08/07 15:38:01| Accepting accelerated HTTP connections at 172.16.30.18, port 8080, FD 314.
> 2008/08/07 15:38:01| Accepting HTCP messages on port 4827, FD 315.
> 2008/08/07 15:38:01| Accepting SNMP messages on port 3401, FD 316.
> 2008/08/07 15:38:01| Configuring Parent 172.16.30.16/8123/0
> 2008/08/07 15:38:01| Ready to serve requests.
> 2008/08/07 15:38:01| Done reading c:/squid/var/cache swaplo

Re: [squid-users] Squid LDAP Group

2008-07-17 Thread Henrik Nordstrom
On Wed, 2008-07-16 at 18:31 -0700, Zack Duchene wrote:
> I am having a very hard time getting the group external_acl to work with
> my active directory.
>  
> Here is the command that I am using:
>  
> external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=ADVANTAGE,dc=com" -D "cn=admin1,cn=USERS,dc=ADVANTAGE,dc=com" -w "**" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=Users,dc=ADVANTAGE,dc=com))" -h 192.168.1.13

Are you sure the groups is in the Users container?

Usually one uses squid_ldap_group slightly differently, with -F for
looking up the user and then -f to see if that user is listed as a
member in the group object, but both ways work for dual-indexed
directories such as MSAD (where the user object also lists group
memberships).

Regards
Henrik



Re: [squid-users] Squid LDAP Authentication Problems

2007-10-29 Thread Jemburula

Not sure if this is the right info you want:

I am authenticating with a Win2003 AD server. squid_proxy_ldap was installed
on the system when I installed, didn't exactly do any configuration for it I
believe. The OS is Redhat Enterprise Linux 5.

I'm not sure what you meant by change the schema?

Thanks for the reply, hope it's the right info.


Mauricio Silveira wrote:
> 
> 
> Just curious: How did you setup ldap? What distro?
> 
> Are you authenticating with a Win2* AD server? Did you change the schema?
> 
> 




Re: [squid-users] Squid LDAP Authentication Problems

2007-10-29 Thread Mauricio Silveira

Hi,


Just curious: How did you setup ldap? What distro?

Are you authenticating with a Win2* AD server? Did you change the schema?

- Mauricio

Jemburula wrote:

Hi everyone :-),

I'm having some problems configuring Squid to authenticate with LDAP. I
first of all started by testing these commands in the command line:

/usr/lib64/squid/squid_ldap_auth -b "dc=example,dc=com,dc=au" -D
"cn=Administrator,cn=Users,dc=example,dc=com,dc=au" -w "mypassword" -f
sAMAccountName=%s -h 192.168.10.254
  

myaccountname mypassword



/usr/lib64/squid/squid_ldap_group -b "dc=example,dc=com,dc=au" -D
"cn=Administrator,cn=Users,dc=example,dc=com,dc=au" -w "mypassword" -f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=Users,dc=example,dc=com,dc=au))"
-h 192.168.10.254
  

myaccountname InternetAllowGroup






Re: [squid-users] squid+ldap

2007-06-18 Thread pauloric
On Sun, 2007-06-17 at 14:16 +0200, Henrik Nordstrom wrote:
> Fri 2007-06-15 at 09:56 -0300, pauloric wrote:
> 
> > c) from squid.conf:
> > auth_param basic program /usr/lib/squid/ldap_auth -b
> > "dc=xxx,dc=com,dc=br" -f "uid=%s"  -h 130.0.150.2
> > auth_param basic children 10
> > auth_param basic
> > program /usr/lib/squid/ncsa_auth /etc/admwebuser/squidusers.passwd
> > auth_param basic children 10
> 
> You can only have one set of auth_param basic settings. The second
> overwrites the first.

humm ok thanks Henrik  I'll insert everyone at ldap and comment the
second auth_param.


best regards
> 
> Regards
> Henrik
-- 
Paulo Ricardo Bruck - consultor
Contato Global Solutions
tels 011 5031-4932 5034-1732 9235-4327(cel)
http://www.contato.com.br




Re: [squid-users] squid+ldap

2007-06-17 Thread Henrik Nordstrom
Fri 2007-06-15 at 09:56 -0300, pauloric wrote:

> c) from squid.conf:
> auth_param basic program /usr/lib/squid/ldap_auth -b
> "dc=xxx,dc=com,dc=br" -f "uid=%s"  -h 130.0.150.2
> auth_param basic children 10
> auth_param basic
> program /usr/lib/squid/ncsa_auth /etc/admwebuser/squidusers.passwd
> auth_param basic children 10

You can only have one set of auth_param basic settings. The second
overwrites the first.

Regards
Henrik
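
The override described in this reply can be detected before Squid is restarted. This is an added example, not code from the thread or from the Squid project; the sample is the quoted configuration with its mail line wraps joined, and the function names are hypothetical.

```python
# Report which auth_param settings are silently replaced by a later line
# for the same scheme, and which helper ends up verifying passwords.

# Constructed sample: the settings quoted in the message above, unwrapped.
SAMPLE = """\
auth_param basic program /usr/lib/squid/ldap_auth -b "dc=xxx,dc=com,dc=br" -f "uid=%s" -h 130.0.150.2
auth_param basic children 10
auth_param basic program /usr/lib/squid/ncsa_auth /etc/admwebuser/squidusers.passwd
auth_param basic children 10
"""


def effective_auth_params(conf):
    """Return (effective, overridden).

    effective  maps (scheme, parameter) to the value that wins (last one).
    overridden lists (line_no, scheme, parameter, value) for earlier lines
    whose value was replaced by a different one further down.
    """
    effective, seen_at, overridden = {}, {}, []
    for no, raw in enumerate(conf.splitlines(), 1):
        words = raw.strip().split(None, 3)
        if len(words) < 4 or words[0] != "auth_param":
            continue
        slot = (words[1].lower(), words[2])
        value = words[3].strip()
        if slot in effective and effective[slot] != value:
            overridden.append((seen_at[slot], slot[0], slot[1], effective[slot]))
        effective[slot] = value
        seen_at[slot] = no
    return effective, overridden


def active_helper(conf, scheme):
    """File name of the helper program that is actually used for a scheme."""
    effective, _ = effective_auth_params(conf)
    program = effective.get((scheme.lower(), "program"))
    if program is None:
        return None
    return program.split()[0].replace("\\", "/").rsplit("/", 1)[-1]


if __name__ == "__main__":
    _, dead = effective_auth_params(SAMPLE)
    for line_no, scheme, param, value in dead:
        print(f"line {line_no}: auth_param {scheme} {param} is overridden: {value}")
    print("helper in use for basic:", active_helper(SAMPLE, "basic"))
```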




Re: [squid-users] squid+ldap

2007-06-15 Thread Dieter Bloms
Hi,

On Fri, Jun 15, pauloric wrote:

> a) squid:~# /usr/lib/squid/ldap_auth -b  "dc=xxx,dc=com,dc=br"  -f "uid=%s"  -h 130.0.150.2
> pauloric pauloric
> OK

that's good.

> squid# tail -f /var/log/squid/access.log| grep 130.0.150.2
> 1181911584.377  8 130.0.150.2 TCP_DENIED/407 1832 GET http://www.terra.com.br/ - NONE/- text/html
> 1181911865.372 22 130.0.150.2 TCP_DENIED/407 1832 GET http://www.terra.com.br/ pauloric NONE/- text/html

for me it looks like your browser doesn't send any authentication
information.
Please make a dump of your network traffic (tcpdump) and look for a line
like "Proxy-Authorization: x".


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.




Re: [squid-users] SQUID + LDAP (on Red Hat AS3)

2007-04-11 Thread Chris Robertson

Lucas Beber wrote:
> Hello to all
> I have a task that at first sight it seemed simple and it is the one of
> installing SQUID with users' of LDAP validation in Microsoft Windows 2003
> Server Directory Activates.
> I have already looked for for all sides and I don't find a correct
> information to be able to configure it.
>
> In the server AD I have (like I said before) Windows 2003 Server
> In the server to install, I have RedHat Linux AS3 Update 7.
>
> I'm would need they informed me that packages have to install and that
> information should read so that the users of different groups (OU) of the
> one Directory Activates they can consent to Internet giving him accesses for
> groups (LDAP_GROUP_AUTH)
>
> From already thank you
>
>    [ Lucas Beber ]


See the Wiki 
(http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM) 
for using Active Directory for authentication.  Use the external helper 
"ldap_group" to limit access based on group membership.  Documentation 
for it is included in the source 
($source/squid/helpers/external_acl/ldap_group/).


Chris


[squid-users] Antwort: RE: [squid-users] Antwort: RE: [squid-users] Squid LDAP Group authentication

2006-09-06 Thread Saqib Khan \(horiba/eu\)



yes,

auth_param basic program /usr/lib/squid_ldap_auth -R -b "dc=test,dc=eu" -D
"cn=test1,cn=Users,dc=test,dc=eu" -w "test" -f sAMAccountName=%s -h
xxx.xxx.xxx.xx

Also the users & the group are under the cn User.

Best Regards,

Saqib Sultan Khan
Network Administrator
Horiba Europe GmbH
Hans-Mess-str. 6
61440 Oberursel

Tel: +49 6172-1396-125
Fax: +49 6172-137385
[EMAIL PROTECTED]

RE: [squid-users] Antwort: RE: [squid-users] Squid LDAP Group authentication

2006-09-06 Thread Janco van der Merwe
Did you edit the auth_param section to use the squid_ldap_group? If you did 
send me a copy of your conf file and I will compare it to mine and make the 
necessary adjustments.

Also one thing that I noticed when I did it is that the user group should be 
under the User cn and not under any OU, for some or other reason it did not 
accept the OU's also make sure to specify the correct AD group and that all the 
variables are correct.

Janco v.d Merwe
Network Administrator
Dunns Stores (PTY) Ltd
Switchboard: 011 541 3000
Direct: 011 541 3007
Fax: 086 632 1708

[squid-users] Antwort: RE: [squid-users] Squid LDAP Group authentication

2006-09-06 Thread Saqib Khan \(horiba/eu\)



No still the same. I still can use any user to access internet. Here is my
conf according to your suggestion:-

external_acl_type Internet %LOGIN /usr/lib/squid_ldap_group -R -b
"dc=test,dc=eu" -D "cn=test,cn=Users,dc=test,dc=eu" -w "test" -f "
(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Testgroup,
,OU=Testgroup,OU=Users,dc=test,dc=eu))" -h xxx.xxx.xxx.xxx

acl ldap proxy_auth REQUIRED

acl Localnet external Internet Testgroup

http_access allow ldap Localnet Safe_ports

Best Regards,

Saqib

RE: [squid-users] Squid LDAP Group authentication

2006-09-06 Thread Janco van der Merwe
Under “TAG: auth_param” section enter the following

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b 
"dc=dunns,dc=co,dc=za" -D "cn=ldapreader,cn=users,dc=mydomain,dc=com" -w 
"ldappassword" -f sAMAccountName=%s -h xxx.xxx.xxx.xxx

Under “TAG: external_acl_type” section enter the following

external_acl_type internetusergroup %LOGIN /usr/lib/squid/squid_ldap_group -R 
-b "dc=mydomain,dc=com" -D "cn=ldapreader,cn=Users,dc=mydomain,dc=com" -w 
"ldappassword" -f 
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=internetusers, ,OU=xxx 
Groups,OU=xxx,dc=mydomain,dc=com))" -h xxx.xxx.xxx.xxx



acl ldappassword proxy_auth REQUIRED
acl internetgroup external internetusergroup internetusers

http_access allow ldappassword internetgroup Safe_ports

This works


Janco v.d Merwe
Network Administrator
Dunns Stores (PTY) Ltd
Switchboard: 011 541 3000
Direct: 011 541 3007
Fax: 086 632 1708

-Original Message-
From: Saqib Khan (horiba/eu) [mailto:[EMAIL PROTECTED]
Sent: 06 September, 2006 13:47
To: squid-users@squid-cache.org
Subject: [squid-users] Squid LDAP Group authentication



Dear all,

I am having some configuration problems with squid_ldap_group
authentication. I created a Testgroup namely "Testgroup" in AD containing a
test user. But If i use a user which is not a member of that group, i still
can access the internet. Here is my squid configuration:-

Tag:external_ACL
external_acl_type Internet %LOGIN /usr/lib/squid_ldap_group -R -b
"dc=test,dc=com" -D "cn=test,cn=Users,dc=horiba,dc=eu" -w "test1" -f "
(&(objectclass=person)(sAMAccountName=%v)(memberof=cn
=%a,cn=Testgroup,cn=Users,dc=test,dc=com))" -h xxx.xxx.xxx.xxx

Tag:ACL

acl Localnet external Internet Testgroup

Tag:http_access
http_access allow Localnet

Best Regards,

Saqib









RE: [squid-users] Squid LDAP authentication with 2003 AD

2006-09-05 Thread Henrik Nordstrom
Tue 2006-09-05 at 08:34 -0300, Alejandro Decchi wrote:
> Sorry Henrik to be very newbie what is TLS ??

Encryption. Formerly known as SSL.

Regards
Henrik




RE: [squid-users] Squid LDAP authentication with 2003 AD

2006-09-05 Thread Alejandro Decchi
Sorry Henrik to be very newbie what is TLS ??

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Monday, 04 September 2006 17:56
To: Alejandro Decchi
CC: 'Saqib Khan (horiba/eu)'; squid-users@squid-cache.org
Subject: RE: [squid-users] Squid LDAP authentication with 2003 AD

Mon 2006-09-04 at 08:18 -0300, Alejandro Decchi wrote:
> Did you follow this step by step? Because I did that but I could not make
> that user authenticate by Active Directory. The page says that we do not
> need Samba. The only packages that we need are Squid and LDAP. I installed
> OpenLDAP and the Berkeley DB because the Berkeley is needed to install
> OpenLDAP. When I finished installing it all I did what the page explains
> step by step, but it did not work

You may need to use TLS depending on the settings of your AD security
level.

Regards
Henrik



RE: [squid-users] Squid LDAP authentication with 2003 AD

2006-09-04 Thread Henrik Nordstrom
Mon 2006-09-04 at 08:18 -0300, Alejandro Decchi wrote:
> Did you follow this step by step? Because I did that but I could not make
> that user authenticate by Active Directory. The page says that we do not
> need Samba. The only packages that we need are Squid and LDAP. I installed
> OpenLDAP and the Berkeley DB because the Berkeley is needed to install
> OpenLDAP. When I finished installing it all I did what the page explains
> step by step, but it did not work

You may need to use TLS depending on the settings of your AD security
level.

Regards
Henrik




[squid-users] Antwort: RE: [squid-users] Squid LDAP authentication with 2003 AD

2006-09-04 Thread Saqib Khan (horiba/eu)



Please use this command to check if you can read the active directory:

ldapsearch -b "dc=mydomain,dc=eu" -D
"cn=testuser,cn=Users,dc=mydomain,dc=eu" -w "testuserpassword"
"sAMAccountName=Testgroup" -h ADServerIP  -x

It must show you the structure of your AD tree.

Best Regards,

Saqib
From: "Alejandro Decchi" <[EMAIL PROTECTED]>
Date: 04.09.2006 01:18
To: "'Saqib Khan (horiba/eu)'" <[EMAIL PROTECTED]>
Subject: RE: [squid-users] Squid LDAP authentication with 2003 AD






Did you follow this step by step? Because I did that but I could not make
that user authenticate by Active Directory. The page says that we do not
need Samba. The only packages that we need are Squid and LDAP. I installed
OpenLDAP and the Berkeley DB because the Berkeley is needed to install
OpenLDAP. When I finished installing it all I did what the page explains
step by step, but it did not work

I hope if you could do this authentication can give a hand.

Thz

Alejandro Decchi


-Original Message-
From: Saqib Khan (horiba/eu) [mailto:[EMAIL PROTECTED]
Sent: Monday, 04 September 2006 05:08
To: Alejandro Decchi
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid LDAP authentication with 2003 AD




Hi,

Please follow the instructions stated in the link below. It's a very easy &
clear documentation.

http://kb.papercutsoftware.com/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory


Best Regards,

Saqib
From: "Alejandro Decchi" <[EMAIL PROTECTED]>
Date: 01.09.2006 04:43
To: "Saqib Khan (horiba/eu)"
Subject: Re: [squid-users] Squid LDAP authentication with 2003 AD






Hi! My squid friend. Can you explain to me how you did to install everything?
A long time ago I tried but I could not make this method of authentication.
Can you give me a hand and explain to me step by step how this you all I read
a lot of articles how to instal

RE: [squid-users] Squid LDAP authentication with 2003 AD

2006-09-04 Thread Alejandro Decchi
Did you follow this step by step? Because I did that but I could not make
that user authenticate by Active Directory. The page says that we do not
need Samba. The only packages that we need are Squid and LDAP. I installed
OpenLDAP and the Berkeley DB because the Berkeley is needed to install
OpenLDAP. When I finished installing it all I did what the page explains
step by step, but it did not work

I hope if you could do this authentication can give a hand.

Thz

Alejandro Decchi


-Original Message-
From: Saqib Khan (horiba/eu) [mailto:[EMAIL PROTECTED]
Sent: Monday, 04 September 2006 05:08
To: Alejandro Decchi
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid LDAP authentication with 2003 AD




Hi,

Please follow the instructions stated in the link below. It's a very easy &
clear documentation.

http://kb.papercutsoftware.com/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory


Best Regards,

Saqib
From: "Alejandro Decchi" <[EMAIL PROTECTED]>
Date: 01.09.2006 04:43
To: "Saqib Khan (horiba/eu)"
Subject: Re: [squid-users] Squid LDAP authentication with 2003 AD






Hi! My squid friend. Can you explain to me how you did to install everything?
A long time ago I tried but I could not make this method of authentication.
Can you give me a hand and explain to me step by step how this you all I read
a lot of articles how to install ldap and squid with active directory but I
could not
Thz
- Original Message -
From: "Saqib Khan (horiba/eu)" <[EMAIL PROTECTED]>
To: 
Sent: Friday, September 01, 2006 10:07 AM
Subject: [squid-users] Squid LDAP authentication with 2003 AD




Hello List members,

I am getting problem after authenticating a user over ldap. After getting
authenticated I get the following error message:

ERROR
The requested URL could not be retrieved


While trying to retrieve the URL: http://www.google.de/

The following error was encountered:

Access Denied.

Access control configuration prevents your request from being allowed at
this time. Please contact your service provider if you feel this is
incorrect.

I am sure that it is authenticating the user as if I use a username which
is not a member of the group which is meant to be use for internet access,
i get the authentication window again & again. I also checked it by using a
LDAP browser & i was able to browse the Active Directory. I am using SuSE
9.1 and squid 2.5 stable.

Any Ideas?


Best Regards,

Saqib







[squid-users] Antwort: Re: [squid-users] Squid LDAP authentication with 2003 AD

2006-09-04 Thread Saqib Khan (horiba/eu)



Hi,
Thanks for the tip. I had to define an additional acl and then it worked.
Now the problem is that I would like to allow only members of a specific
group to access internet. For this I have the following line in my config
file.

external_acl_type Internet %LOGIN /usr/lib/squid_ldap_group -R -b
"dc=domain,dc=eu" -D "cn=test1,cn=Users,dc=domain,dc=eu" -w "test1" -f "
(&(objectclass=person)(sAMAccountName=%v)(memberof=cn
=%a,ou=Users,dc=domain,dc=eu))" -h MyIPAddress

Under TAG:ACL
acl localnet proxy_auth REQUIRED src xxx.xxx.xxx.xxx/24
acl InetAccess external Internet Testgroup

Tag:http_access
http_access allow InetAccess

This is what I additionally set up, after which the internet was working
http_access allow localnet

I even defined a denygroup and added a test user but i still can access to
internet by using that user. I think somehow the syntax of group
authentication is not complete.

Best Regards,

Saqib
From: Henrik Nordstrom <[EMAIL PROTECTED]>
Date: 01.09.2006 16:48
To: "Saqib Khan (horiba/eu)" <[EMAIL PROTECTED]>
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid LDAP authentication with 2003 AD






On Fri, 2006-09-01 at 15:07 +0200, Saqib Khan (horiba/eu) wrote:
>
> Hello List members,
>
> I am getting problem after authenticating a user over ldap. After getting
> authenticated I get the following error message:
>
> ERROR
> The requested URL could not be retrieved
>
>
> While trying to retrieve the URL: http://www.google.de/
>
> The following error was encountered:
>
>    Access Denied.

Which says that the request was denied by your http_access directives (or
maybe http_reply_access or miss_access).

The authentication as such most likely worked fine.

Regards
Henrik
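
Added example (not from the thread and not Squid's own code): a small Python model of how Squid evaluates `http_access`, top to bottom with the first fully matching line deciding, applied to the two rules in the message above and to the combined rule `http_access allow ldappassword internetgroup Safe_ports` posted elsewhere in this thread. The per-request ACL results are assumed inputs, including the assumption that `localnet` matches any authenticated user.

```python
# Rule sets copied from the thread; the comments are added for this example.
TWO_RULES_CONF = """\
http_access allow InetAccess      # external group ACL
http_access allow localnet        # assumed: true for any authenticated user
"""

COMBINED_CONF = """\
http_access allow ldappassword internetgroup Safe_ports
"""


def parse_http_access(conf_text):
    """Return [(action, [acl, ...]), ...] for every http_access line."""
    rules = []
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "http_access" and words[1] in ("allow", "deny"):
            rules.append((words[1], words[2:]))
    return rules


def _acl_true(name, acl_matches):
    """Look up one ACL result; a leading '!' negates it, as in squid.conf."""
    if name.startswith("!"):
        return not acl_matches[name[1:]]
    return acl_matches[name]


def decide(rules, acl_matches):
    """Return (action, rule_number); rule_number is None when no line matched.

    All ACLs on one line must match (logical AND). The first matching line
    decides. If no line matches, the result is the opposite of the last
    line's action; with no lines at all the request is denied.
    """
    for number, (action, acls) in enumerate(rules, start=1):
        if all(_acl_true(name, acl_matches) for name in acls):
            return action, number
    if not rules:
        return "deny", None
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    two_rules = parse_http_access(TWO_RULES_CONF)
    combined = parse_http_access(COMBINED_CONF)

    # Constructed request: authenticated user who is NOT in the group.
    outsider = {"InetAccess": False, "localnet": True}
    print("two rules, non-member:", decide(two_rules, outsider))

    outsider_combined = {"ldappassword": True, "internetgroup": False, "Safe_ports": True}
    print("combined rule, non-member:", decide(combined, outsider_combined))

    member_combined = dict(outsider_combined, internetgroup=True)
    print("combined rule, member:", decide(combined, member_combined))
```

With the two separate `allow` lines the non-member falls through the group rule and is admitted by the second line; with all conditions on one line the same user matches nothing and is denied.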






Re: [squid-users] Squid LDAP authentication with 2003 AD

2006-09-04 Thread Saqib Khan (horiba/eu)



Hi,

Please follow the instructions stated in the link below. It's a very easy &
clear documentation.

http://kb.papercutsoftware.com/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory


Best Regards,

Saqib
From: "Alejandro Decchi" <[EMAIL PROTECTED]>
Date: 01.09.2006 04:43
To: "Saqib Khan (horiba/eu)"
Subject: Re: [squid-users] Squid LDAP authentication with 2003 AD






Hi! My squid friend. Can you explain to me how you did to install everything?
A long time ago I tried but I could not make this method of authentication.
Can you give me a hand and explain to me step by step how this you all I read
a lot of articles how to install ldap and squid with active directory but I
could not
Thz
- Original Message -
From: "Saqib Khan (horiba/eu)" <[EMAIL PROTECTED]>
To: 
Sent: Friday, September 01, 2006 10:07 AM
Subject: [squid-users] Squid LDAP authentication with 2003 AD




Hello List members,

I am getting problem after authenticating a user over ldap. After getting
authenticated I get the following error message:

ERROR
The requested URL could not be retrieved


While trying to retrieve the URL: http://www.google.de/

The following error was encountered:

Access Denied.

Access control configuration prevents your request from being allowed at
this time. Please contact your service provider if you feel this is
incorrect.

I am sure that it is authenticating the user as if I use a username which
is not a member of the group which is meant to be use for internet access,
i get the authentication window again & again. I also checked it by using a
LDAP browser & i was able to browse the Active Directory. I am using SuSE
9.1 and squid 2.5 stable.

Any Ideas?


Best Regards,

Saqib







Re: [squid-users] Squid LDAP authentication with 2003 AD

2006-09-01 Thread Henrik Nordstrom
On Fri, 2006-09-01 at 15:07 +0200, Saqib Khan (horiba/eu) wrote:
> 
> Hello List members,
> 
> I am getting problem after authenticating a user over ldap. After getting
> authenticated I get the following error message:
> 
> ERROR
> The requested URL could not be retrieved
> 
> 
> While trying to retrieve the URL: http://www.google.de/
> 
> The following error was encountered:
> 
>Access Denied.

Which says that the request was denied by your http_access directives (or
maybe http_reply_access or miss_access).

The authentication as such most likely worked fine.

Regards
Henrik



Re: [squid-users] Squid LDAP authentication with 2003 AD

2006-09-01 Thread Alejandro Decchi
Hi! My squid friend. Can you explain to me how you did to install everything?
A long time ago I tried but I could not make this method of authentication.
Can you give me a hand and explain to me step by step how this you all I read
a lot of articles how to install ldap and squid with active directory but I
could not

Thz
- Original Message - 
From: "Saqib Khan (horiba/eu)" <[EMAIL PROTECTED]>
To: 
Sent: Friday, September 01, 2006 10:07 AM
Subject: [squid-users] Squid LDAP authentication with 2003 AD




Hello List members,

I am getting problem after authenticating a user over ldap. After getting
authenticated I get the following error message:

ERROR
The requested URL could not be retrieved


While trying to retrieve the URL: http://www.google.de/

The following error was encountered:

   Access Denied.

Access control configuration prevents your request from being allowed at
this time. Please contact your service provider if you feel this is
incorrect.

I am sure that it is authenticating the user as if I use a username which
is not a member of the group which is meant to be use for internet access,
i get the authentication window again & again. I also checked it by using a
LDAP browser & i was able to browse the Active Directory. I am using SuSE
9.1 and squid 2.5 stable.

Any Ideas?


Best Regards,

Saqib




RE: [squid-users] Squid Ldap

2006-03-18 Thread Nick Duda

I use winbind with samba and use the directive default_domain=xxx to remove the 
domain from the users.

-Original Message- 
From: Olsson Mattias [mailto:[EMAIL PROTECTED] 
Sent: Sat 3/18/2006 8:22 AM 
To: squid-users@squid-cache.org 
Cc: 
Subject: [squid-users] Squid Ldap




Hi!

I would like to use LDAP to auth proxy users (win 2003).  It's working
great except that I have to log in every time.
I have seen that the NT domain name could be removed with option -S. But
I can't get that to work. Please have a look and correct me:)

external_acl_type InetGroup %LOGIN /usr/sbin/squid_ldap_group -R -b
"ou=Users Accounts,dc=domain,dc=local" -D
"cn=Administrator,cn=Users,dc=domain,dc=local" -w "password" -f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Global,ou=S
ecurity groups,dc=domain,dc=local))" -S  -h ldap_server_ip

My client machines are inte same domain. Loggin in with my user named
works but IE appears to send domain\username by default...

Mvh / Kind regards
Mattias Olsson

Siemens Business Services AB
SE-171 95 Solna

Sweden
P: +46 8 730 6573 M:+46 70 629 1071
***






Re: [squid-users] Squid + Ldap

2006-03-17 Thread Henrik Nordstrom
Fri 2006-03-17 at 15:11 -0400, Michael Fernández M. wrote:

> but it does not take the value of "proxyallow" if i set the value to
> FALSE, so the user enter his mail and pass, but this is allow to
> navigate even with FALSE in proxyallow

Can not really happen with the filter you gave.

What can happen is if the user has two proxyallow attributes. The filter
will then match if either of the two says he should be allowed.

There is also a cache of valid accounts, where Squid remembers that a
given username+password combination is valid for a while after a
successful validation without querying the helper again. See the ttl
arguments to auth_param basic.

Regards
Henrik




RE: [squid-users] Squid - Ldap

2006-02-19 Thread Chris Robertson
> -Original Message-
> From: Franco, Battista [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 16, 2006 11:19 PM
> To: Chris Robertson; squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid - Ldap
> 
> 
> I tried "setenforce 0" and now it's OK. :o
> But another question: everytime I restart server should i 
> need repeat "setenforce 0"?
> 

You have three options as I see it:

1) Figure out how to give Squid permission to run squid_ldap_auth within the 
SELINUX environment 
(http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#faq-div-resolving-problems)

2) Disable SELINUX just for Squid 
(http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-securitylevel)

3) Disable SELINUX permanently system-wide 
(http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2825880)

Chris


Re: [squid-users] Squid - Ldap

2006-02-19 Thread Franco, Battista
I tried "setenforce 0" and now it's OK. :o
But another question: everytime I restart server should i need repeat 
"setenforce 0"?


-Original Message-
From: Chris Robertson [mailto:[EMAIL PROTECTED]
Sent: Thursday, 16 February 2006 19.15
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid - Ldap

> -Original Message-
> From: Franco, Battista [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 16, 2006 7:34 AM
> To: squid-users@squid-cache.org
> Cc: Mark Elsen
> Subject: [squid-users] R: [squid-users] R: [squid-users] Squid - Ldap
> 
> 
> Hi 
> I understand it but why when do i use squid_ldap_auth from 
> command line it's work?
> Another thing:
> I tried to connect with LDAP Browser program; it work with 
> anonymous bind.

1) Try running /usr/lib/squid/squid_ldap_auth as the cache_effective_user.
2) Do you have SELINUX enabled?  That could be the problem.  Try running 
"setenforce 0" (without the quotes), and see if you can authenticate.

Chris


RE: [squid-users] Squid - Ldap

2006-02-16 Thread Chris Robertson
> -Original Message-
> From: Franco, Battista [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 16, 2006 7:34 AM
> To: squid-users@squid-cache.org
> Cc: Mark Elsen
> Subject: [squid-users] R: [squid-users] R: [squid-users] Squid - Ldap
> 
> 
> Hi 
> I understand it but why when do i use squid_ldap_auth from 
> command line it's work?
> Another thing:
> I tried to connect with LDAP Browser program; it work with 
> anonymous bind.

1) Try running /usr/lib/squid/squid_ldap_auth as the cache_effective_user.
2) Do you have SELINUX enabled?  That could be the problem.  Try running 
"setenforce 0" (without the quotes), and see if you can authenticate.

Chris


Re: [squid-users] Squid - Ldap

2006-02-16 Thread Mark Elsen
> Hello
> I want use squid 2.5stable9 with LDAP Windows 2003 Server
> authentication.
> From command line :
> /usr/lib/squid/squid_ldap_auth -b
> "OU=Users,OU=,OU=Locations,OU=,dc=bb,dc=cc,dc=,dc=net"  -f
> sAMAccountName=%s -h 10.239.56.2
>
> It's OK.
> But when I try to connect to internet from a client it doesn't work
> This is the error on access.log files:
>

  
http://www.squid-cache.org/mail-archive/squid-users/200602/0323.html

  (maybe).

  M.


Re: [squid-users] Squid - LDAP

2006-02-14 Thread Tim Neto


One thing to note: in Windows 2003 Server, Microsoft disables anonymous 
LDAP binds by default.  Instead of doing an anonymous bind, try testing 
your squid_ldap_auth command with options to bind as an authoritative 
user.  Like:


   /usr/lib/squid/squid_ldap_auth -D Administrator -w Admin_Password -R 
-b "dc=xx,dc=yyy,dc=,dc="  -f sAMAccountName=%s -h 10.239.56.2


Note the -D and -w options.

I do not recommend encoding the Active Directory administrator account 
in the squid configuration file.  Either set up another authorized 
account that has read only permissions, or see Microsoft's documentation 
on enabling anonymous binds to a Windows 2003 Active Directory via LDAP.


Tim

---
Timothy E. Neto
Computer Systems Engineer Komatsu Canada Limited
Ph#: 905-625-6292 x2651725B Sismet Road
Fax: 905-625-6348 Mississauga, Canada
E-Mail: [EMAIL PROTECTED]  L4W 1P9
---



Esteban wrote:

Test if the authenticator works.
Run "/usr/lib/squid/squid_ldap_auth -R -b "dc=xx,dc=yyy,dc=,dc="  -f
sAMAccountName=%s -h 10.239.56.2"
and enter "Usernamepassword". If you get OK the authenticator
works. If you always get an ERR you should check the configuration of the
helper / the LDAP server.

And "for testing only" use this http_access schema

http_access allow password
http_access deny all


  

My squid.conf is:
.
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
"dc=xx,dc=yyy,dc=,dc="  -f sAMAccountName=%s -h 10.239.56.2
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
.
acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 407
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 407
acl CONNECT method CONNECT




  

http_access allow manager localhost
http_access allow password
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

cache_peer another-proxy..com parent 8080 0 proxy-only default
#

Which is the problem?






  


RE: [squid-users] Squid - LDAP

2006-02-13 Thread Esteban
>  I tried to test the helper but no message appear (Error/OK)
> Where do i find the helper file configuration?

So the problem seems to be the helper/authenticator.

The helper doesn't have a configuration file. You have to use the
command line parameters only.

Make sure you can actually connect and browse the LDAP tree before using it
with the helpers. Maybe the problem is in the LDAP server.
You could use this http://www.softerra.com/products/ldapbrowser.php





RE: [squid-users] Squid - LDAP

2006-02-13 Thread Esteban
Test if the authenticator works.
Run "/usr/lib/squid/squid_ldap_auth -R -b "dc=xx,dc=yyy,dc=,dc="  -f
sAMAccountName=%s -h 10.239.56.2"
and enter "Usernamepassword". If you get OK the authenticator
works. If you always get an ERR you should check the configuration of the
helper / the LDAP server.

And "for testing only" use this http_access schema

http_access allow password
http_access deny all


> My squid.conf is:
> .
> auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
> "dc=xx,dc=yyy,dc=,dc="  -f sAMAccountName=%s -h 10.239.56.2
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> .
> acl password proxy_auth REQUIRED
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 407
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 407
> acl CONNECT method CONNECT


> http_access allow manager localhost
> http_access allow password
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> 
> cache_peer another-proxy..com parent 8080 0 proxy-only default
> #
> 
> Which is the problem?
> 



Re: [squid-users] squid ldap group authentication

2005-12-06 Thread CsY

Ghislain Garcon
check your [EMAIL PROTECTED] email address please

Thanks




[squid-users] Re: [Bulk] Re: [squid-users] squid ldap group authentication

2005-12-06 Thread Ghislain Garcon
CsY wrote:

> where cn=doe in user in internet group?
> And what way could i use, when i have 200internet user in 500users
> network?
> i think, i put all needed user in internet group, and this will work.
> any idea?
>
> thanks
>
The helper uses the base DN ( -b option ) as a root to create the query
( -f option ). In your config :

> auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b
> "ou=peoples,dc=mydomain,dc=com" ldap
>
> external_acl_type ldap_group %LOGIN
> /usr/lib/squid/squid_ldap_group -ZZ
> -b "cn=netgroup,ou=groups,dc=mydomain,dc=com" -f  
> "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B
> "ou=peoples,dc=mydomain,dc=com" -F uid="%s" -w pass
> serveraddress:serverport
>
> acl password proxy_auth REQUIRED
> acl password_group external ldap_group internet
>
>
> 

the helper will search something like
"cn=doe,cn=netgroup,ou=groups,dc=mydomain,dc=com". But if I remember, it
is impossible to have more than one cn in a DN.
Something like
-b "ou=groups,dc=mydomain,dc=com" -f 
"(&(objectclass=posixGroup)(cn=%g)(member=%u))"

and the declaration would be :
acl password_group external ldap_group netgroup

Then LDAP will search an object named :
"cn=netgroup,ou=groups,dc=mydomain,dc=com" with an attribute
"member=%LOGIN" of type "posixGroup".

Look at the thread :
http://www.mail-archive.com/squid-users@squid-cache.org/msg33711.html

Regards.

Ghislain Garçon.
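
Added example, not part of the message above and not the helper's source: a Python model of the lookup described there, expanding the `-f` template (`%a`/`%v`, or `%g`/`%u`) and running it as a subtree search under the `-b` base against a constructed in-memory directory. The directory contents, the function names, the subtree scope and the RFC 4515 escaping step are assumptions of this example, and the user value is taken as already resolved.

```python
import re

# Constructed sample directory (DN -> attributes), modelled on the tree
# sketched in the thread. Entries and members are made up for this example.
DIRECTORY = {
    "ou=groups,dc=mydomain,dc=com": {"objectclass": ["organizationalUnit"]},
    "cn=netgroup,ou=groups,dc=mydomain,dc=com": {
        "objectclass": ["posixGroup"], "cn": ["netgroup"], "member": ["doe"]},
    "cn=staff,ou=groups,dc=mydomain,dc=com": {
        "objectclass": ["posixGroup"], "cn": ["staff"], "member": ["smith"]},
}

# Filter template as posted in the thread.
TEMPLATE = "(&(objectclass=posixGroup)(cn=%a)(member=%v))"

_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def expand_filter(template, user, group):
    """Replace %v/%u with the user and %a/%g with the group, both escaped."""
    subs = {"v": user, "u": user, "a": group, "g": group}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in subs:
            out.append(escape_filter_value(subs[template[i + 1]]))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_and_filter(text):
    """Parse '(&(a=b)(c=d))' into [(attr, value), ...].

    Only an AND of plain equality terms is supported (no wildcards, OR, NOT).
    """
    text = text.strip()
    if not (text.startswith("(&") and text.endswith(")")):
        raise ValueError("only (&(attr=value)...) filters are supported")
    inner = text[2:-1]
    terms = re.findall(r"\(([A-Za-z0-9-]+)=([^()]*)\)", inner)
    if "".join("(%s=%s)" % term for term in terms) != inner:
        raise ValueError("unsupported filter syntax: " + text)
    return [(attr.lower(), _unescape(value).lower()) for attr, value in terms]


def search(base, filter_text):
    """Subtree search: DNs at or below `base` whose attributes satisfy the filter."""
    base = base.lower()
    terms = parse_and_filter(filter_text)
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        values = {k.lower(): [v.lower() for v in vs] for k, vs in attrs.items()}
        if in_scope and all(val in values.get(attr, []) for attr, val in terms):
            hits.append(dn)
    return hits


def is_member(base, template, user, group):
    """True when the expanded filter finds at least one entry under `base`."""
    return bool(search(base, expand_filter(template, user, group)))


if __name__ == "__main__":
    groups = "ou=groups,dc=mydomain,dc=com"
    # As posted: base points at the group entry, acl passes the name "internet".
    print(expand_filter(TEMPLATE, "doe", "internet"))
    print("posted config :", is_member("cn=netgroup," + groups, TEMPLATE, "doe", "internet"))
    # As suggested: base is the groups container, acl passes "netgroup".
    print("suggested fix :", is_member(groups, TEMPLATE, "doe", "netgroup"))
    # A login containing filter metacharacters stays a literal value.
    print(expand_filter(TEMPLATE, "doe)(cn=*", "netgroup"))
```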



Re: [squid-users] squid ldap group authentication

2005-12-05 Thread CsY

where cn=doe in user in internet group?
And what way could i use, when i have 200internet user in 500users network?
i think, i put all needed user in internet group, and this will work. 
any idea?


thanks

Ghislain Garcon wrote:

auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b
"ou=peoples,dc=mydomain,dc=com" ldap

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -ZZ
-b "cn=netgroup,ou=groups,dc=mydomain,dc=com" -f


It seems "cn=netgroup,ou=groups,dc=mydomain,dc=com" is wrong (this means
that you have somewhere a
"cn=doe,cn=netgroup,ou=groups,dc=mydomain,dc=com").

  

"(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B
"ou=peoples,dc=mydomain,dc=com" -F uid="%s" -w pass
serveraddress:serverport

acl password proxy_auth REQUIRED
acl password_group external ldap_group internet




Regards.

Ghislain Garçon.





  




Re: [squid-users] squid ldap group authentication

2005-12-05 Thread Ghislain Garcon

>>>
>>> auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b
>>> "ou=peoples,dc=mydomain,dc=com" ldap
>>>
>>> external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -ZZ
>>> -b "cn=netgroup,ou=groups,dc=mydomain,dc=com" -f
>>
It seems "cn=netgroup,ou=groups,dc=mydomain,dc=com" is wrong (this means
that you have somewhere a
"cn=doe,cn=netgroup,ou=groups,dc=mydomain,dc=com").

>>> "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B
>>> "ou=peoples,dc=mydomain,dc=com" -F uid="%s" -w pass
>>> serveraddress:serverport
>>>
>>> acl password proxy_auth REQUIRED
>>> acl password_group external ldap_group internet
>>>
>>>
Regards.

Ghislain Garçon.



Re: [squid-users] squid ldap group authentication

2005-12-05 Thread CsY



ubuntu linux 5.10 breezy badger
OpenLDAP: slapd 2.2.26 (jul 4 2005 12:56:26




Mark Elsen wrote:

On 12/5/05, CsY <[EMAIL PROTECTED]> wrote:
  

ohh.. sorry

Squid Cache: Version 2.5.STABLE10
configure options:  --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin 
--sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid 
--localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-async-io 
--with-pthreads --enable-storeio=ufs,aufs,diskd,null --enable-linux-netfilter 
--enable-arp-acl --enable-removal-policies=lru,heap --enable-snmp 
--enable-delay-pools --enable-htcp --enable-poll --enable-cache-digests 
--enable-underscores --enable-referer-log --enable-useragent-log 
--enable-auth=basic,digest,ntlm --enable-carp --with-large-files 
i386-debian-linux



  What OS and version is the ldapserver running ?

  M.

  




Re: [squid-users] squid ldap group authentication

2005-12-05 Thread Mark Elsen
On 12/5/05, CsY <[EMAIL PROTECTED]> wrote:
>
> ohh.. sorry
>
> Squid Cache: Version 2.5.STABLE10
> configure options:  --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin 
> --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid 
> --localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-async-io 
> --with-pthreads --enable-storeio=ufs,aufs,diskd,null --enable-linux-netfilter 
> --enable-arp-acl --enable-removal-policies=lru,heap --enable-snmp 
> --enable-delay-pools --enable-htcp --enable-poll --enable-cache-digests 
> --enable-underscores --enable-referer-log --enable-useragent-log 
> --enable-auth=basic,digest,ntlm --enable-carp --with-large-files 
> i386-debian-linux

  What OS and version is the ldapserver running ?

  M.


Re: [squid-users] squid ldap group authentication

2005-12-05 Thread CsY

i probe these configs, but arent working.
auth_param basic program /usr/lib/squid/ldap_auth -Z -b 
"ou=group,dc=mydomain,dc=com" -D cn=admin,dc=hu -w password
auth_param basic children 10
auth_param basic credentialsttl 1 hour
refresh_pattern ^ftp:   1440    20% 10080
refresh_pattern ^gopher:        1440    0%  1440
refresh_pattern .   0   20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl SSL_ports port 873 
acl Safe_ports port 80 
acl Safe_ports port 21 
acl Safe_ports port 443 563
acl Safe_ports port 70 
acl Safe_ports port 210

acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
no_cache deny QUERY
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=group,dc=mydomain,dc=com" -f 
(&(objectclass=posixGroup) (cn=%a) (member=%v))" -B " "cn=internet,ou=group,dc=mydomain,dc=com" 
-F uid="%s" -D cn=admin,dc=com -w password
acl passwd proxy_auth REQUIRED
acl passwd_group external ldap_group internet
http_access allow manager localhost
http_access allow password
http_access allow passwd_group
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
httpd_accel_single_host off
coredump_dir /var/spool/squid
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

The ldap:

com
|
mydomain
|       |
users   groups
|       |
user1   internet



Mark Elsen wrote:

On 12/5/05, CsY <[EMAIL PROTECTED]> wrote:
  

Hello

Can i help you?
I need set up the ldap group authentication, this rule do not working.
Any idea?

auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b 
"ou=peoples,dc=mydomain,dc=com" ldap

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -ZZ
-b "cn=netgroup,ou=groups,dc=mydomain,dc=com" -f
"(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B
"ou=peoples,dc=mydomain,dc=com" -F uid="%s" -w pass serveraddress:serverport

acl password proxy_auth REQUIRED
acl password_group external ldap_group internet


http_access allow password_group

thanks







 - Squid version ?
 - OS/platform/version ?

 M.


Re: [squid-users] squid ldap group authentication

2005-12-05 Thread Shaun Bolling

I just setup squid v2.4 and I had to create a wrapper for my LDAP to work.

example: authenticate_program /usr/lib/squid/myauth

then the file "myauth" looks like

/usr/lib/squid/squid_ldap_auth -b "o=myorg,c=US" xxx.xxx.xxx.xxx:389

Hope this helps.




CsY wrote:

Hello

Can i help you?
I need set up the ldap group authentication, this rule do not working. 
Any idea?


auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b 
"ou=peoples,dc=mydomain,dc=com" ldap


external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -ZZ 
-b "cn=netgroup,ou=groups,dc=mydomain,dc=com" -f 
"(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B 
"ou=peoples,dc=mydomain,dc=com" -F uid="%s" -w pass 
serveraddress:serverport


acl password proxy_auth REQUIRED
acl password_group external ldap_group internet


http_access allow password_group

thanks







Re: [squid-users] squid ldap group authentication

2005-12-05 Thread Mark Elsen
On 12/5/05, CsY <[EMAIL PROTECTED]> wrote:
> Hello
>
> Can i help you?
> I need set up the ldap group authentication, this rule do not working.
> Any idea?
>
> auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b 
> "ou=peoples,dc=mydomain,dc=com" ldap
>
> external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -ZZ
> -b "cn=netgroup,ou=groups,dc=mydomain,dc=com" -f
> "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B
> "ou=peoples,dc=mydomain,dc=com" -F uid="%s" -w pass serveraddress:serverport
>
> acl password proxy_auth REQUIRED
> acl password_group external ldap_group internet
>
>
> http_access allow password_group
>
> thanks
>
>
>


 - Squid version ?
 - OS/platform/version ?

 M.


Re: [squid-users] squid ldap authentication

2005-08-17 Thread Serassio Guido

Hi,

At 09.03 17/08/2005, Ashish wrote:

> Hi,
>
> we have in our network Windows Server 2003 and squid
> proxy. Now i want squid to authenticate through server 2003 active
> directory. i am using command:-
>
> auth_param basic program /usr/lib/squid/squid_ldap_auth -b "ou=Users,
> dc=example,dc=com" ldapserver
>
> but it doesn't authenticate through it. Though the dialog for username
> and password does come but when i enter the username and password it
> doesn't authenticate through it. Plz tell me where i am going wrong. I
> have already tried ntlm_auth command.
> --


Two things:

- Anonymous LDAP operations to Active Directory are disabled on 
Windows Server 2003 domain controllers: 
http://support.microsoft.com/default.aspx?scid=kb;en-us;326690.
- You must specify a username/password for binding to Active 
Directory, see -D and -w options of squid_ldap_auth.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] squid ldap authentication

2005-08-17 Thread Mark Elsen
On 8/17/05, Ashish <[EMAIL PROTECTED]> wrote:
> Hi,
> 
>we have in our network Windows Server 2003 and squid
> proxy. Now i want squid to authenticate through server 2003 active
> directory. i am using command:-
> 
> auth_param basic program /usr/lib/squid/squid_ldap_auth -b "ou=Users,
> dc=example,dc=com" ldapserver
> 
> but it doesn't authenticate through it. Though the dialog for username
> and password does come but when i enter the username and password it
> doesn't authenticate through it. Plz tell me where i am going wrong. I
> have already tried ntlm_auth command.
> --
 
 - What's in access.log, and cache.log ?
 - Check the man page on squid_ldap_auth for configuration info.
 - Windows 2003 : which patch level ?
 - Samba version ?

 Note that some Windows 2003 patch level requires an up-to-date samba
 release. Check the archives, using search tool(s);

 - Include squid version used in postings.

 M.


Re: [squid-users] Squid/ldap authentication via Novell NDS

2005-05-10 Thread Daniel Lim
Thank you Henrik,
I got it working now after switching the squid_ldap_auth option from 
(cn=%s) to  (uid=%s)

Thank again,
Daniel 

>>> Henrik Nordstrom <[EMAIL PROTECTED]> 7/05/2005 7:55:50 >>>
On Fri, 29 Apr 2005, Daniel Lim wrote:

> I am using Squid-2.5-STABLE7 as proxy on SLES 8 for users to
> authenticate the browser access to the internet, the password
> authentication works well until the Novell NDS changed to a new tree
> structure which I have also changed accordingly in the squid.conf.

Is this new tree set to allow plain text authentication?

From what I remember NDS is by default a little picky about plain text
authentication and requires the connection to be SSL encrypted..

I could not see anything obviously wrong in your configuration, but I 
would recommend running squid_ldap_auth and squid_ldap_group from the 
command line to verify the functionality of each part.

Both also have a -d flag to make them a little more verbose about what
they are doing.

Regards
Henrik



Re: [squid-users] Squid/ldap authentication via Novell NDS

2005-05-06 Thread Henrik Nordstrom
On Fri, 29 Apr 2005, Daniel Lim wrote:

> I am using Squid-2.5-STABLE7 as proxy on SLES 8 for users to
> authenticate the browser access to the internet, the password
> authentication works well until the Novell NDS changed to a new tree
> structure which I have also changed accordingly in the squid.conf.

Is this new tree set to allow plain text authentication?

From what I remember NDS is by default a little picky about plain text 
authentication and requires the connection to be SSL encrypted..

I could not see anything obviously wrong in your configuration, but I 
would recommend running squid_ldap_auth and squid_ldap_group from the 
command line to verify the functionality of each part.

Both also have a -d flag to make them a little more verbose about what 
they are doing.

Regards
Henrik


RE: [squid-users] squid+ldap

2005-04-13 Thread Elsen Marc

 
> Hi 
>  
> I am Using mandrake linux with squid2.5.STABLE4-1mdk .I want 
> to configure user 
> authentication in squid.we have separate ldap server is 
> there.can any one help 
> me. 
>  
Check the SQUID FAQ on this and related issues.

M.


Re: [squid-users] Squid + LDAP installation issues

2005-01-12 Thread Henrik Nordstrom
On Tue, 11 Jan 2005, Ricardo López Urrutia wrote:

> Hello List, I've searched through the FAQ's, the list and the 
> Internet and have not found an answer yet. Hope someone outhere can help
>
> Background: squid-2.5.STABLE5-4.fc2.2, source RPM modified to only 
> accept LDAP authentication below are the modified lines in the squid.spec 
> file
>
>   --enable-external-acl-helpers="ip_user,ldap_group,unix_group," \
>   --enable-auth="basic,ldap" \
>   --enable-basic-auth-helpers="LDAP,NCSA," \
> (I left NCSA authentication due to the nature of error messages)
> Downloaded the Squid Ldap Authentication Module

Why not using the standard squid_ldap_auth helper you already selected to 
have installed above?

> After the download I untarred it, cd to directory, make and 
> cp to /etc/squid
>
> On squid.conf i add the following line without acl's so far just for 
> the sake of watching if it works
>
> authenticate_program /etc/squid/ldap_auth, but get the following 
> error.
> "parseConfigFile: line 16 unrecognized: 'authenticate_program 
> /etc/squid/ldap_auth'"

This is old Squid-2.4 and earlier configuration syntax. See the Squid-2.5 
release notes for details. It should also be noted that old authentication 
helpers needs some slight update to work correctly with Squid-2.5 if there 
is odd characters in either the username or password.

Regards
Henrik

Re: [squid-users] Squid LDAP use with single sign on ?

2004-12-24 Thread Henrik Nordstrom

On Fri, 24 Dec 2004, Ernst Einstein wrote:

> On Thu, 2004-12-23 at 22:38, Henrik Nordstrom wrote:
> > On Thu, 23 Dec 2004 [EMAIL PROTECTED] wrote:
> >
> > > Is it possible to get a single sign on with linux clients ? I have found a
> > > lot of workarounds and solutions when using windows clients - but no for
> > > linux clients.
> >
> > Linux or Unix in general does not have a local security service keeping
> > track of the logon like you have in Windows GINA/LSA, and as a result
> > single sign on for applications is close to non-existing in this world..
>
> Okay... Is there a chance to get something like that running with
> kerberos ?

If Mozilla/Firefox supports interacting with the kerberos ticket cache for 
use in the (non-standard) Microsoft Negotiate protocol then things should 
work once Negotiate support is added to Squid (quite likely to happen 
for the Squid-3.0 release).

Regards
Henrik


Re: [squid-users] Squid LDAP use with single sign on ?

2004-12-24 Thread Ernst Einstein
On Thu, 2004-12-23 at 22:38, Henrik Nordstrom wrote:
> On Thu, 23 Dec 2004 [EMAIL PROTECTED] wrote:
> 
> > Is it possible to get a single sign on with linux clients ? I have found a
> > lot of workarounds and solutions when using windows clients - but no for
> > linux clients.
> 
> Linux or Unix in general does not have a local security service keeping 
> track of the logon like you have in Windows GINA/LSA, and as a result 
> single sign on for applications is close to non-existing in this world..

Okay... Is there a chance to get something like that running with
kerberos ?

Regards
Andre




Re: [squid-users] Squid LDAP use with single sign on ?

2004-12-23 Thread Henrik Nordstrom
On Thu, 23 Dec 2004 [EMAIL PROTECTED] wrote:

> Is it possible to get a single sign on with linux clients ? I have found a
> lot of workarounds and solutions when using windows clients - but no for
> linux clients.

Linux or Unix in general does not have a local security service keeping 
track of the logon like you have in Windows GINA/LSA, and as a result 
single sign on for applications is close to non-existing in this world..

Regards
Henrik


[squid-users] RE: [Squid-users] Squid LDAP Authentication

2004-08-12 Thread Rick Whitley
Good info, thanks Adam!

rick...
Rom.5:8

>>> Adam Aube <[EMAIL PROTECTED]> 8/12/2004 1:16:37 PM >>>
Rick Whitley wrote:

> Check to see if your ldap dir accepts anonymous binds, if not you will
> need the -D and -w params. Also when you run the helper outside of squid
> you need to pipe the password, see below:
> 
> echo "userPassword: password" | /squid_ldap_auth -b
> "ou=academics,o=dbu" -u cn -D "cn=LDAPUser,ou=users,o=dbu" -w "password"
> -f "cn=userid" -h you.host.ip.adr

Or you could use -W instead of -w, which lets you put the password in a file
(readable only by the user Squid runs as). This prevents the password from
showing on the command line (visible through ps).

Also, you don't need to pipe the username and password - you can run the
helper first, then type "username password" on the command line and press
Enter.

Adam



[squid-users] Re: [Squid-users] Squid LDAP Authentication

2004-08-12 Thread Adam Aube
Simon Magee wrote:

> I have just installed SQUID2.5-STABLE6 and compiled with the --enable-SSL
> --enable-basic-auth-helpers=LDAP.  I can get Squid to run ok, but when I
> come to try and get the LDAP authentication to work I am having no luck.
>  
> On manually running the ./squid_auth_ldap -b o=bte -h 172.20.200.1 -p 389
> I always get the ERR message on the screen.  I am running this on SuSE
> Enterprise Server 8 and have the openldap modules installed.

What LDAP backend are you trying to integrate with?

Adam



[squid-users] RE: [Squid-users] Squid LDAP Authentication

2004-08-12 Thread Adam Aube
Rick Whitley wrote:

> Check to see if your ldap dir accepts anonymous binds, if not you will
> need the -D and -w params. Also when you run the helper outside of squid
> you need to pipe the password, see below:
> 
> echo "userPassword: password" | /squid_ldap_auth -b
> "ou=academics,o=dbu" -u cn -D "cn=LDAPUser,ou=users,o=dbu" -w "password"
> -f "cn=userid" -h you.host.ip.adr

Or you could use -W instead of -w, which lets you put the password in a file
(readable only by the user Squid runs as). This prevents the password from
showing on the command line (visible through ps).

Also, you don't need to pipe the username and password - you can run the
helper first, then type "username password" on the command line and press
Enter.

Adam



Re: [squid-users] SQUID + LDAP HELP

2004-07-16 Thread Stephane DAVY
> external_acl_type AD_Group %LOGIN
> /usr/lib/squid/squid_ldap_auth -b 
> cn=users,dc=dom1,dc=info,dc=co -D
> cn=user1,cn=users,dc=dom1,dc=info,dc=co 
> -h 10.10.1.25 -w pass1 -S -f 
> "(&(cn=%u)(memberOf=cn=internet,cn=users,dc=dom1,dc=info,dc=co))"

it seems that your external_acl definition is wrong, isn't it? You
should use squid_ldap_group instead of squid_ldap_auth here. Maybe this
is why you have a different behavior when you have a good or a wrong
authentication
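
Two points raised in these threads can be checked mechanically: Adam Aube's advice to use -W (a secret file readable only by the Squid user) instead of -w, and the note above that a group lookup needs squid_ldap_group rather than squid_ldap_auth. The Python lint below is an added example, not code from any poster or from the Squid project; the function names, finding strings and the constructed sample configuration (placeholder DNs, host and paths) are assumptions.

```python
import os
import shlex
import stat

# Constructed sample, modelled on the helper lines quoted in these threads.
SAMPLE_CONF = """\
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "ou=Users,dc=example,dc=com" -D "cn=proxy,dc=example,dc=com" -w password ldapserver
auth_param basic children 10
external_acl_type AD_Group %LOGIN /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=com" -D "cn=proxy,dc=example,dc=com" -W /nonexistent/ldap.secret -f "(&(cn=%u)(memberOf=cn=internet,dc=example,dc=com))" -h ldapserver
"""


def _tokens(line):
    """Split one squid.conf line, keeping double-quoted arguments whole."""
    try:
        return shlex.split(line)
    except ValueError:  # unbalanced quote: fall back to whitespace split
        return line.split()


def secret_file_too_open(path):
    """True if the -W file is missing or accessible to group/others."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return True
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def lint_helper_lines(conf_text):
    """Return (line_number, finding) tuples for LDAP helper definitions."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tok = _tokens(raw.strip())
        if not tok or tok[0] not in ("auth_param", "external_acl_type"):
            continue
        # The helper binary is the first absolute path on the line.
        helper = next((os.path.basename(t) for t in tok if t.startswith("/")), "")
        if "ldap" not in helper:
            continue
        args = tok[:-1]  # an option in last position has no value
        if "-w" in args:
            findings.append((lineno, "bind password on command line (-w)"))
        if tok[0] == "external_acl_type" and helper == "squid_ldap_auth":
            findings.append((lineno, "squid_ldap_auth used as group helper"))
        if "-W" in args:
            secret = tok[tok.index("-W") + 1]
            if secret_file_too_open(secret):
                findings.append((lineno, "secret file missing or too open"))
    return findings


if __name__ == "__main__":
    for lineno, finding in lint_helper_lines(SAMPLE_CONF):
        print(f"line {lineno}: {finding}")
```
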




Re: [squid-users] Squid + Ldap + Lotus Notes Problem

2004-02-10 Thread Henrik Nordstrom
On Tue, 10 Feb 2004, William Mikanowski wrote:

> I try, ldapsearch -x -D "UID=_Administrateur, O=DOM"
> -W -b O=DOM "objectClass=*"
> 
> But it doesn’t retrieve the records.

Should work.

Is the bind successful?

Regards
Henrik



RE: [squid-users] squid ldap auth

2003-06-27 Thread Barns,R
Thank you for your help. I'm currently running 2.4STABLE7 so I will try upgrading to 
2.5.

Rick Barns

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 26 June 2003 22:42
To: Barns,R
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] squid ldap auth


Thu 2003-06-26 at 17.04, Barns,R wrote:
> I'm trying to use squid_ldap_auth and having read through the archives
> I'm still not certain of the manner for setting the searchbase.

The search base should be set to a DN below where all your users can be
found.

> Is it done in squid.conf in a similar manner to when using
> squid_ldap_auth on the command line,

Yes. The exact same manner, except that Squid does not understand
singlequotes ('), only doublequotes (") are understood.  (Squid-2.5 and
later only.. squid-2.4 and earlier did not allow for quoting of helper
arguments at all)

> or is it done when compiling squid_ldap_auth.

Current versions of squid_ldap_auth has command line flags for
everything. There is no need to change the source for configuration.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions is only answered
for a fee or as part of a commercial Squid support contract.

If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]



Re: [squid-users] squid ldap auth

2003-06-26 Thread Henrik Nordstrom
Thu 2003-06-26 at 17.04, Barns,R wrote:
> I'm trying to use squid_ldap_auth and having read through the archives
> I'm still not certain of the manner for setting the searchbase.

The search base should be set to a DN below where all your users can be
found.

> Is it done in squid.conf in a similar manner to when using
> squid_ldap_auth on the command line,

Yes. The exact same manner, except that Squid does not understand
singlequotes ('), only doublequotes (") are understood.  (Squid-2.5 and
later only.. squid-2.4 and earlier did not allow for quoting of helper
arguments at all)

> or is it done when compiling squid_ldap_auth.

Current versions of squid_ldap_auth has command line flags for
everything. There is no need to change the source for configuration.

Regards
Henrik
