Re: [squid-users] squid_ldap_auth windows 2008 binddn user privileges?

2013-07-05 Thread Beto Moreno
I got your point. I have to find out what group the user needs to be in
for this; I'll let you know ASAP.

Now, that said:

"The minimum necessary privileges for that one action and the user
account to remain usable may be changed by the AD authors without
warning between patches/servicepacks to AD, or you may be using one of
the non-AD alternative software with entirely different configuration.
Either way it is difficult to document properly thus the wording
"minimal privileges" is a bit of a copout, but clear enough"

I get why none of the docs touch the user's special privilege settings;
I need to go and ask the Windows people.

Let me investigate, thanks.

On Thu, Jul 4, 2013 at 10:45 PM, Amos Jeffries  wrote:
> On 5/07/2013 4:57 p.m., Beto Moreno wrote:
>>
>> Hi.
>>
>> I setup squid to authenticate with windows 2008R2 AD native using
>>
>> squid_ldap_auth
>>
>> My question is regarding of the user we use in the flag binddn, all
>> the docs I had read just tell:
>>
>> "minimal privileges"
>>
>> I create a normal user, but squid_ldap_auth reject the user:
>>
>> squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'
>>
>> But once I change the user to a domain admin, it works.
>>
>> Then Windows is asking for a user with special rights; could someone
>> clear my brain?
>
>
> That user is *not* a normal account but the account the Squid helper uses to
> login to AD itself to lookup the clients credentials with - validating
> user:password and user:group pairs. That is the only task it does. The
> minimum necessary privileges for that one action and the user account to
> remain usable may be changed by the AD authors without warning between
> patches/servicepacks to AD, or you may be using one of the non-AD
> alternative software with entirely different configuration. Either way it is
> difficult to document properly thus the wording "minimal privileges" is a
> bit of a copout, but clear enough.
>
> **  It is important that they be _minimal_ privileges on that user because
> they are left hanging around in plain-text form in your squid.conf and also
> the system's running-process listings which anyone can view.
>
>
> Which doc did you read? The helper manual, as far back as I can find,
> documents it with a line indicating the parameter usage followed by that
> "minimal associated privileges" notice.
>
> Amos


Re: [squid-users] squid_ldap_auth windows 2008 binddn user privileges?

2013-07-04 Thread Amos Jeffries

On 5/07/2013 4:57 p.m., Beto Moreno wrote:

Hi.

I setup squid to authenticate with windows 2008R2 AD native using

squid_ldap_auth

My question is regarding of the user we use in the flag binddn, all
the docs I had read just tell:

"minimal privileges"

I create a normal user, but squid_ldap_auth reject the user:

squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'

But once I change the user to a domain admin, it works.

Then Windows is asking for a user with special rights; could someone
clear my brain?


That user is *not* a normal account but the account the Squid helper
uses to log in to AD itself to look up the clients' credentials with,
validating user:password and user:group pairs. That is the only task it
does. The minimum necessary privileges for that one action and the user
account to remain usable may be changed by the AD authors without
warning between patches/servicepacks to AD, or you may be using one of
the non-AD alternative software with entirely different configuration.
Either way it is difficult to document properly thus the wording
"minimal privileges" is a bit of a copout, but clear enough.


**  It is important that they be _minimal_ privileges on that user
because they are left hanging around in plain-text form in your
squid.conf and also the system's running-process listings which anyone
can view.



Which doc did you read? The helper manual, as far back as I can
find, documents it with a line indicating the parameter usage followed by
that "minimal associated privileges" notice.


Amos


Re: [squid-users] squid_ldap_auth - authentication only after 3 try

2013-04-03 Thread Amos Jeffries

On 4/04/2013 7:35 a.m., Pavel Bychykhin wrote:
According to the documentation, setting keep_alive to "off" makes 
Squid more stable in some circumstances.

I'm using "off" for keep_alive - no problems.

03.04.2013 20:58, Alípio Luiz wrote:

I did a test setting the parameter keep_alive to off in auth_param
negotiate. It worked...
A question: Is there any problem on keeping the keep_alive parameter 
off?




It is a hack added for IE6 and some other systems which assume HTTP/1.0
non-persistent connections and break badly when the auth handshake on a
persistent connection does not succeed on the first try. It makes Squid
send Connection: close along with the first NTLM auth challenge response.
Once the connection is authenticated the persistent connection stuff all
works normally.


The only problem with using it is that each NTLM login now requires two 
TCP connections causing an increase in TCP sockets cycling through 
TIME_WAIT.



PS. I am about to commit a patch that fixes problems Safari was having
with Squid-3.2 that may be related. If you are able to run squid-3.3
with a patch and would like to see if it resolves this issue as well, I
can send you a copy.


Amos



Re: [squid-users] squid_ldap_auth - authentication only after 3 try

2013-04-03 Thread Pavel Bychykhin

According to the documentation, setting keep_alive to "off" makes Squid more 
stable in some circumstances.
I'm using "off" for keep_alive - no problems.

03.04.2013 20:58, Alípio Luiz wrote:

I did a test setting the parameter keep_alive to off in auth_param
negotiate. It worked...
A question: Is there any problem on keeping the keep_alive parameter off?




--
Best regards,
Pavel


Re: [squid-users] squid_ldap_auth - authentication only after 3 try

2013-04-03 Thread Alípio Luiz
I did a test setting the parameter keep_alive to off in auth_param
negotiate. It worked...
A question: Is there any problem on keeping the keep_alive parameter off?

2013/4/3 Pavel Bychykhin :
> I had a similar problem and solved it by running two instances of Squid.
> The first instance uses the negotiate_wrapper for GSSAPI and NTLM helpers.
> The second one uses basic and digest schemes.
> As I understand it, the fact is that the browsers themselves choose what
> kind of scheme to use.
> I.e., one browser would prefer the negotiate scheme over basic.
> Another browser would use the scheme that is first in the list.
>
>
> 02.04.2013 21:39, Alípio Luiz wrote:
>
>> I have squid configured with kerberos (squid_kerb_auth) to
>> authenticate users against Active Directory. The SSO is working well
>> for users logged on domain...
>>
>> For users out of domain, I configured squid_ldap_auth +
>> squid_ldap_group. However, the authentication only works after the
>> user's third try...
>>
>> Is there a way to fix that? I want users to enter their credentials
>> just once to authenticate...
>> Our OS is Windows XP and Windows 7.. both with IE9 + Firefox + Chrome
>>
>> May you help me?
>> Thanks in advance...
>>
>> Below is what I have in squid.conf (section about authentication):
>> #
>> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s
>> HTTP/server.domain.local
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>>
>> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b
>> "dc=domain,dc=local" -D squid@DOMAIN.LOCAL -w "@mypass" -f
>> sAMAccountName=%s -h server.domain.local -d
>> auth_param basic children 5
>> auth_param basic realm Internet Authentication
>> auth_param basic credentialsttl 2 hours
>> auth_param basic keep_alive off
>>
>> external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R
>> -K -b "dc=domain,dc=local" -D squid@DOMAIN.LOCAL -w "@mypass" -f
>> "(&(objectclass=person)(sAMAccountName=%v)(memberof=$
>>
>> acl INTERNET_Perfil_Avancado external memberof INTERNET_Perfil_Avancado
>> acl INTERNET_Perfil_Basico external memberof INTERNET_Perfil_Basico
>> acl INTERNET_Perfil_Padrao external memberof INTERNET_Perfil_Padrao
>> acl INTERNET_Perfil_Padrao_Sociais external memberof
>> INTERNET_Perfil_Padrao_Sociais
>>
>> acl auth proxy_auth REQUIRED
>> #
>> --
>> Alípio Luiz [Squidy] | Brasil - Cuiabá/MT
>> Email/GTalk: alipio.luiz [arroba] gmail.com
>> Skype: alipio.luiz
>> Linux User #251497
>>
>
> --
> Best regards,
> Pavel



-- 
Alípio Luiz [Squidy] | Brasil - Cuiabá/MT
Email/GTalk: alipio.luiz [arroba] gmail.com
MSN: alipio.luiz [arroba] hotmail.com
Skype: alipio.luiz
Linux User #251497


Re: [squid-users] squid_ldap_auth - authentication only after 3 try

2013-04-03 Thread Pavel Bychykhin

I had a similar problem and solved it by running two instances of Squid.
The first instance uses the negotiate_wrapper for GSSAPI and NTLM helpers.
The second one uses basic and digest schemes.
As I understand it, the fact is that the browsers themselves choose what
kind of scheme to use.
I.e., one browser would prefer the negotiate scheme over basic.
Another browser would use the scheme that is first in the list.


02.04.2013 21:39, Alípio Luiz wrote:

I have squid configured with kerberos (squid_kerb_auth) to
authenticate users against Active Directory. The SSO is working well
for users logged on domain...

For users out of domain, I configured squid_ldap_auth +
squid_ldap_group. However, the authentication only works after the
user's third try...

Is there a way to fix that? I want users to enter their credentials
just once to authenticate...
Our OS is Windows XP and Windows 7.. both with IE9 + Firefox + Chrome

May you help me?
Thanks in advance...

Below is what I have in squid.conf (section about authentication):
#
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s
HTTP/server.domain.local
auth_param negotiate children 10
auth_param negotiate keep_alive on

auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b
"dc=domain,dc=local" -D squid@DOMAIN.LOCAL -w "@mypass" -f
sAMAccountName=%s -h server.domain.local -d
auth_param basic children 5
auth_param basic realm Internet Authentication
auth_param basic credentialsttl 2 hours
auth_param basic keep_alive off

external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R
-K -b "dc=domain,dc=local" -D squid@DOMAIN.LOCAL -w "@mypass" -f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=$

acl INTERNET_Perfil_Avancado external memberof INTERNET_Perfil_Avancado
acl INTERNET_Perfil_Basico external memberof INTERNET_Perfil_Basico
acl INTERNET_Perfil_Padrao external memberof INTERNET_Perfil_Padrao
acl INTERNET_Perfil_Padrao_Sociais external memberof
INTERNET_Perfil_Padrao_Sociais

acl auth proxy_auth REQUIRED
#
--
Alípio Luiz [Squidy] | Brasil - Cuiabá/MT
Email/GTalk: alipio.luiz [arroba] gmail.com
Skype: alipio.luiz
Linux User #251497



--
Best regards,
Pavel


Re: [squid-users] squid_ldap_auth with SASL/GSSAPI

2012-06-14 Thread Павел Бычихин



15.06.2012 4:51, Amos Jeffries wrote:

On 14/06/2012 11:25 p.m., Павел Бычихин wrote:

14.06.2012 13:11, Amos Jeffries wrote:

On 14/06/2012 7:57 p.m., Павел Бычихин wrote:

Hi!

Is it possible to use squid_ldap_auth with SASL/GSSAPI (My SQUID ver. is 3.1.19)



* LDAP is a database access protocol
* SASL is a framework layer.
* GSSAPI is a Windows function API.

One guess which squid_ldap_auth uses?

You want SASL you try to find the "SASL" auth helper.

You want GSSAPI you try to find the "SSPI" auth helper (only available on 
Windows native builds).

http://www.squid-cache.org/Doc/man/

(don't be fooled by the "Squid Version" column. That is only where the helper 
is documented for. Most of them exist in older Squid versions back to
2.6 but in an undocumented form which differ slightly from the 3.2 release 
helper)

Amos



I apologize for the inaccurate question.
I need squid_ldap_auth to do the authentication using Kerberos while
connecting to the Active Directory controller.
Is it possible?



Not with that helper, no.  squid_ldap_auth takes in Basic authentication tokens.

There is a different helper needed to perform Kerberos over LDAP.
http://squidkerbauth.sourceforge.net/

Amos

Amos



Thank you, Amos. I'll try it.

--
Best regards,
Павел Бычихин
КП "ХТС"
tel. (057) 758-84-12




Re: [squid-users] squid_ldap_auth with SASL/GSSAPI

2012-06-14 Thread Amos Jeffries

On 14/06/2012 11:25 p.m., Павел Бычихин wrote:

14.06.2012 13:11, Amos Jeffries wrote:

On 14/06/2012 7:57 p.m., Павел Бычихин wrote:

Hi!

Is it possible to use squid_ldap_auth with SASL/GSSAPI (My SQUID 
ver. is 3.1.19)




* LDAP is a database access protocol
* SASL is a framework layer.
* GSSAPI is a Windows function API.

One guess which squid_ldap_auth uses?

You want SASL you try to find the "SASL" auth helper.

You want GSSAPI you try to find the "SSPI" auth helper (only 
available on Windows native builds).


http://www.squid-cache.org/Doc/man/

(don't be fooled by the "Squid Version" column. That is only where 
the helper is documented for. Most of them exist in older Squid 
versions back to
2.6 but in an undocumented form which differ slightly from the 3.2 
release helper)


Amos



I apologize for the inaccurate question.
I need squid_ldap_auth to do the authentication using Kerberos
while connecting to the Active Directory controller.

Is it possible?



Not with that helper, no.  squid_ldap_auth takes in Basic authentication 
tokens.


There is a different helper needed to perform Kerberos over LDAP.
http://squidkerbauth.sourceforge.net/

Amos

Amos


Re: [squid-users] squid_ldap_auth with SASL/GSSAPI

2012-06-14 Thread Павел Бычихин

14.06.2012 13:11, Amos Jeffries wrote:

On 14/06/2012 7:57 p.m., Павел Бычихин wrote:

Hi!

Is it possible to use squid_ldap_auth with SASL/GSSAPI (My SQUID ver. is 3.1.19)



* LDAP is a database access protocol
* SASL is a framework layer.
* GSSAPI is a Windows function API.

One guess which squid_ldap_auth uses?

You want SASL you try to find the "SASL" auth helper.

You want GSSAPI you try to find the "SSPI" auth helper (only available on 
Windows native builds).

http://www.squid-cache.org/Doc/man/

(don't be fooled by the "Squid Version" column. That is only where the helper 
is documented for. Most of them exist in older Squid versions back to
2.6 but in an undocumented form which differ slightly from the 3.2 release 
helper)

Amos



I apologize for the inaccurate question.
I need squid_ldap_auth to do the authentication using Kerberos while
connecting to the Active Directory controller.
Is it possible?

--
Best regards,
Павел Бычихин
КП "ХТС"
tel. (057) 758-84-12




Re: [squid-users] squid_ldap_auth with SASL/GSSAPI

2012-06-14 Thread Amos Jeffries

On 14/06/2012 7:57 p.m., Павел Бычихин wrote:

Hi!

Is it possible to use squid_ldap_auth with SASL/GSSAPI (My SQUID ver. 
is 3.1.19)




* LDAP is a database access protocol
* SASL is a framework layer.
* GSSAPI is a Windows function API.

One guess which squid_ldap_auth uses?

You want SASL you try to find the "SASL" auth helper.

You want GSSAPI you try to find the "SSPI" auth helper (only available 
on Windows native builds).


http://www.squid-cache.org/Doc/man/

(don't be fooled by the "Squid Version" column. That is only where the 
helper is documented for. Most of them exist in older Squid versions 
back to 2.6 but in an undocumented form which differ slightly from the 
3.2 release helper)


Amos


Re: [squid-users] squid_ldap_auth to AD user credentials?

2012-04-20 Thread Amos Jeffries

On 19/04/2012 6:59 p.m., Beto Moreno wrote:

  Hi people.

  I had been reading info about squid_ldap_auth vs windows 2003 AD
server, I have some questions that would like to know if someone can
clear my brain.

  squid 2.7.x.


http://www.squid-cache.org/Versions/v2/2.HEAD/manuals/squid_ldap_auth.html



  When a user has special characters in his password, once the browser
opens the credential window it won't accept the user's password and
cache.log says:

squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'

Does anyone know about this strange thing?


LDAP uses the word "bind" to mean query parameters for searching the 
directory/database for something.


Adding the debug (-d) option may explain a bit.



Second, what is the difference between these two settings:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v 3
-b dc=example,dc=local -D cn=squid,cn=Users,dc=example,dc=local -w
password -f "sAMAccountName=%s" -u uid -P 192.168.50.104:389
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v 3
-b dc=example,dc=local -D "squid@example.local" -w password -f
"sAMAccountName=%s" -u uid -P 192.168.50.104:389


The LDAP account used by Squid (-D option) differs in its representation 
syntax. see LDAP protocol for what it all means.



Both works.

  Last thing, do we need to use a super-user from AD to bind to the AD
server, or do we just need a normal user?


You just said the "squid@example.local" account worked. Minimal 
privileges is recommended.


Amos


Re: [squid-users] squid_ldap_auth - Thousands of Requests

2011-03-10 Thread Paul
>
> > The "squid_ldap_auth:" lines are coming from the helper. The problems
> > is exactly as stated, the LDAP server is not answering connection
> > requests.
> >
> > The "commBind:" lines are from squid itself. Squid-2 always uses
> > bind(), even if there is no address being bound. That message
> > indicates there is no socket available to be dedicated on the link or
> > the stack is getting confused.
> >
> > It seems like your kernel or networking is not able to cope with the
> > number of TCP sockets those thousands of requests are needing to use.
> >
>   
I maybe should have made it clearer that these are hundreds of requests
per second. I can easily understand how a part of the overall process is
getting overloaded with this rate of traffic; however, I have only 150
users and this is a new problem. I've been running with the same config
for the last 3 months or so.


> > Check some of the HTTP headers arriving into Squid. Base-64 decoding
> > the "random" letter string on the Proxy-Authorization: should come on
> > up with "username:password". If the username is actually missing it is
> > probably malicious.
> >
> > For these auth symptoms on a forward proxy it would be suspicious
> > stuff coming out of the LAN to look for. Infected clients, broken
> > software becoming popular, etc.
> >
> >
> > Amos
>   
Malicious/viral was/is my suspicion, but as yet I can't find anything in
the tcpdump to indicate the problem machine. The username in the LDAP
query is definitely blank and I'm only seeing the LDAP requests without
a corresponding inbound auth attempt/get/connect etc. My machines are
all fully patched and have current up-to-date anti-virus, so I'm kind of
at a loss. The problem does go away as my users go home and comes back
the following day, which also indicates malicious/viral, so I guess I'll
have to just try to isolate them into smaller groups to try and narrow
it down.

If you have any other suggestions please let me know

Thanks

Paul




Re: [squid-users] squid_ldap_auth - Thousands of Requests

2011-03-10 Thread Amos Jeffries

On 10/03/11 00:04, Paul wrote:

In the last 24 hours I've started seeing thousands of requests to my
LDAP server being sent by the squid_ldap_auth helper. In my cache.log
I'm seeing hundreds of  "squid_ldap_auth: WARNING, LDAP search error
'Can't contact LDAP server'" entries, interspersed with "2011/03/09
10:49:29| commBind: Cannot bind socket FD 76 to *:0: (98) Address
already in use". The CPU usage on my LDAP server is extremely high and
this is obviously causing problems for my users.


The "squid_ldap_auth:" lines are coming from the helper. The problem is
exactly as stated, the LDAP server is not answering connection requests.


The "commBind:" lines are from squid itself. Squid-2 always uses bind(), 
even if there is no address being bound. That message indicates there is 
no socket available to be dedicated on the link or the stack is getting 
confused.


It seems like your kernel or networking is not able to cope with the 
number of TCP sockets those thousands of requests are needing to use.




tcpdump shows the requests going to the LDAP server have no "user"
information i.e cn..none.*..groupMembership..cn=InternetAccess,o=org and
that for each request to LDAP there is NO corresponding request to
Squid. It's as if a process on one of my internal machines is sending a
request in such a way that the squid_ldap_auth helper is getting stuck
yet I can't see this in the tcpdump trace either.


Check some of the HTTP headers arriving into Squid. Base-64 decoding the
"random" letter string on the Proxy-Authorization: should come up
with "username:password". If the username is actually missing it is
probably malicious.




Reloading or restarting Squid relieves the problem for a short while but
it soon reoccurs

I'm using Squid 2.7Stable6-6.1 on openSuSE_11.3 64 bit with all modules
up to date from the official SuSE repos. Squid is a forward proxy only
and there is nothing suspicious coming from the Internet at large



For these auth symptoms on a forward proxy it would be suspicious stuff 
coming out of the LAN to look for. Infected clients, broken software 
becoming popular, etc.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
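The check Amos describes, as an added example that is not part of the original thread (my code, not Squid's): it decodes the Basic token from each Proxy-Authorization header line and flags the ones that would reach squid_ldap_auth with a blank or garbage username, which is what Paul saw in his LDAP traffic. The header lines are constructed for the example, not captured traffic; the verdict names are my own.

```python
import base64
import binascii
import re

# Constructed sample header lines (made up for this example, not captured
# traffic). The first is a normal login; the rest are the shapes worth
# hunting for when the helper is being hammered with blank-username lookups.
SAMPLE_HEADERS = [
    "Proxy-Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode(),
    "Proxy-Authorization: Basic " + base64.b64encode(b":").decode(),
    "Proxy-Authorization: Basic " + base64.b64encode(b":onlypassword").decode(),
    "Proxy-Authorization: Basic " + base64.b64encode(b"nocolon").decode(),
    "Proxy-Authorization: Basic !!!!notbase64",
    "Proxy-Authorization: NTLM " + base64.b64encode(b"NTLMSSP\x00").decode(),
]

BASIC_RE = re.compile(r"^Proxy-Authorization:\s*Basic\s+(\S+)\s*$", re.IGNORECASE)


def classify_basic(header_line):
    """Classify one Proxy-Authorization header line.

    Returns (verdict, username); verdict is one of
    'not-basic', 'undecodable', 'malformed', 'empty-user' or 'ok'.
    """
    m = BASIC_RE.match(header_line)
    if not m:
        return "not-basic", None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return "undecodable", None
    # The Basic scheme does not fix a charset; try UTF-8, fall back to Latin-1.
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")
    if ":" not in text:
        return "malformed", None
    user, _password = text.split(":", 1)
    if user == "":
        return "empty-user", ""
    return "ok", user


def suspicious(header_lines):
    """(index, verdict) for every line that would make the helper look up a blank or garbage user."""
    return [
        (i, verdict)
        for i, (verdict, _) in enumerate(classify_basic(line) for line in header_lines)
        if verdict in ("empty-user", "malformed", "undecodable")
    ]


if __name__ == "__main__":
    for index, verdict in suspicious(SAMPLE_HEADERS):
        print(f"line {index}: {verdict}: {SAMPLE_HEADERS[index]}")
```

Feed it the Proxy-Authorization lines pulled from a capture on the proxy port together with the client address of each request; the addresses behind the empty-user tokens are the machines to isolate first. Note that none of this touches the password, which is only split off and discarded.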


Re: [squid-users] squid_ldap_auth

2010-05-04 Thread Luis Daniel Lucio Quiroz
On Tuesday 4 May 2010 14:10:00, burbankmarc wrote:
> Hey all,
> 
> I have ldap authentication working in squid 3.1.3, and it works
> well, except that the user has to authenticate every time they open a
> browser window. All the users are XP using IE. I have another squid (2.5)
> instance running using NTLM and they only need to type in their credentials
> when their password changes.
> 
> Is there a way to get similar functionality using squid_ldap_auth?

Unfortunately that behaviour is perfectly normal in basic auth;
every new window of your IE doesn't know what session the others have and they
don't share previous authentication. But if you do a Ctrl+T (new tab) IE (or
Mozilla) won't ask for a new password.

With NTLM it is the same, but the browser sends the password for you :)

Maybe program an external ACL to keep track of which IPs are being used, and
if there's an already authenticated session with IP X, the next request from IP X
won't need a password. But be careful, you will lose usernames in the log file.

LD


Re: [squid-users] squid_ldap_auth \5c issue

2009-10-31 Thread Henrik Nordstrom
On Sat 2009-10-31 at 21:23 +0800, Hendrik Suantio wrote:

> Basically internet explorer or other browser will automatically insert
> username "foo\jack" and password the same as login password for the
> authentication, but when I check with :

No it won't.

MSIE can perform automatic NTLM authentication which results in
usernames like that, but when using basic authentication the user has to
enter his login.

> foo\jack somepassword
> 
> Then, the debug will says that :
> user filter 'sAMAccountName=foo\5cjack'

This is the same as foo\jack in LDAP syntax.  \ is a reserved/special
character in LDAP and needs special treatment and is why it shows up as
\5c here.  \5c in a search filter matches a literal \ in the LDAP field.

Regards
Henrik
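Henrik's \5c explanation in code, as an added example that is not part of the original thread (the helper's own C source does the equivalent; this Python is mine): the RFC 4515 escaping that turns foo\jack into foo\5cjack, applied to a -f template of the sAMAccountName=%s form used throughout this page, with an unescaped builder beside it to show why the escaping matters for anything a browser-supplied username can contain. The template strings and usernames are constructed for the example.

```python
# RFC 4515 section 3: inside a filter assertion value the characters
# '*', '(', ')', '\' and NUL must be written as a backslash followed by
# two hex digits. That is why foo\jack shows up as foo\5cjack in the
# helper's debug output: 0x5c is the ASCII code of '\'.
_FILTER_SPECIALS = {
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\\": "\\5c",
    "\x00": "\\00",
}


def escape_filter_value(value):
    """Escape one assertion value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def build_user_filter(template, username):
    """Substitute the escaped username for %s in a squid_ldap_auth-style -f template.

    The template is assumed to contain one %s placeholder, as in
    'sAMAccountName=%s' or '(&(objectclass=person)(sAMAccountName=%s))'.
    """
    return template.replace("%s", escape_filter_value(username))


def naive_user_filter(template, username):
    """Same substitution without escaping; here only to contrast with build_user_filter."""
    return template.replace("%s", username)


if __name__ == "__main__":
    template = "(&(objectclass=person)(sAMAccountName=%s))"
    for user in ("foo\\jack", "*", "x)(cn=*"):
        print("escaped:", build_user_filter(template, user))
        print("naive:  ", naive_user_filter(template, user))
```

With the naive builder a username of `*` turns the user clause into a wildcard that matches every person, and `x)(cn=*` rewrites the structure of a compound filter; after escaping both are literal strings that match no account, and the only way to match a literal backslash in the directory is the `\5c` form Henrik describes.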




Re: [squid-users] squid_ldap_auth failure

2009-06-16 Thread Chris Robertson

Benjamin Fleckenstein wrote:

Hi there,

I've tried to set up a connection from a Squid Proxy (Version 2.6.STABLE10) to 
our AD Server (Windows 2003 Server). I've already tried several commands but 
there always appears an error. I already checked different forums and manuals 
but I don't get the connection to work.

For testing the connection I've tried the following command:

./squid_ldap_auth -R -b "dc=my,dc=domain" -D "cn=username,dc=my,dc=domain" -w "password" -f 
sAMAccountName=%s -h <>:389
username password
squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'
ERR Invalid credentials

The user and password is correct.


The Wiki shows different options used when querying a Win2k3 server:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap#head-3793850746c1c1e7a0108faa8ae46f33bdd57bd9

I'd suggest trying...

./squid_ldap_auth -v 3 -b "dc=my,dc=domain" -D "cn=username,ou=Generic 
User Accounts,dc=my,dc=domain" -w "password" -f sAMAccountName=%s -h 
<>


...or just going with the Windows AD authentication: 
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory



 I've installed the ADSnapshot Tool to test if the user is able to query the
LDAP server. That works!

Does anybody have an idea why I always get that error and what I could try to
bring this to work? Could it be a bug or is there something wrong with my query?

For any help any ideas I would be thankful!

Lukas
  


Chris



Re: [squid-users] squid_ldap_auth question

2009-02-27 Thread Amos Jeffries

Les Halliday wrote:

---
regards, les halliday
d...@eksjo.se 
tel 0381 36627

"Mariano Aller"  02/27/09 1:18 PM >>>

Thanks Amos.


-Original message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, 27 February 2009 10:13 a.m.
To: Mariano Aller
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] squid_ldap_auth question

Mariano Aller wrote:

Amos
	Has problems or doesn't support it?
Mariano.



Problems.



Maybe these will help you track the issue down:
http://www.squid-cache.org/mail-archive/squid-users/200407/0845.html



Or there is a patch if it turns out to be the charset problem:
http://www.squid-cache.org/Versions/v2/HEAD/changesets/12298.patch




Amos


Mariano

If you download and compile 2.7 HEAD the patch has been applied.
There is a new configuration option in squid.conf.
"auth_param basic utf8" set it to on
auth_param basic utf8 on

It works for me with the swedish characters. Good luck.




FYI:  2.HEAD or 3.1 betas.

Though the docs were omitted from the 3.1 release notes somehow :(

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


RE: [squid-users] squid_ldap_auth question

2009-02-27 Thread Les Halliday
---
regards, les halliday
d...@eksjo.se 
tel 0381 36627
>>> "Mariano Aller"  02/27/09 1:18 PM >>>
>Thanks Amos.

-Original message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, 27 February 2009 10:13 a.m.
To: Mariano Aller
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] squid_ldap_auth question

Mariano Aller wrote:
>> Amos
> > Has problems or doesn't support it?
> 
>> Mariano.
> 

>Problems.

>Maybe these will help you track the issue down:
>http://www.squid-cache.org/mail-archive/squid-users/200407/0845.html

>Or there is a patch if it turns out to be the charset problem:
>http://www.squid-cache.org/Versions/v2/HEAD/changesets/12298.patch


>Amos

Mariano

If you download and compile 2.7 HEAD the patch has been applied.
There is a new configuration option in squid.conf.
"auth_param basic utf8" set it to on
auth_param basic utf8 on

It works for me with the swedish characters. Good luck.









RE: [squid-users] squid_ldap_auth question

2009-02-27 Thread Mariano Aller
Thanks Amos.

-Original message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, 27 February 2009 10:13 a.m.
To: Mariano Aller
CC: squid-users@squid-cache.org
Subject: Re: [squid-users] squid_ldap_auth question

Mariano Aller wrote:
> Amos
>   Has problems or doesn't support it?
> 
> Mariano.
> 

Problems.

Maybe these will help you track the issue down:
http://www.squid-cache.org/mail-archive/squid-users/200407/0845.html

Or there is a patch if it turns out to be the charset problem:
http://www.squid-cache.org/Versions/v2/HEAD/changesets/12298.patch


Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.5



Re: [squid-users] squid_ldap_auth question

2009-02-27 Thread Amos Jeffries

Mariano Aller wrote:

Amos
	Has problems or doesn't support it?


Mariano.



Problems.

Maybe these will help you track the issue down:
http://www.squid-cache.org/mail-archive/squid-users/200407/0845.html

Or there is a patch if it turns out to be the charset problem:
http://www.squid-cache.org/Versions/v2/HEAD/changesets/12298.patch


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


Re: [squid-users] squid_ldap_auth question

2009-02-27 Thread Amos Jeffries

Mariano Aller wrote:

I'm trying to authenticate and authorize users of MS Active Directory
(Win2003) with squid_ldap_auth and squid_ldap_group. It works fine, but I
have some users (i.e. muñoa, peña) that can't. Is it possible?


Squid has problems with non-us-ASCII characters in usernames.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


Re: [squid-users] squid_ldap_auth and passwords in clear text

2008-11-27 Thread Matias Chris
Henrik,

I have tried LDAP authentication in the past and stopped using it because
of the passwords being sent in clear text. I read about TLS but then I
would need my DC to be a CA and that is not feasible at the moment. So
I'm testing NTLMSSP now, but it is not being very stable and I also read
that it is not recommended for networks with more than 200 users.

Is this the end of the road? Is there any other method I'm missing to
authenticate users against AD? Transparently?

Thanks,

On Tue, Nov 18, 2008 at 6:59 AM, Henrik Nordstrom
<[EMAIL PROTECTED]> wrote:
> On Fri, 2008-11-14 at 10:31 -0600, Johnson, S wrote:
>
>> I just got the squid_ldap_auth working ok on my segment but when
>> watching the protocol analyzer I see that the auth requests against the
>> AD are coming in as clear text passwords.  Is there anyway we can
>> encrypt the ldap domain requests?
>
> By AD do you refer to Microsoft AD? In such case use NTLM authentication
> instead of LDAP.
>
> You can also TLS encrypt the LDAP communication, but this does not
> protect the credentials sent by browsers to Squid, just the
> communication squid->LDAP.
>
> Regards
> Henrik
>
>
>


Re: [squid-users] squid_ldap_auth and passwords in clear text

2008-11-18 Thread Henrik Nordstrom
On Fri, 2008-11-14 at 10:31 -0600, Johnson, S wrote:

> I just got the squid_ldap_auth working ok on my segment but when
> watching the protocol analyzer I see that the auth requests against the
> AD are coming in as clear text passwords.  Is there anyway we can
> encrypt the ldap domain requests?

By AD do you refer to Microsoft AD? In such case use NTLM authentication
instead of LDAP.

You can also TLS encrypt the LDAP communication, but this does not
protect the credentials sent by browsers to Squid, just the
communication squid->LDAP.

Regards
Henrik
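A squid.conf fragment contrasting the setup that Henrik's reply here and Amos's "minimal privileges" reply in the 2013 binddn thread at the top of the page both warn about with a tighter one. It is added as an example and is not taken from any poster's configuration or from the Squid documentation. The helper options -W (read the bind password from a file instead of placing it on the command line) and -Z (TLS on the helper's LDAP connection) are from the squid_ldap_auth manual; the helper path, DNs, hostname, password and password-file name are assumptions made for the example.

```conf
# Weak: highly privileged bind account, bind password on the helper command
# line (readable in squid.conf and in the process listing of anyone who can
# run ps), LDAP in the clear on port 389.
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -v 3 -b "dc=example,dc=local" -D "cn=Administrator,cn=Users,dc=example,dc=local" -w "AdminPassw0rd" -f "sAMAccountName=%s" -h dc1.example.local -p 389

# Tighter: a dedicated account with no rights beyond reading user objects,
# the password read from a file owned by root, group-readable by the Squid
# effective user only (-W), and TLS on the helper's LDAP connection (-Z).
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -v 3 -b "dc=example,dc=local" -D "cn=squid-bind,ou=Service Accounts,dc=example,dc=local" -W /etc/squid3/ldap_bind.pw -f "sAMAccountName=%s" -h dc1.example.local -p 389 -Z
auth_param basic children 5
auth_param basic realm Internet Authentication
auth_param basic credentialsttl 2 hours
```

Two caveats. First, as Henrik says, -Z only protects the Squid-to-LDAP leg; with the basic scheme the browser still sends username:password to Squid base64-encoded, not encrypted, so the digest or Negotiate schemes are what change that. Second, -Z means the helper's LDAP library must trust the domain controller's certificate (for OpenLDAP, a TLS_CACERT entry in ldap.conf pointing at the issuing CA), which is the CA requirement Matias mentions in his reply. On the privilege question, the 2012 thread further down shows an ordinary account in UPN form ("squid@example.local") binding successfully, and "Invalid credentials" on the bind means the DN/password pair itself was rejected, so check the -D form before granting the account any extra rights.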






Re: [squid-users] squid_ldap_auth and passwords in clear text

2008-11-14 Thread Amos Jeffries

Johnson, S wrote:

Since this is going to be a "public" network, people will have the
ability to load wireshark or another sniffer program.


Ah, okay.



I just got the squid_ldap_auth working ok on my segment but when
watching the protocol analyzer I see that the auth requests against the
AD are coming in as clear text passwords.  Is there anyway we can
encrypt the ldap domain requests?


digest auth is the best available for password encryption.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2


Re: [squid-users] squid_ldap_auth + ad2003

2008-01-21 Thread koluchy

But I have restructured AD2003, and the groups changed to an organizational unit. I
changed my message on nabble.com.

I have my users:
 in a OU=Unibel, user=unibel and
 in a default container 'Users' user=squidtest.

Authentication for users in the 'Users' container works well:
./squid_ldap_auth -u cn -b "cn=Users,dc=bsuir,dc=by" 172.16.83.1
squidtest squidtest
OK

How do I check authentication for users in the Organization Unit? What
command line parameters for squid_ldap_auth use?
I saw the squid_ldap_auth manual, but I do not help solve the problem.
Tried recording format:
./squid_ldap_auth -b "ou=Unibel,dc=bsuir,dc=by"  172.16.83.1
unibel unibel
ERR Success

please help me

Regards
   Andrew Matskevich

-- 
View this message in context: 
http://www.nabble.com/squid_ldap_auth-%2B-ad2003-tp14948010p14996691.html
Sent from the Squid - Users mailing list archive at Nabble.com.



Re: [squid-users] squid_ldap_auth + ad2003

2008-01-21 Thread koluchy



Klaubert Herr da Silveira-2 wrote:
> 
> Andrew,
> 
> by my quick research the group "Domain Users" are a special group, and
> are not a good group do this job, maybe is better to use other group
> where you turn all users members off it.
> 
> To include a check of group you should use a ldap filter in your
> request, something like this:
> -f "(&(objectClass=person)(memberOf=CN=Manual Domain Users,
> CN=Users,dc=bsuir,dc=by))"
> 
> A good reference is http://workaround.org/moin/SquidLdap.
> 
> []'s
> Klaubert
> 
> 
> On Jan 18, 2008 6:36 AM, koluchy <[EMAIL PROTECTED]> wrote:
>>
>> I have my users in a group at the 'Domain Users', default container
>> 'Users'.
>>
>> Authentication for users in the 'Users' container works well:
>> ./squid_ldap_auth -u cn -b "cn=Users,dc=bsuir,dc=by" 172.16.83.1
>> squidtest squidtest
>> OK
>>
>> How do I check authentication for users in the 'Domain Users' group in a
>> container Users? What command line parameters for squid_ldap_auth use?
>>
>> I saw the squid_ldap_auth manual, but I do not help solve the problem.
>>
>> please help me
>>
>> Regards
>>Andrew Matskevich
>> --
>> View this message in context:
>> http://www.nabble.com/squid_ldap_auth-%2B-ad2003-tp14948010p14948010.html
>> Sent from the Squid - Users mailing list archive at Nabble.com.
>>
>>
> 
> 

Thanks thanks thanks

-- 
View this message in context: 
http://www.nabble.com/squid_ldap_auth-%2B-ad2003-tp14948010p14996501.html
Sent from the Squid - Users mailing list archive at Nabble.com.



Re: [squid-users] squid_ldap_auth + ad2003

2008-01-18 Thread Klaubert Herr da Silveira
Andrew,

by my quick research the group "Domain Users" are a special group, and
are not a good group do this job, maybe is better to use other group
where you turn all users members off it.

To include a check of group you should use a ldap filter in your
request, something like this:
-f "(&(objectClass=person)(memberOf=CN=Manual Domain Users,
CN=Users,dc=bsuir,dc=by))"

A good reference is http://workaround.org/moin/SquidLdap.

[]'s
Klaubert


On Jan 18, 2008 6:36 AM, koluchy <[EMAIL PROTECTED]> wrote:
>
> I have my users in a group at the 'Domain Users', default container 'Users'.
>
> Authentication for users in the 'Users' container works well:
> ./squid_ldap_auth -u cn -b "cn=Users,dc=bsuir,dc=by" 172.16.83.1
> squidtest squidtest
> OK
>
> How do I check authentication for users in the 'Domain Users' group in a
> container Users? What command line parameters for squid_ldap_auth use?
>
> I saw the squid_ldap_auth manual, but I do not help solve the problem.
>
> please help me
>
> Regards
>Andrew Matskevich
> --
> View this message in context: 
> http://www.nabble.com/squid_ldap_auth-%2B-ad2003-tp14948010p14948010.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
>
>


Re: [squid-users] squid_ldap_auth : Can't contact LDAP Server

2007-09-26 Thread Henrik Nordstrom
On Fri, 2007-09-21 at 17:23 +0100, Darren Durbin wrote:

> I'm using the following in the squid.conf (edited to remove site info) :
> 
> auth_param basic program /usr/lib/squid/squid_ldap_auth -f
> "SamAccountName=%s" -d -b "dc=company,dc=co,dc=uk" -D
> "cn=,cn=Users,dc=company,dc=co,dc=uk" -P -w "" -h
> "dc-1.company.co.uk" -p 3268
> 
> If I enter this from the command line, enter a suitable
> username/password then I get:
> 
> user filter 'SamAccountName=', searchbase
> 'dc=company,dc=co,dc=uk'
> attempting to authenticate user
> 'CN=,CN=Users,DC=company,DC=co,DC=uk'
> OK
> 
> Which seems great, but I can't get it to work in squid!

Can't see anything wrong. Should work..

Hmmm.. Fedora Core you say.. have you tried disabling SELinux? Not sure
what the default Squid SELinux profile looks like...

Regards
Henrik




Re: [squid-users] squid_ldap_auth

2007-03-07 Thread Henrik Nordstrom
On Wed, 2007-03-07 at 10:32 +0500, Eugene M. Zheganin wrote:

> But I still have the same problem with spaces.
> 
> So, I have the
> 
> acl ad-internet-users external ldap_group Internet Users - Proxy1
> 
> line in config.

Ah, I thought you were talking about usernames with spaces in them, not
groups.

To have acl elements defined with spaces in them you currently need to
use an included acl file. The squid.conf parser does not support any
escaping or quoting..

acl ad-internet-users external ldap_group "/path/to/ad-internet-users.txt"

and in the ad-internet-users.txt file specify the group name(s) one per
line.

Regards
Henrik




Re: [squid-users] squid_ldap_auth

2007-03-06 Thread Eugene M. Zheganin

Hi, Henrik.

Henrik Nordstrom wrote:
>> 2) the RFC rfc2254 defined the escaping of the characters. It doesn't
>> say that spaces need to be escaped, but, since squid_ldap_group accepts
>> neither quotes nor double quotes, I tried to use RFC2254 escaping
>> when using squid_ldap_group from shell.
>
> See the external_acl_type directive for a description of the format used
> between Squid and the helper..
>
> If protocol=3.0 (the default) then URL escaping is used to protect
> each value in both requests and responses.
>
> If using protocol=2.5 then all values need to be enclosed in quotes
> if they may contain whitespace, or the whitespace escaped using \.
> And quotes or \ characters within the keyword value must be \ escaped.
>
> Usernames with spaces in them should work fine in your Squid.
>
> To test manually from the command line you need to properly escape the
> input to the helper. As you are using Squid-2.6 the input should be
> URL-escaped using %20 as space.


Thanks for the explanation of the ttl parameter, now it works fine.

But I still have the same problem with spaces.

So, I have the

acl ad-internet-users external ldap_group Internet Users - Proxy1


line in config. And helper uses the protocol 3.0. When it looks as above 
squid thinks that this is the list of groups, and parses them 
sequentually one after one.

With the look like this

acl ad-internet-users external ldap_group Internet%20Users%20-%20Proxy1


(which works fine from the commandline test) it looks like those symbols 
are passed to helper in some escaped way, because they appear in 
helper's debug log :(.


So when launched from shell I get (manually inserting 
Internet%20Users%20-%20Proxy1):


% ./squid_ldap_group -d -b cn=Users,dc=domain,dc=local -f \
    "(&(cn=%g)(member=%u)(objectClass=group))" -F "sAMAccountname=%s" \
    -D cn=dca,cn=Users,dc=domain,dc=local -w somepass -h 192.168.3.6 -v 3 -p 389
emz Internet%20Users%20-%20Proxy1
Connected OK
user filter 'sAMAccountname=emz', searchbase 'cn=Users,dc=domain,dc=local'
group filter '(&(cn=Internet Users - Proxy1)(member=CN=Some User,CN=Users,DC=domain,DC=local)(objectClass=group))', searchbase 'cn=Users,dc=domain,dc=local'
OK

(all is fine)

When used in squid config (from the last example above) I see those 
lines in cache.log:


Connected OK
user filter 'sAMAccountname=emz', searchbase 'cn=Users,dc=domain,dc=local'
group filter '(&(cn=Internet%20Users%20-%20Proxy1)(member=CN=Some User,CN=Users,DC=domain,DC=local)(objectClass=group))', searchbase 'cn=Users,dc=domain,dc=local'

and I suppose this confuses helper, as squid doesn't allow this user to 
get his requested web-page.


I also tried to use 'protocol=2.5' parameter as the helper argument in 
squid config (edited the config, stopped squid, started squid again).

I get the following results with it:

Internet\ Users\ -\ Proxy1 - '\' escaped as \5c, space trimmed
"Internet Users - Proxy1" - I get 'strToFile Internet not found' message
'Internet Users - Proxy1' - I get the same message.
Internet Users - Proxy1 - not tried, because its clear that squid will 
think that its a list.


So I still don't understand how to use spaces. Forgive my possible 
dumbness, but can you give me any further advice?




Thanks. Eugene.


Re: [squid-users] squid_ldap_auth

2007-03-05 Thread Henrik Nordstrom
On Mon, 2007-03-05 at 16:35 +0500, Eugene M. Zheganin wrote:

> I have read about the squid_ldap_group and decided to use it, because it 
> restores the config management scheme back to its base. I successfully 
> created and set up all the needed acls, removed the blocking acls and 
> start using squid_ldap_group.

Good.

> However, I've encountered some of regrettable weaknesses in it.
> 
> 1) the best benefit of using 'ntlm_auth' and 
> '--require-membership-of=[bla-bla]' was immediate effect on the user. 
> Immidiately after the adding user in the 'Internet Users' group he was 
> able to start using proxy. In the case of 'squid_ldap_group' changes are 
> visible immidiately too, but only when using the helper from a shell. 
> When using it with the proxy, squid needs to be '-k reconfigure'd after 
> each LDAP group modification. Can this behavior be evaded ? Is this a 
> squid limitation or some of my errors in its configuration ?

The same is true with squid_ldap_auth, but you need to shorten the
negative TTL. See the external_acl_type directive. The default is one
hour which is a bit much for what you are doing..

> 2) the RFC rfc2254 defined the escaping of the characters. It doesn't 
> say that spaces need to be escaped, but, since squid_ldap_group accepts 
> neither quotes nor double quotes, I tried to use RFC2254 escaping 
> when using squid_ldap_group from shell.

See the external_acl_type directive for a description of the format used
between Squid and the helper..

If protocol=3.0 (the default) then URL escaping is used to protect
each value in both requests and responses.

If using protocol=2.5 then all values need to be enclosed in quotes
if they may contain whitespace, or the whitespace escaped using \.
And quotes or \ characters within the keyword value must be \ escaped.


> It doesn't work, because squid 
> replaces '\20' to '\5c20' (for some reason).

\5c20 is the text \20 escaped per RFC2254.

> However, the RFC2254 
> escaping works when using from 'ldapsearch' tool.

Yes, that's because you are specifying the LDAP search filter manually.
This syntax also has to be used in the filter argument(s) to
squid_ldap_group. But you should not need to escape the space character
in LDAP search filters, it's not a reserved character.


> So at the moment I'm 
> limited to the use of the AD names without spaces in them. (and the 
> question is of course - will this be fixed or may be extended ?)

Usernames with spaces in them should work fine in your Squid.

To test manually from the command line you need to properly escape the
input to the helper. As you are using Squid-2.6 the input should be
URL-escaped using %20 as space.

Regards
Henrik


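The two escaping layers Henrik describes in this reply and in Eugene's follow-up above, as a runnable model added here (it is not Squid's or squid_ldap_group's own code): the URL-escaping of each field on the Squid-to-helper request line under protocol=3.0, the quoting under protocol=2.5, and the RFC 2254 escaping a helper must apply when it substitutes a decoded value into its LDAP search filter. The group name, the user DN and the -f template are constructed to match the cache.log lines in the thread, and the handling of %u is simplified: the real helper first resolves the login to a DN through its -F search, whereas here the request line already carries the DN.

```python
"""
Model of helper-protocol escaping (Squid -> external_acl helper) and of the
RFC 2254 escaping applied when values go into an LDAP filter.
Added example, not Squid's or the helper's own code; sample values constructed.
"""
from urllib.parse import quote, unquote

# Constructed sample values, modelled on the cache.log lines in this thread.
USER_DN = "CN=Some User,CN=Users,DC=domain,DC=local"
GROUP = "Internet Users - Proxy1"
GROUP_FILTER = "(&(cn=%g)(member=%u)(objectClass=group))"  # the -f template used above


def encode_request_v30(*values):
    """protocol=3.0 (the default): every field URL-escaped, fields joined by a space."""
    return " ".join(quote(v, safe="") for v in values)


def decode_request_v30(line):
    """What the helper does with a protocol=3.0 request line before using the values."""
    return [unquote(field) for field in line.split()]


def encode_request_v25(*values):
    """protocol=2.5: a value containing whitespace is enclosed in double quotes;
    a backslash or double quote inside a value is escaped with a backslash."""
    out = []
    for v in values:
        escaped = v.replace("\\", "\\\\").replace('"', '\\"')
        out.append('"%s"' % escaped if any(ch.isspace() for ch in v) else escaped)
    return " ".join(out)


def ldap_filter_escape(value):
    """RFC 2254 escaping of an assertion value: only ( ) * \\ and NUL are
    reserved. A space is an ordinary character and is left alone, which is why
    a literal "\\20" typed into the value comes out as "\\5c20"."""
    reserved = {"(": "\\28", ")": "\\29", "*": "\\2a", "\\": "\\5c", "\x00": "\\00"}
    return "".join(reserved.get(ch, ch) for ch in value)


def build_filter(template, **codes):
    """Substitute escaped values for the %g / %u style codes in a filter template."""
    out = template
    for code, value in codes.items():
        out = out.replace("%" + code, ldap_filter_escape(value))
    return out


def group_filter_for_request(line, template=GROUP_FILTER):
    """Whole chain: request line -> decoded fields -> escaped LDAP group filter.
    Simplification: the real squid_ldap_group turns the login into a DN with
    its -F search first; here the line already carries the DN, so %u is taken
    from the first field directly."""
    user, group = decode_request_v30(line)[:2]
    return build_filter(template, g=group, u=user)


if __name__ == "__main__":
    line = encode_request_v30(USER_DN, GROUP)
    print("helper request:", line)
    print("group filter:  ", group_filter_for_request(line))
    # A group name already written as %20 in squid.conf gets escaped a second time:
    print("double-encoded:", encode_request_v30("emz", "Internet%20Users%20-%20Proxy1"))
```

Running the block shows the failure mode from the cache.log above: a group name written as Internet%20Users%20-%20Proxy1 in squid.conf reaches the helper as Internet%2520Users%2520-%2520Proxy1, decodes to the literal percent text, and so lands in the filter as (cn=Internet%20Users%20-%20Proxy1). Only the raw name (in an included acl file) round-trips cleanly, and a backslash typed into the value is itself escaped to \5c by the filter layer.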


Re: [squid-users] squid_ldap_auth: Could not Activate TLS connection

2006-12-20 Thread Henrik Nordstrom
On Tue, 2006-12-19 at 16:07 +0100, [EMAIL PROTECTED] wrote:

> I'm using squid_ldap_auth to authenticate against our LDAP server.
> Our LDAP server accepts only ldaps (port 636) and anonymous simple bind is 
> disabled.

> And now my problem... squid_ldap_auth doesn't work:
> $ echo " " | /usr/local/squid/libexec/squid_ldap_auth -u cn 
> -b o=xxx -f "(&(cn=)(groupMembership=cn=xxx,o=xxx))" -H 
> ldaps://server.domain -v 3 -Z
> Could not Activate TLS connection

Hmm.. I don't think you can mix both ldaps (LDAP over SSL/TLS) and TLS
(TLS encryption within LDAP).. That would be double encryption and
probably not supported neither by OpenLDAP or your server. Try without
-Z.

Also note that ldaps is considered obsolete, and any new LDAPv3
implementations should use TLS instead. ldaps is only specified for
LDAPv2. But most LDAPv3 implementations also supporting LDAPv2 supports
ldaps for LDAPv3 as well.

Also if anonymous simple bind is disabled then you need to provide an
account squid_ldap_auth should use while performing the searches. But
that's the next step in the process after the connection has been
established..

Regards
Henrik




Re: [squid-users] squid_ldap_auth basic against Windows AD: Don't ask for user/password

2006-10-27 Thread Mark Elsen

> Yes, that's it. Now I will try to understand it.




http_access rules are acknowledged on a first match basis,
therefore you must write an AND(ed) condition, stating
that both conditions must be met :

  http_access allow internal_net domainusers

M.


Re: [squid-users] squid_ldap_auth basic against Windows AD: Don't ask for user/password

2006-10-27 Thread MarceloK
Yes, that's it. Now I will try to understand it.

Thank you.

Marcelo Koehler

On Wed, 25 Oct 2006 16:35:17 +0200, "Mark Elsen" <[EMAIL PROTECTED]> wrote:

> >
> >http_access allow internalnet
> >http_access allow domainusers
> >...
> 
> Try :
> 
> http_access allow internalnet domainusers
> 
> (don't forget 'squid -k reconfigure')
> 
> M.
> 
> 
> 


Re: [squid-users] squid_ldap_auth basic against Windows AD: Don't ask for user/password

2006-10-25 Thread Mark Elsen


> http_access allow internalnet
> http_access allow domainusers
> ...


Try :

http_access allow internalnet domainusers

(don't forget 'squid -k reconfigure')

M.
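Why the two orderings behave differently, as an added example that is not from the thread or from Squid: a minimal model of http_access first-match evaluation. `acl internalnet` is modelled as a constructed 192.168.1.0/24, and `domainusers` as a lookup in a constructed one-member set standing in for the external ldap_group helper (which needs an authenticated %LOGIN). `challenge_needed` reports whether evaluation ever reaches that login-dependent ACL, which is the point at which Squid would send a 407 and the browser would ask for a user/password; with the first ordering an internal client is allowed by the first line and is never asked.

```python
"""
Minimal model of Squid's first-match http_access evaluation.
Added example, not Squid's code; network and directory data are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed sample data: acl internalnet src 192.168.1.0/24, and one
# directory group member standing in for the external ldap_group lookup.
INTERNAL_NET = ip_network("192.168.1.0/24")
DOMAIN_USERS = {"alice"}
LOGIN_ACLS = {"domainusers"}  # ACLs that need an authenticated %LOGIN to be evaluated


def acl_internalnet(req):
    return ip_address(req["src"]) in INTERNAL_NET


def acl_domainusers(req):
    return req.get("user") in DOMAIN_USERS


ACLS = {"internalnet": acl_internalnet, "domainusers": acl_domainusers, "all": lambda req: True}

# The two squid.conf orderings from the thread, as (action, acl names) pairs.
MISORDERED = [("allow", ["internalnet"]), ("allow", ["domainusers"]), ("deny", ["all"])]
ANDED = [("allow", ["internalnet", "domainusers"]), ("deny", ["all"])]


def http_access(rules, req):
    """Action of the first rule whose ACLs all match; ACLs on one line are ANDed
    and tested left to right. If nothing matches, Squid does the opposite of the
    last rule's action."""
    for action, names in rules:
        if all(ACLS[name](req) for name in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def challenge_needed(rules, req):
    """True when evaluation reaches a login-dependent ACL for a request that has
    not authenticated: that is where Squid sends 407 Proxy Authentication
    Required. Evaluation stops at the first rule that matches without needing
    credentials, so such a rule placed earlier hides the challenge."""
    for _action, names in rules:
        for name in names:
            if name in LOGIN_ACLS and not req.get("user"):
                return True
            if not ACLS[name](req):
                break  # this rule cannot match; try the next one
        else:
            return False  # rule matched with no credentials required
    return False


if __name__ == "__main__":
    internal_anon = {"src": "192.168.1.10"}
    for label, rules in (("misordered", MISORDERED), ("ANDed", ANDED)):
        print(label, "internal client without credentials:",
              http_access(rules, internal_anon),
              "challenge" if challenge_needed(rules, internal_anon) else "no challenge")
```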


RE: [squid-users] squid_ldap_auth to authtenticate on Active Directory 2000

2006-08-01 Thread Janco van der Merwe
Henrik,

Here is what we did and it worked. I hope that it will help you. In AD I 
created an OU internetusers and specified it where I needed to.



Under auth_param
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b 
"dc=dunns,dc=co,dc=za" -D "cn=ldapreader,cn=users,dc=dunns,dc=co,dc=za" -w 
"ldappassword" -f sAMAccountName=%s -h (IP of DC)

Under External ACL
external_acl_type internetusergroup %LOGIN /usr/lib/squid/squid_ldap_group -R 
-b "dc=dunns,dc=co,dc=za" -D "cn=ldapreader,cn=users,dc=dunns,dc=co,dc=za" -w 
"ldappassword" -f 
"(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=internetusers,OU=Dunns 
Groups,OU=Dunns,dc=dunns,dc=co,dc=za))" -h (IP of DC)

Under acl
acl ldappassword proxy_auth REQUIRED
acl internetgroup external internetusergroup internetusers



Janco v.d Merwe
Network Administrator
Dunns Stores (PTY) Ltd
Switchboard: 011 541 3000
Direct: 011 541 3007
Fax: 086 632 1708

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: 01 August, 2006 08:30
To: sOngUs
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squid_ldap_auth to authtenticate on Active Directory 
2000

On Mon, 2006-07-31 at 11:18 -0600, sOngUs wrote:

> squid_ldap_auth -R -b cn=users,dc=mydomain,dc=com  -D
> "cn=administrator,cn=Users,dc=mydomain,dc=com" -w mypassword -f
> sAMAccountName=%s -h 192.168.0.1 (which is the IP address of the AD
> server.)
>
> But then id does nothing and if i press ENTER i get "ERR"...

You have to give something to work on, i.e. a username and password

username password

> Now.. the question is... which dependencies does this module have?
> cause i compiled squid with the right option (i think.. otherwise
> squid_ldap_auth wont be there...)

none..

> And installed Openldap so ill have libldap...   do i need to install
> anything else?

nope.

> I turned on a sniffer on the box, but there is no trace of any ldap conn...
> so im guessing im missing something...

the LDAP connection is opened when there is a query to resolve.

Regards
Henrik






Re: [squid-users] squid_ldap_auth to authtenticate on Active Directory 2000

2006-07-31 Thread Henrik Nordstrom
On Mon, 2006-07-31 at 11:18 -0600, sOngUs wrote:

> squid_ldap_auth -R -b cn=users,dc=mydomain,dc=com  -D
> "cn=administrator,cn=Users,dc=mydomain,dc=com" -w mypassword -f
> sAMAccountName=%s -h 192.168.0.1 (which is the IP address of the AD
> server.)
> 
> But then id does nothing and if i press ENTER i get "ERR"...

You have to give something to work on, i.e. a username and password

username password

> Now.. the question is... which dependencies does this module have?
> cause i compiled squid with the right option (i think.. otherwise
> squid_ldap_auth wont be there...)

none..

> And installed Openldap so ill have libldap...   do i need to install
> anything else?

nope.

> I turned on a sniffer on the box, but there is no trace of any ldap conn...
> so im guessing im missing something...

the LDAP connection is opened when there is a query to resolve.

Regards
Henrik




Re: [squid-users] squid_ldap_auth helpers with active directory

2006-05-09 Thread AF_INET
Hi all,

Problem solved :)

There were two problems:

1. You MUST use -v 3 as option for squid_ldap_auth 
2. My search filter was wrong

Now all works great!

Best regards,
Chris
___
Write SMS with WEB.DE FreeMail - easy, fast and
inexpensive. Try it now! http://f.web.de/?mc=021192



Re: [squid-users] squid_ldap_auth helpers with active directory

2006-05-08 Thread Francois Verbeek
I thought you have to use the DN 
(CN=UsersCommonName,OU=UsersOrgUnit,DC=Domain) for the user with which 
you connect (-D flag)..
I've never used squid_ldap_auth, but for squid_ldap_group that's how I 
got it working.
BTW, on your second  command line there is a " missing after 
[EMAIL PROTECTED]


If you use AD, have you given ntlm_auth (not that difficult to 
implement) a try to avoid the password to travel completely unencrypted?


just my 2 cents,

Francois



[EMAIL PROTECTED] wrote:

> Hello all,
>
> i have a problem with the squid_ldap_auth helpers. I'm trying to authenticate 
> against an Active Directory (W3K). For the following command this works fine:
>
> ./squid_ldap_auth -b "ou=myOU,dc=foo,dc=domain,dc=com" -s sub -D "[EMAIL PROTECTED]" -w 
> squidpwd -f "(&(objectcategory=person)(objectclass=user))" -h 10.45.100.10 -p 389
> user1 pwd1
> OK
>
> The directory structure looks like this
>
> dc=foo,dc=domain,dc=com
>  ou=myOU
>  ou=org1
>  ou=org2
>  ou=org3
>
> ...and so on. So i want to use "dc=foo,dc=domain,dc=com" as a more generic 
> search base. I want to authenticate all users regardless of the OU they are in. But if i 
> do this i get the following errors:
>
> ./squid_ldap_auth -b "dc=foo,dc=domain,dc=com" -s sub -D "[EMAIL PROTECTED] -w squidpwd -f 
> "(&(objectcategory=person)(objectclass=user))" -h 10.45.100.10 -p 389
> user1 pwd1
> squid_ldap_auth: WARNING, LDAP search error 'Can't contact LDAP server'
> ERR Success
>
> Things i tried so far:
> Moving the squid user (user i use for the bind to the ad) from cn=Users to the 
> root. Nothing changed.
> Tried an ldapsearch with the mentioned searchfilter. Works.
>
> Any suggestions?
>
> Thanks a lot,
> Chris



  


RE: [squid-users] squid_ldap_auth and filters

2006-03-13 Thread Marco Lucena
/usr/local/squid/libexec/squid_ldap_auth \
  -h ldapserver \
  -b "dc=emea,dc=company,dc=com" \
  -f sAMAccountName=%s

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 13, 2006 4:28 PM
To: [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Subject: AW: [squid-users] squid_ldap_auth and filters

No, it does not work without an ou-part (what I had tried before):

/usr/local/squid/libexec/squid_ldap_auth \
  -h ldapserver \
  -D "cn=adminaccount,ou=Service
Accounts,ou=_SiteMgmt,ou=BNN,ou=DE,dc=emea,dc=company,dc=com" \
  -w "topsecret" \
  -b "dc=emea,dc=company,dc=com" \
  -f sAMAccountName=%s

gives the error message

   squid_ldap_auth: WARNING, LDAP search error 'Operations error'
   ERR Success

Any ideas?

Werner Rost


>>> squid_ldap_auth (of Squid 2.5 Stable 12) works fine with 
>>this script:
>>> 
>>> /usr/local/squid/libexec/squid_ldap_auth \
>>>   -h ldapserver \
>>>   -D "cn=adminaccount,ou=Service 
>>Accounts,ou=_SiteMgmt,ou=BNN,ou=DE,dc=emea,dc=company,dc=com" \
>>>   -w "topsecret" \
>>>   -b "ou=DE,dc=emea,company,dc=com" \
>>>   -f sAMAccountName=%s
>>>
>>> But our AD structure looks like:
>>> 
>>>   emea.company.com
>>>CH
>>>CZ
>>>DE
>>>DK
>>>ES
>>>...
>>> 
>>> 
>>> The script above should say "OK" if the user is valid in ou=DE or 
>>> ou=CH or ou=CZ or ...
>>> 
>>> I guess I need an intelligent filter "-f" to do this. Any ideas?
>>
>>
>>Should work by just moving up the base DN to 
>>"dc=emea,dc=company,dc=com". This will search in all the ou:s 
>>in the LDAP tree.
>>
>>To ensure there is no mistakes I would make the filter a 
>>little more explicit, only looking for user objects. 
>>Unfortunately I do not remember the objectClass used in AD 
>>for normal users... but it will work either way (just that 
>>without this it is technically possible to log on using a 
>>workstation account or similar provided you can guess the password..)
>>
>>Regards
>>Henrik
>>





Re: [squid-users] squid_ldap_auth and filters

2006-03-10 Thread Henrik Nordstrom
On Fri, 2006-03-10 at 12:27 +0100, [EMAIL PROTECTED] wrote:
> squid_ldap_auth (of Squid 2.5 Stable 12) works fine with this script:
> 
> /usr/local/squid/libexec/squid_ldap_auth \
>   -h ldapserver \
>   -D "cn=adminaccount,ou=Service 
> Accounts,ou=_SiteMgmt,ou=BNN,ou=DE,dc=emea,dc=company,dc=com" \
>   -w "topsecret" \
>   -b "ou=DE,dc=emea,company,dc=com" \
>   -f sAMAccountName=%s
>
> But our AD structure looks like:
> 
>   emea.company.com
>CH
>CZ
>DE
>DK
>ES
>...
> 
> 
> The script above should say "OK" if the user is valid in ou=DE or ou=CH or 
> ou=CZ or ...
> 
> I guess I need an intelligent filter "-f" to do this. Any ideas?


Should work by just moving up the base DN to
"dc=emea,dc=company,dc=com". This will search in all the ou:s in the
LDAP tree.

To ensure there is no mistakes I would make the filter a little more
explicit, only looking for user objects. Unfortunately I do not remember
the objectClass used in AD for normal users... but it will work either
way (just that without this it is technically possible to log on using a
workstation account or similar provided you can guess the password..)

Regards
Henrik




Re: [squid-users] squid_ldap_auth Novell and a ERR Success message...

2006-02-23 Thread Mark Elsen
> Has anybody come across this problem of getting Squid_ldap_auth to get
> users off of a NDS ldap server? ldapsearch can connect to it fine, and I
> can see the users, but when I use it to auth with squid. It gives me a
> ERR Success message. Also, do you know where or how I can turn the logs
> on to see what is going on with this? The squid_ldap_auth has a -d for
> debug but it does nothing that I can see.
>


http://www.squid-cache.org/mail-archive/squid-users/200306/0835.html

(e.g.)

 M.


Re: [squid-users] SQUID_LDAP_AUTH

2006-01-13 Thread Henrik Nordstrom

On Fri, 13 Jan 2006, Meyerovich Aleksandr EB_NY wrote:

> Anybody could help with squid_ldap_auth usage examples?

There are several in the man page.

> Say, I'd like to authenticate users belonging to the group Internet in
> DC=domain, DC=com, OU=Users (Microsoft AD)

Then you probably should combine squid_ldap_auth and squid_ldap_group.

squid_ldap_auth for authentication.

squid_ldap_group for verifying group memberships.


If there is only a single group you want to look for then it is possible 
to do it all with squid_ldap_auth by a carefully constructed search 
filter thanks to AD storing the group memberships within the user objects 
as well as the group, but I recommend keeping the functions separate.


Regards
Henrik


Re: [squid-users] squid_ldap_auth and Windows 2003 AD

2005-11-10 Thread Serassio Guido

Hi,

At 16.32 10/11/2005, Colin Farley wrote:

> Thanks for the reply.  I had a look at the article and I don't think that
> it explains my situation.  My squid_ldap_auth command points to a squid
> user and supplies a password so I am not doing anonymous searches.  I think
> the fact that it works when I specify an OU means that it's not an
> authentication problem but rather a search restriction.  Any thoughts are
> appreciated.

This SHOULD BE the solution to your problem, it fixed a similar 
problem of mine with LDAP authentication with Apache, so please try it.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] squid_ldap_auth and Windows 2003 AD

2005-11-10 Thread Colin Farley
Thanks for the reply.  I had a look at the article and I don't think that
it explains my situation.  My squid_ldap_auth command points to a squid
user and supplies a password so I am not doing anonymous searches.  I think
the fact that it works when I specify an OU means that it's not an
authentication problem but rather a search restriction.  Any thoughts are
appreciated.

Thanks,
 Colin


   
Serassio Guido <[EMAIL PROTECTED]> wrote on 11/10/2005 01:35 AM (To: Colin Farley <[EMAIL PROTECTED]>, squid-users@squid-cache.org; Subject: Re: [squid-users] squid_ldap_auth and Windows 2003 AD):




Hi,

At 22.25 09/11/2005, Colin Farley wrote:
>So, it seems that Windows 2003 domain
>controllers have added security that stops searches beginning from the base
>of the domain and searches must start within an ou.  Has anyone encountered
>this?  Are there any fixes that anyone is aware of?  Any help is greatly
>appreciated.

Correct, look here:

http://support.microsoft.com/default.aspx?scid=326690

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/




Re: [squid-users] squid_ldap_auth and Windows 2003 AD

2005-11-09 Thread Serassio Guido

Hi,

At 22.25 09/11/2005, Colin Farley wrote:

> So, it seems that Windows 2003 domain
> controllers have added security that stops searches beginning from the base
> of the domain and searches must start within an ou.  Has anyone encountered
> this?  Are there any fixes that anyone is aware of?  Any help is greatly
> appreciated.


Correct, look here:

http://support.microsoft.com/default.aspx?scid=326690

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] squid_ldap_auth from shell [SOLVED]

2005-10-24 Thread John Halfpenny

Brilliant, works like a charm.



Thanks Henrik!



John



 --- On Sat 10/22, Henrik Nordstrom < [EMAIL PROTECTED] > wrote:

From: Henrik Nordstrom [mailto: [EMAIL PROTECTED]

To: [EMAIL PROTECTED]

 Cc: squid-users@squid-cache.org

Date: Sat, 22 Oct 2005 10:15:53 +0200 (CEST)

Subject: Re: [squid-users] squid_ldap_auth from shell



On Fri, 21 Oct 2005, John Halfpenny wrote:
> My basic authenticator works fine, in the form
>
> /usr/lib/squid/squid_ldap_auth -b "ou=Users,dc=my,dc=domain"
> myname mypassword
> OK

Ok.

> I have noticed that my LDAP group doesn't have a 'member' attribute, but it does
> have 'memberUid'. On my LDAPBrowser I can query like this with the desired
> group as the result:
>
> (&(objectclass=posixGroup)(cn=mygroup)(memberUid=myname))

Ok.

> If I put someone elses name in who isn't a member of mygroup then nothing is
> returned. However, creating the following command string gives me errors!
>
> /usr/lib/squid/squid_ldap_group -b "ou=Groups,dc=my,dc=domain" -f
> "(&(objectclass=posixGroup)(cn=%a)(memberUid=%v))" -B "ou=Users,dc=my,dc=domain" -F "uid=%s"
> myname mygroup
> ERR

You should not specify -B or -F as your membership is not based on the LDAP DN
of the user like it is done in most LDAP trees, only the login.

And I'd recommend using the much clearer %g/%u codes rather than
the now obsolete %a/%v ones...

Try the following:

/usr/lib/squid/squid_ldap_group -b "ou=Groups,dc=my,dc=domain" -f
"(&(objectclass=posixGroup)(cn=%g)(memberUid=%u))"

Regards
Henrik





Re: [squid-users] squid_ldap_auth from shell

2005-10-22 Thread Henrik Nordstrom

On Fri, 21 Oct 2005, John Halfpenny wrote:

> My basic authenticator works fine, in the form
>
> /usr/lib/squid/squid_ldap_auth -b "ou=Users,dc=my,dc=domain"
> myname mypassword
> OK

Ok.

> I have noticed that my LDAP group doesn't have a 'member' attribute, but it 
> does have 'memberUid'. On my LDAPBrowser I can query like this with the desired 
> group as the result:
>
> (&(objectclass=posixGroup)(cn=mygroup)(memberUid=myname))

Ok.

> If I put someone elses name in who isn't a member of mygroup then nothing is 
> returned. However, creating the following command string gives me errors!
>
> /usr/lib/squid/squid_ldap_group -b "ou=Groups,dc=my,dc=domain" -f 
> "(&(objectclass=posixGroup)(cn=%a)(memberUid=%v))" -B "ou=Users,dc=my,dc=domain" -F 
> "uid=%s"
> myname mygroup
> ERR


You should not specify -B or -F as your membership is not based on the 
LDAP DN of the user like it is done in most LDAP trees, only the login.


And I'd recommend using the much clearer %g/%u codes rather than the 
now obsolete %a/%v ones...


Try the following:

/usr/lib/squid/squid_ldap_group -b "ou=Groups,dc=my,dc=domain" -f 
"(&(objectclass=posixGroup)(cn=%g)(memberUid=%u))"

Regards
Henrik


Re: [squid-users] squid_ldap_auth compilation with ssl

2005-08-09 Thread Henrik Nordstrom



On Sat, 6 Aug 2005, c.s.r.c.murthy wrote:

> Dears all,
> 	Has anybody tried and been successful in compiling squid_ldap_auth with 
> option "-DNETSCAPE_SSL"? When I do it, I get the following errors

Do you have the Netscape LDAP API?

Have you told the compiler where to find this API's libraries and headers?

Most people are using the OpenLDAP LDAP API, for which this flag SHOULD NOT 
be specified. Instead it automatically detects SSL support if your 
OpenLDAP API is supporting SSL.


Regards
Henrik


Re: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server" (Solved!!)

2005-04-28 Thread Babs
I have checked the nsswitch.conf and hosts are in the
same order.

Yes I am able to ping the ADS servers with their FQDN
when the DNS is down but not to any other PCs

Regards
Babs

--- it clown <[EMAIL PROTECTED]> wrote:
> look at your nsswitch.conf.
>
> hosts:  files dns
>
> If you add that to nsswitch.conf it will first look at your
> /etc/hosts file and then dns. Make sure you have your AD pc
> in /etc/hosts.
>
> to be able to connect to AD you need dns to resolve its
> name. Can you ping any pc on network with its FQDN when dns
> is down?


RE: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server" (Solved!!)

2005-04-23 Thread Henrik Nordstrom

On Sat, 23 Apr 2005, Babs wrote:

> Interestingly Henrik , I have added those ADS servers
> IPs in /etc/hosts when i setup the proxy and still I
> dont know why this happend. Anything you want me to
> check it up?

Next time, check if you can reach the ADS servers using ldapsearch.
Regards
Henrik


Re: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server" (Solved!!)

2005-04-23 Thread it clown
look at your nsswitch.conf. 

hosts:  files dns

If you add that to nsswitch.conf it will first look at your
/etc/hosts file and then dns. Make sure you have your AD pc
in /etc/hosts.

to be able to connect to AD you need dns to resolve its
name. Can you ping any pc on network with its FQDN when dns
is down?

On Sat, 23 Apr 2005 08:26:06 -0700 (PDT)
 Babs <[EMAIL PROTECTED]> wrote:
> Interestingly Henrik , I have added those ADS servers
> IPs in /etc/hosts when i setup the proxy and still I
> dont know why this happend. Anything you want me to
> check it up?
> 
> Regards
> Babs


Re: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server" (Solved!!)

2005-04-23 Thread Babs
Okay, that looks to be the reason for this auth
failure. Thanks a lot for this info Michael.

thanx & regards
Babs
--- Michael Wray <[EMAIL PROTECTED]> wrote:

> That's because the authenticators need to verify WHERE to authenticate via
> dns...so they look for the special SRV entries that AD has for _kerberos and
> _ldap, if he can't get a response on those entries, then it is assumed that
> they are unreachable.


RE: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server" (Solved!!)

2005-04-23 Thread Babs
Interestingly Henrik , I have added those ADS servers
IPs in /etc/hosts when i setup the proxy and still I
dont know why this happend. Anything you want me to
check it up?

Regards
Babs

--- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:

> On Thu, 21 Apr 2005, Babs wrote:
>
> > Hi
> > As the linuxbox access the Win2K box running ADS for
> > getting the user authenticated using squid_ldap_auth,
> > when the machine running DNS goes down linuxbox is
> > not able to reach the Win2K box running ADS I suppose.
> > As soon as the DNS system came back to life
> > authentication is working fine. Anyone can tell me
> > more why this happens?
>
> squid_ldap_auth needs to be able to find the IP
> address from your ADS server name in order to connect to it..
>
> You can work around this by adding the ADS server to
> your local /etc/hosts file.
>
> Regards
> Henrik


RE: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server" (Solved!!)

2005-04-21 Thread Henrik Nordstrom

On Thu, 21 Apr 2005, Babs wrote:

> Hi
> As the linuxbox access the Win2K box running ADS for
> getting the user authenticated using squid_ldap_auth,
> when the machine running DNS goes down linuxbox is
> not able to reach the Win2K box running ADS I suppose.
> As soon as the DNS system came back to life
> authentication is working fine. Anyone can tell me
> more why this happens?

squid_ldap_auth needs to be able to find the IP address from your ADS 
server name in order to connect to it..

You can work around this by adding the ADS server to your local /etc/hosts 
file.

Regards
Henrik


Re: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server" (Solved!!)

2005-04-21 Thread Michael Wray
That's because the authenticators need to verify WHERE to authenticate via 
dns...so they look for the special SRV entries that AD has for _kerberos and 
_ldap, if he can't get a response on those entries, then it is assumed that 
they are unreachable.

On Thursday 21 April 2005 10:21 am, Babs wrote:
> Hi
> As the linuxbox access the Win2K box running ADS for
> getting the user authenticated using squid_ldap_auth,
> when the machine running DNS goes down linuxbox is
> not able to reach the Win2K box running ADS I suppose.
> As soon as the DNS system came back to life
> authentication is working fine. Anyone can tell me
> more why this happens?
> Thanx & regards
> Babs

-- 
Michael Wray
AimConnect, an S4F Inc. Company
918.524.1010 ext 106
[EMAIL PROTECTED]
http://www.aimconnect.com



RE: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server" (Solved!!)

2005-04-21 Thread Babs
Hi
As the linuxbox access the Win2K box running ADS for
getting the user authenticated using squid_ldap_auth,
when the machine running DNS goes down linuxbox is 
not able to reach the Win2K box running ADS I suppose.
As soon as the DNS system came back to life
authentication is working fine. Anyone can tell me
more why this happens?
Thanx & regards
Babs

--- greylake <[EMAIL PROTECTED]> wrote:

> What exactly did you have to do with your DNS ?
> 


RE: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server" (Solved!!)

2005-04-18 Thread Babs
Hi All!
At last I found out what's causing this trouble. It is
my DNS that was causing this whole problem. If you get this
error make sure your DNS is working properly. Even
though I had specified the servers in the hosts file, still
somehow it was using my DNS, which was pointing outside
my network. I thought this reply would help someone who
may get the same problem.

Thanx all of you there
regards
Babs

--- Babs <[EMAIL PROTECTED]> wrote:

> Hi
> I am facing the same problem once again, the
> authentication from the browser appears repeatedly
> and
> gives a authentication error. cache.log reports 
> "Squid_Ldap_Auth error: Cant Contact LDAP Server".
> This time I made sure things are fine with Msbox and
> with a nmap, I could see the ldap ports in msbox and
> a
> netstat shows me a connection established to msbox
> ldap port. Also I could successfully telnet into the
> msbox ldap port from squid box. Also I could use
> ldapsearch tool without any trouble.
> As previously Marc suggested to telnet msbox 445
> port
> is working without any problem. I restarted my msbox
> like the previously but this time I am  still
> getting
> the same error.
> 
> Anyone can give me some idea what might be the
> problem?
> Thanx in advance
> Babs


RE: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server"

2005-04-17 Thread Babs
Hi
I am facing the same problem once again, the
authentication from the browser appears repeatedly and
gives an authentication error. cache.log reports 
"Squid_Ldap_Auth error: Cant Contact LDAP Server".
This time I made sure things are fine with Msbox and
with a nmap, I could see the ldap ports in msbox and a
netstat shows me a connection established to msbox
ldap port. Also I could successfully telnet into the
msbox ldap port from squid box. Also I could use
ldapsearch tool without any trouble.
As previously Marc suggested to telnet msbox 445 port
is working without any problem. I restarted my msbox
like the previously but this time I am  still getting
the same error.

Anyone can give me some idea what might be the
problem?
Thanx in advance
Babs






Re: [squid-users] squid_ldap_auth and TLS

2005-04-17 Thread Henrik Nordstrom

On Wed, 13 Apr 2005 [EMAIL PROTECTED] wrote:

> Everything is working fine without SSL encryption.

Good.

> Now I want to activate the TLS option for the squid_ldap_auth. When I add
> the option -Z ( and -v 3 ) I will receive the message "Could not Activate
> TLS connection".
> TLS is working with our LDAP-Server, because another system is working with
> TLS.

Does ldapsearch and friends work in TLS mode?

Are you sure it is TLS you want to use and not LDAP over SSL? (ldaps://)
Regards
Henrik


RE: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server"

2005-04-12 Thread Elsen Marc

 
> Yup I did that and I am able telnet to the MS-ADS port
> in the server.
> I ran a nmap and I could see the ports listed on the
> MS box. I rebooted the ms-box and It looks be this are
> fine so I am suspecting the ms-box doing something
> fishy, but I am getting nervous again as I got around
> 50 users at anytime in the day
> So I am curious if anyone else faced the same problem
> Thanx for ur suggestion and I would like to know if U
> want me to do anything else to look for?
> 

So, I understand things were fine after reboot of the MS-AD
server. If problems occur again , you can also :

MS-AD:\>netstat -a -p TCP

Check whether the AD service is still listening on
the intended port.

M.


RE: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server"

2005-04-12 Thread Babs
>  - Check whether the LDAP server is running on the MS-AD box.
>    * Check eventvwr , watchout for system or app. errors.
>
>  - Verify further by contacting the LDAP server manually from the squid box.
>    squidhost % telnet ms-ads_host 443
>
>    Should at least establish a connection.
>
>    M.

Yup I did that and I am able to telnet to the MS-ADS port
in the server.
I ran a nmap and I could see the ports listed on the
MS box. I rebooted the ms-box and it looks like these are
fine, so I am suspecting the ms-box is doing something
fishy, but I am getting nervous again as I have around
50 users at any time in the day.
So I am curious if anyone else faced the same problem.
Thanx for ur suggestion and I would like to know if U
want me to do anything else to look for?

Thanx & regards
Babs






RE: [squid-users] Squid_Ldap_Auth error "Cant Contact LDAP Server"

2005-04-11 Thread Elsen Marc

 
> 
> Hello
> I am having a squid proxy running with ldap
> authentication from MS-ADS. It was working fine till
> now but today morning onwards its giving me a strange
> problem.
> in cache.log I could see :- squid_ldap_auth WARNING,
> Ldap Serch Error 'Cant Contact LDAP Server'
> 
> I have checked everything as nothing has been changed
> in previous days. Now when I try to use
> squid_ldap_auth from the command line its giving me
> the same error. 
> Now pls let me know what is going wrong 
> I have done some googling but it didn't help me much
> 
 
 - Check whether the LDAP server is running on the MS-AD box.
   * Check eventvwr , watchout for system or app. errors.

 - Verify further by contacting the LDAP server manually from the squid box.
   squidhost % telnet ms-ads_host 443

   Should at least establish a connection.

   M.


RE: Re: [squid-users] squid_ldap_auth or squid_ldapauth supports MD5 ?

2005-01-17 Thread Joan Ramos Ramos


> squid_ldap_auth supports whatever passwords encryption schemes supported
> by your LDAP server, using either ldap_simple_bind to bind to the user
> object in the LDAP tree or ldap_compare to compare the selected password
> attribute with the user supplied password.  In both operations it is the
> LDAP server which determines if the password is valid or not.

On my server it only works if I have a Crypt (DES) password.

I add a test user with password test:

MD5:

# squid_ldapauth -v -q -l
squid_ldapauth[3656]: config - found key: 'ldap-server'
squid_ldapauth[3656]: config - got value: '192.168.1.146'
squid_ldapauth[3656]: config - found key: 'ldap-port'
squid_ldapauth[3656]: config - got value: '389'
squid_ldapauth[3656]: config - found key: 'ldap-suffix'
squid_ldapauth[3656]: config - got value: 'o=unipost'
squid_ldapauth[3656]: config - found key: 'ldap-filter'
squid_ldapauth[3656]: config - got value: '(uid=%s)'
squid_ldapauth[3656]: config - found key: 'ldap-passwdfield'
squid_ldapauth[3656]: config - got value: 'userPassword'
squid_ldapauth[3656]: using ldap-server => '192.168.1.146'
squid_ldapauth[3656]: using ldap-port => '389'
squid_ldapauth[3656]: using ldap-suffix => 'o=unipost'
squid_ldapauth[3656]: using ldap-filter => '(uid=%s)'
squid_ldapauth[3656]: using ldap-passwdfield => 'userPassword'
squid_ldapauth[3656]: using ldap-binddn => ''
squid_ldapauth[3656]: using ldap-password => ''
squid_ldapauth[3656]: connection etablished - waiting for queries

test test
squid_ldapauth[3656]: ldap vals[0]= '{MD5}CY9rzUYh03PK3k6DJie09g=='
squid_ldapauth[3656]: authentication request for 'test' - ERR
ERR

^C

Now I change the pass to Crypt (DES):

# squid_ldapauth -v -q -l
squid_ldapauth[3657]: config - found key: 'ldap-server'
squid_ldapauth[3657]: config - got value: '192.168.1.146'
squid_ldapauth[3657]: config - found key: 'ldap-port'
squid_ldapauth[3657]: config - got value: '389'
squid_ldapauth[3657]: config - found key: 'ldap-suffix'
squid_ldapauth[3657]: config - got value: 'o=unipost'
squid_ldapauth[3657]: config - found key: 'ldap-filter'
squid_ldapauth[3657]: config - got value: '(uid=%s)'
squid_ldapauth[3657]: config - found key: 'ldap-passwdfield'
squid_ldapauth[3657]: config - got value: 'userPassword'
squid_ldapauth[3657]: using ldap-server => '192.168.1.146'
squid_ldapauth[3657]: using ldap-port => '389'
squid_ldapauth[3657]: using ldap-suffix => 'o=unipost'
squid_ldapauth[3657]: using ldap-filter => '(uid=%s)'
squid_ldapauth[3657]: using ldap-passwdfield => 'userPassword'
squid_ldapauth[3657]: using ldap-binddn => ''
squid_ldapauth[3657]: using ldap-password => ''
squid_ldapauth[3657]: connection etablished - waiting for queries

test test
squid_ldapauth[3657]: ldap vals[0]= '{CRYPT}IDV1FVNqCpls2'
squid_ldapauth[3657]: authentication request for 'test' - OK
OK

Why doesn't it work with MD5?

thanks

Joan Ramos Ramos 
Dpto. Informática
Tel.: +34 932 232 552 (Ext. 260)
Fax.: +34 932 230 151




Re: [squid-users] squid_ldap_auth or squid_ldapauth supports MD5 ?

2005-01-14 Thread Henrik Nordstrom
On Fri, 14 Jan 2005, Joan Ramos Ramos wrote:

> hi, i'm trying to configure squid ( Suse 9.2 squid-2.5.STABLE6-6) with ldap
> authentication, all users in my ldap database are with md5 password
> encryption.
> squid_ldap_auth  or squid_ldapauth supports MD5 ?

squid_ldap_auth supports whatever passwords encryption schemes supported 
by your LDAP server, using either ldap_simple_bind to bind to the user 
object in the LDAP tree or ldap_compare to compare the selected password 
attribute with the user supplied password.  In both operations it is the 
LDAP server which determines if the password is valid or not.

It would not be hard to write another ldap helper which manually compares 
a "UNIX-style" password attribute, similar to how ncsa_auth works on 
plain-text files.

Regards
Henrik
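Henrik's suggestion of a helper that compares a "UNIX-style" password attribute itself, as an added Python example (not Squid's or squid_ldapauth's code): it checks a userPassword value such as the {MD5} string quoted in the thread locally, answers OK or ERR per request line, and answers ERR for schemes it does not implement, such as {CRYPT}. The scheme handling, the constructed directory and the function names are this example's own.

```python
"""Added example, not Squid's code: a minimal local check of LDAP-style
userPassword values ({MD5}, {SHA}, {SMD5}, {SSHA}) of the kind Henrik
describes. squid_ldap_auth does NOT do this; it leaves the decision to the
LDAP server via bind or compare. Names and schemes here are this example's own."""

import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _split_scheme(stored: str) -> Tuple[str, str]:
    """'{SSHA}abc...' -> ('SSHA', 'abc...'); no prefix means plaintext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "PLAIN", stored


def encode_password(password: str, scheme: str = "SSHA",
                    salt: Optional[bytes] = None) -> str:
    """Produce a {SCHEME}base64 userPassword value (MD5, SHA, SMD5, SSHA)."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme in ("MD5", "SHA"):
        algo = "md5" if scheme == "MD5" else "sha1"
        digest = hashlib.new(algo, pw).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))
    if scheme in ("SMD5", "SSHA"):
        algo = "md5" if scheme == "SMD5" else "sha1"
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.new(algo, pw + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))
    raise ValueError("unsupported scheme: %s" % scheme)


def verify_password(password: str, stored: str) -> bool:
    """True if password matches the stored userPassword value.

    Unknown schemes ({CRYPT} needs the platform crypt(3), so it is left out
    here) and malformed values yield False, i.e. a helper answers ERR."""
    scheme, data = _split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "PLAIN":
        return hmac.compare_digest(pw, data.encode("utf-8"))
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if scheme in ("MD5", "SHA"):
        algo = "md5" if scheme == "MD5" else "sha1"
        return hmac.compare_digest(hashlib.new(algo, pw).digest(), raw)
    if scheme in ("SMD5", "SSHA"):
        algo = "md5" if scheme == "SMD5" else "sha1"
        size = hashlib.new(algo).digest_size
        digest, salt = raw[:size], raw[size:]  # salt is appended to the digest
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
    return False


def helper_line(line: str, directory: Dict[str, str]) -> str:
    """Handle one 'user password' request line as a basic-auth helper would:
    one line in, 'OK' or 'ERR' out. `directory` is a constructed stand-in
    for the LDAP lookup, mapping login to its userPassword value."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = parts
    stored = directory.get(user)
    if stored is None:
        return "ERR"
    return "OK" if verify_password(password, stored) else "ERR"


# Constructed sample directory: both values are the ones quoted in the thread
# above for the password 'test'.
SAMPLE_DIRECTORY = {
    "test": "{MD5}CY9rzUYh03PK3k6DJie09g==",
    "legacy": "{CRYPT}IDV1FVNqCpls2",
}

if __name__ == "__main__":
    import sys
    for request in sys.stdin:
        print(helper_line(request, SAMPLE_DIRECTORY), flush=True)
```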


Re: [squid-users] squid_ldap_auth single signon

2005-01-03 Thread Kinkie
On Mon, 2005-01-03 at 13:13 +0300, [EMAIL PROTECTED] wrote:
> Hi;
> 
> can I use single signon authentication thru my ldap server for squid users
> instead of getting the prompt to authenticate. clients are using WinXP pro.

Not unless you're willing to spend some time writing glue code
(essentially an NTLM authenticator) AND your users make sure that the
passwords in the LDAP database and in AD are in sync.

Kinkie


Re: [squid-users] squid_ldap_auth issues

2004-12-09 Thread Henrik Nordstrom

On Thu, 2 Dec 2004, Ron Bettle wrote:

> ok lemme start by saying that i have read and searched
> the archives but i still can't figure this out ;-).
> what i'm trying to do is reproduce the old smb_auth
> functionality with the 'new' active directory LDAP.
> unfortunately i have no control over the LDAP nor do i
> really understand LDAP that well, but i'm learning ;-).
> ok here is what i have so far. after much reading and
> searching through the archives i have come up with the
> following.
>
> /usr/lib/squid/squid_ldap_auth -b "cn=nameofmydc,ou=domain controllers,dc=mydomain,dc=net"

This should just be your domain

  dc=mydomain,dc=net

> -D "cn=Bettle\, Ron,ou=Users,ou=SOS,ou=Facilities,dc=mydomain,dc=net"
> -w mypassword -f "(&(CN=%u)(objectClass=person))" -H ip.of.my.dc

Most want to use samAccountName or similar for the login, not the 
"common/full name".

Regards
Henrik


Re: [squid-users] ./squid_ldap_auth command says "bash: ./squid_ldap_auth: No such file or directory"

2004-12-06 Thread Ow Mun Heng
On Mon, 2004-12-06 at 09:29, Yong Bong Fong wrote:
> Dear all,
> 
>I was trying to test my squid_ldap_auth from the terminal as shown 
> 
> *As seen above, it responded with "bash: ./squid_ldap_auth:no such file 
> or directory"

Works for me :-)

Either you're doing something wrong or...

try an strace of it??


./squid_ldap_auth 
Usage: squid_ldap_auth -b basedn [options] [ldap_server_name[:port]]...

-b basedn (REQUIRED)    base dn under which to search
-f filter               search filter to locate user DN
-u userattr             username DN attribute
-s base|one|sub         search scope
-D binddn               DN to bind as to perform searches
-w bindpasswd           password for binddn
-W secretfile           read password for binddn from file secretfile
-H URI                  LDAPURI (defaults to ldap://localhost)
-h server               LDAP server (defaults to localhost)
-p port                 LDAP server port
-P                      persistent LDAP connection
-c timeout              connect timeout
-t timelimit            search time limit
-R                      do not follow referrals
-a never|always|search|find
                        when to dereference aliases
-v 2|3                  LDAP version
-Z                      TLS encrypt the LDAP connection, requires LDAP
                        version 3

If no search filter is specified, then the dn =user,basedn
will be used (same as specifying a search filter of '=',
but quicker as as there is no need to search for the user DN)

If you need to bind as a user to perform searches then use the
-D binddn -w bindpasswd or -D binddn -W secretfile options





Re: [squid-users] squid_ldap_auth from command line do nothing ...and display no further prompt from terminal

2004-12-06 Thread Ow Mun Heng
On Mon, 2004-12-06 at 14:56, Yong Bong Fong wrote:
> Hello All,
> 
>When I typed my squid_ldap_auth command as shown below, it always do 
> nothing. \

What happens if you just type the command w/o any other options?

> Other people seems to get a follow-up response of a prompt for 
> username and password from the machine, and then further prompting an 
> error or ok message back to user.
> But my command seems to just stuck there without further progress, see 
> below:
> 
> [EMAIL PROTECTED] root]# /usr/lib/squid/squid_ldap_auth -b dc=shinyang, 
> dc=com, 
> dc=my -D cn=root,dc=shinyang,dc=com,dc=my -w -f 
> '(&(objectclass=person)(cn=%s))' -h 172.16.0.21
> (it just stops there and do nothing)
> 
> *where should I track down the problem for this?
> 
> Thanks in advance
> 
> Regards
> Yong

--
Ow Mun Heng
Gentoo/Linux on D600 1.4Ghz 
Neuromancer 17:21:40 up 8:02, 4 users, 0.70, 0.53, 0.44 




Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-19 Thread Henrik Nordstrom
On Tue, 19 Oct 2004, Mark Krawec wrote:

> I'll try anything to avoid going back to basic authentication (NCSA).  What
> patches and where can I find them?  Should I open a bug first?

You should open a bug. Once you have opened a bug report I'll attach the 
squid_ldap_auth patch there for you to try.

Regards
Henrik


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-19 Thread Mark Krawec
I'll try anything to avoid going back to basic authentication (NCSA).  What
patches and where can I find them?  Should I open a bug first?

Mark

On Tue, 19 Oct 2004 20:44:26 +0200 (CEST), Henrik Nordstrom wrote
> On Tue, 19 Oct 2004, Mark Krawec wrote:
> 
> > I don't think our server supports TLS as ldapsearch fails as well.
> > Basic authentication (clear text) or ssl are my options and both of
> > those work for ldapsearch.  Unfortunately I haven't been able to get
> > either option to work for squid_ldap_auth after the domain controller
> > upgrade to 2003.  Am I just out of luck or should I open a bug?
> 
> You are welcome to open a bug. I have some patches you might want to 
> try.
> 
> Regards
> Henrik


___
Mark Krawec  [EMAIL PROTECTED]
"Earth First"(We'll strip mine the other planets later)



Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-19 Thread Henrik Nordstrom
On Tue, 19 Oct 2004, Mark Krawec wrote:

> I don't think our server supports TLS as ldapsearch fails as well.
> Basic authentication (clear text) or ssl are my options and both of
> those work for ldapsearch.  Unfortunately I haven't been able to get
> either option to work for squid_ldap_auth after the domain controller
> upgrade to 2003.  Am I just out of luck or should I open a bug?

You are welcome to open a bug. I have some patches you might want to try.
Regards
Henrik


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-19 Thread Mark Krawec
I don't think our server supports TLS as ldapsearch fails as well.
Basic authentication (clear text) or ssl are my options and both of
those work for ldapsearch.  Unfortunately I haven't been able to get
either option to work for squid_ldap_auth after the domain controller
upgrade to 2003.  Am I just out of luck or should I open a bug?

Mark

On Tue, 19 Oct 2004 19:08:46 +0200 (CEST), Henrik Nordstrom wrote
> On Tue, 19 Oct 2004, Mark Krawec wrote:
> 
> > Thanks for being persistent but unfortunately I get the same error with
> > version 3.  Let me know if I should try anything else or if I should create a
> > bug for this.  Are there others that are using squid_ldap_auth to authenticate
> > against a W2003 LDAP directory server?
> 
> > echo "Squid1 password" | /usr/local/squid/libexec/squid_ldap_auth -v 3 -H
> > ldaps://fddc02.scif.com:636/  -D "CN=Squid1 Proxy, OU=FD, OU=Fairfield,
> > DC=scif, DC=com" -w "password"  -b "DC=scif,DC=com" -f
> > "(SamAccountName=Squid1)"
> > squid_ldap_auth: WARNING, LDAP search error 'Operations error'
> > ERR
> 
> Were you using ldaps in ldapsearch as well?
> 
> Please note that ldaps:// != TLS.  ldaps:// is LDAPv2 over SSL on 
> the ldaps port.
> 
> Regards
> Henrik





Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-19 Thread Henrik Nordstrom
On Tue, 19 Oct 2004, Mark Krawec wrote:
Thanks for being persistent but unfortunately I get the same error with
version 3.  Let me know if I should try anything else or if I should create a
bug for this.  Are there others that are using squid_ldap_auth to authenticate
against a W2003 LDAP directory server?
If everything else fails use ethereal to compare the two searches.
(note: won't work with ldaps or TLS due to the encryption..)
Regards
Henrik


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-19 Thread Henrik Nordstrom
On Tue, 19 Oct 2004, Mark Krawec wrote:
Thanks for being persistent but unfortunately I get the same error with
version 3.  Let me know if I should try anything else or if I should create a
bug for this.  Are there others that are using squid_ldap_auth to authenticate
against a W2003 LDAP directory server?

echo "Squid1 password" | /usr/local/squid/libexec/squid_ldap_auth -v 3 -H
ldaps://fddc02.scif.com:636/  -D "CN=Squid1 Proxy, OU=FD, OU=Fairfield,
DC=scif, DC=com" -w "password"  -b "DC=scif,DC=com" -f "(SamAccountName=Squid1)"
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR
Were you using ldaps in ldapsearch as well?
Please note that ldaps:// != TLS.  ldaps:// is LDAPv2 over SSL on the 
ldaps port.

Regards
Henrik


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-19 Thread Mark Krawec
Thanks for being persistent but unfortunately I get the same error with
version 3.  Let me know if I should try anything else or if I should create a
bug for this.  Are there others that are using squid_ldap_auth to authenticate
against a W2003 LDAP directory server?

echo "Squid1 password" | /usr/local/squid/libexec/squid_ldap_auth -v 3 -H
ldaps://fddc02.scif.com:636/  -D "CN=Squid1 Proxy, OU=FD, OU=Fairfield,
DC=scif, DC=com" -w "password"  -b "DC=scif,DC=com" -f "(SamAccountName=Squid1)"
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR

Thanks,

Mark

On Tue, 19 Oct 2004 18:09:07 +0200 (CEST), Henrik Nordstrom wrote
> On Mon, 18 Oct 2004, Mark Krawec wrote:
> 
> > I've tried to make sure I'm running the queries the same aside for syntax
> > differences.  Both queries worked before 2003 upgrade.  Now only ldapsearch
> > works correctly.
> 
> One last idea, try using LDAP v3 (-v 3 option to squid_ldap_auth)
> 
> Regards
> Henrik





Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-19 Thread Henrik Nordstrom
On Mon, 18 Oct 2004, Mark Krawec wrote:
I've tried to make sure I'm running the queries the same aside for syntax
differences.  Both queries worked before 2003 upgrade.  Now only ldapsearch
works correctly.
One last idea, try using LDAP v3 (-v 3 option to squid_ldap_auth)
Regards
Henrik


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-18 Thread Mark Krawec
And you are positively sure that ldapsearch -x using the exact same data 
works?

Regards
Henrik

I've tried to make sure I'm running the queries the same aside for syntax
differences.  Both queries worked before 2003 upgrade.  Now only ldapsearch
works correctly.

Successful ldapsearch query:
ldapsearch -b "DC=scif, DC=com"  -D "CN=Squid1 Proxy, OU=FD, OU=Fairfield,
DC=scif, DC=com" -w "password" -H ldaps://fddc02.scif.com:636/ -S
/usr/local/ssl/certs -x "(SamAccountName=Squid1)" cn
version: 2

#
# filter: (SamAccountName=Squid1)
# requesting: cn
#

# Squid1 Proxy, FD, Fairfield, scif, com
dn: CN=Squid1 Proxy,OU=FD,OU=Fairfield,DC=scif,DC=com
cn: Squid1 Proxy

squid_ldap_auth query fails:
echo "Squid1 password" | /usr/local/squid/libexec/squid_ldap_auth -H
ldaps://fddc02.scif.com:636/  -D "CN=Squid1 Proxy, OU=FD, OU=Fairfield,
DC=scif, DC=com" -w "password" -P -b "DC=scif,DC=com" -f "(SamAccountName=Squid1)"
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR

Thanks,

Mark





Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Mark Krawec wrote:
I tried it with the helper from 2.5.STABLE7 and get the same error:
echo "Squid1 password" | /usr/local/squid/libexec/squid_ldap_auth -O -H
ldaps://fddc02.scif.com:636/  -D "CN=Squid1 Proxy, OU=FD, OU=Fairfield,
DC=scif, DC=com" -w "password"  -b "DC=scif,DC=com" -f "(SamAccountName=Squid1)"
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR
Let me know if you have any other ideas or want me to run any more tests.
And you are positively sure that ldapsearch -x using the exact same data 
works?

Regards
Henrik


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Mark Krawec

I tried it with the helper from 2.5.STABLE7 and get the same error:

echo "Squid1 password" | /usr/local/squid/libexec/squid_ldap_auth -O -H
ldaps://fddc02.scif.com:636/  -D "CN=Squid1 Proxy, OU=FD, OU=Fairfield,
DC=scif, DC=com" -w "password"  -b "DC=scif,DC=com" -f "(SamAccountName=Squid1)"
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR

Let me know if you have any other ideas or want me to run any more tests.

Thanks,

Mark


On Thu, 14 Oct 2004 23:36:55 +0200 (CEST), Henrik Nordstrom wrote

> 
> Please try with the helper from 2.5.STABLE7. Not 100% sure how up to 
> date the 3.0 helper is at the moment (probably is, but just to be 
> sure..)
> 
> Regards
> Henrik





Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Mark Krawec wrote:
I'm using the 3.0 helper so it was easy to try this with -O and I still get
the error.
Please try with the helper from 2.5.STABLE7. Not 100% sure how up to date 
the 3.0 helper is at the moment (probably is, but just to be sure..)

Regards
Henrik


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Mark Krawec
I'm using the 3.0 helper so it was easy to try this with -O and I still get
the error.  I tried it with and without -P and it still throws an error.  Am I
the only person having this problem?  To summarize: Squid 2.5STABLE6 on RH7.3
using squid_ldap_auth to authenticate.  I now get the error below when trying
to authenticate after our domain controllers were upgraded to W2003.  The same
query worked against W2000 domain controllers.  A similar ldapsearch query
with the same settings works fine.

echo "Squid1 password" | /usr/local/squid/libexec/squid_ldap_auth -O -H
ldaps://fddc02.scif.com:636/  -D "CN=Squid1 Proxy, OU=FD, OU=Fairfield,
DC=scif, DC=com" -w "password"  -b "DC=scif,DC=com" -f "(SamAccountName=Squid1)"
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR

Thanks again for the help,

Mark

On Thu, 14 Oct 2004 22:57:45 +0200 (CEST), Henrik Nordstrom wrote

> You could try using the -O (once) option to squid_ldap_auth. (in a 
> previous message I said -1, meant -O). I know this was required to 
> operate properly with Novell NDS and I would not be surprised if it 
> is required in other directories as well.
> 
> Squid-2.5.STABLE7 required as the option is fairly new.
> 
> Regards
> Henrik





Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Mark Krawec wrote:
Any ideas on why squid_ldap_auth fails and ldapsearch succeeds?  The same
squid_ldap_auth query was working until our domain controllers were upgraded
to 2003.
You could try using the -O (once) option to squid_ldap_auth. (in a 
previous message I said -1, meant -O). I know this was required to operate 
properly with Novell NDS and I would not be surprised if it is required in 
other directories as well.

Squid-2.5.STABLE7 required as the option is fairly new.
Regards
Henrik


Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Mark Krawec
I think I'm using a consistent search bind DN and still getting an error after
the 2003 upgrade.

Successful ldapsearch query:
ldapsearch -b "DC=scif, DC=com"  -D "CN=Squid1, OU=FD, OU=Fairfield, DC=scif,
DC=com" -w "password" -H ldaps://fddc02.scif.com:636/ -S /usr/local/ssl/certs
-x "(SamAccountName=Squid1)" cn
version: 2

#
# filter: (SamAccountName=Squid1)
# requesting: cn
#

# Squid1 Proxy, FD, Fairfield, scif, com
dn: CN=Squid1 Proxy,OU=FD,OU=Fairfield,DC=scif,DC=com
cn: Squid1 Proxy

squid_ldap_auth query fails:
echo "Squid1 password" | /usr/local/squid/libexec/squid_ldap_auth -H
ldaps://fddc02.scif.com:636/  -D "CN=Squid1, OU=FD, OU=Fairfield, DC=scif,
DC=com" -w "password" -P -b "DC=scif,DC=com" -f "(SamAccountName=Squid1)"
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR

Any ideas on why squid_ldap_auth fails and ldapsearch succeeds?  The same
squid_ldap_auth query was working until our domain controllers were upgraded
to 2003.

Thanks,

Mark

On Thu, 14 Oct 2004 10:12:43 +0200 (CEST), Henrik Nordstrom wrote
> 
> The search bind DN is not correct, and does not match your 
> successful ldapsearch
> 
> To be least confusing you should specify an LDAP DN in both. Relying 
> on the LDAP server to understand shorthand aliases like 
> [EMAIL PROTECTED] can be a little confusing.
> 
> Regards
> Henrik





Re: [squid-users] squid_ldap_auth problem after W2003 upgrade

2004-10-14 Thread Henrik Nordstrom
On Wed, 13 Oct 2004, Mark Krawec wrote:
ldapsearch -D [EMAIL PROTECTED]  -w password -b "DC=scif,DC=com" -H
ldaps://fddc02.scif.com:636/ -S /usr/local/ssl/certs -x
"(SamAccountName=Squid1)" cn
version: 2
#
# filter: (SamAccountName=Squid1)
# requesting: cn
#
# Squid1 Proxy, FD, Fairfield, scif, com
dn: CN=Squid1 Proxy,OU=FD,OU=Fairfield,DC=scif,DC=com
cn: Squid1 Proxy
echo "squid password" | /usr/local/squid/libexec/squid_ldap_auth -H
ldaps://fddc02.scif.com:636/  -D "squid" -w "password" -P -b "DC=scif,DC=com"
-f "(SamAccountName=Squid1)"
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR
The search bind DN is not correct, and does not match your 
successful ldapsearch

To be least confusing you should specify an LDAP DN in both. Relying on 
the LDAP server to understand shorthand aliases like [EMAIL PROTECTED] can be 
a little confusing.

Regards
Henrik


Re: [squid-users] Squid_ldap_auth multiple groups

2004-08-10 Thread Henrik Nordstrom
On Tue, 10 Aug 2004, Tim Neto wrote:
If you use "squid_ldap_auth" for group control, then why was 
"squid_ldap_group" created?
squid_ldap_auth is for authentication, not authorization. In many LDAP 
directories the filter can specify groups restricting who may authenticate 
to the proxy.

squid_ldap_group is for authorization only, to give different groups of
authenticated users different privileges.
If you do not need to specify different authorization for different groups 
and your directory allows direct filtering on group membership then there 
is no need for squid_ldap_group, only squid_ldap_auth.

If you need to give different groups different privileges in the proxy 
then you must use squid_ldap_group in addition to squid_ldap_auth.

Regards
Henrik


Re: [squid-users] Squid_ldap_auth multiple groups

2004-08-10 Thread Tim Neto
Question regarding this thread.
   Why not use "squid_ldap_group"?
Here where I work, I use "squid_ldap_auth" for individual user 
authentication.  I use "squid_ldap_group" as an external acl type.  Like:

   external_acl_type ldap_group %LOGIN /path/squid_ldap_group -h 
ldap-host -p ### -P -b o=DN  -F "uid=%s" -f

"(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

I then create an acl def like:
   acl proxy_groups external ldap_group proxy_subcompany_a 
proxy_subcompany_b proxy_subcompany_c proxy_headoffice
or
   acl restricted_groups external ldap_group proxy_subcompany_a 
proxy_subcompany_b proxy_subcompany_c proxy_headoffice

Finally a http_access def to use the group control, like:
   http_access allow our_networks proxy_groups
If you use "squid_ldap_auth" for group control, then why was 
"squid_ldap_group" created?

Tim
---
Timothy E. Neto
Computer Systems Engineer
Komatsu Canada Limited
725B Sismet Road
Mississauga, Canada  L4W 1P9
Ph#: 905-625-6292 x2651
Fax: 905-625-6348
E-Mail: [EMAIL PROTECTED]
---

Henrik Nordstrom wrote:
On Tue, 10 Aug 2004, Stefan Thomas wrote:
/usr/local/squid/libexec/squid_ldap_auth -b "" -D "cn=name,o=name" -w
passwd -h ip-adr -f
(&(&(cn=%s)(objectClass=person))(groupMembership=cn=Internet,ou=name,ou=
name,o=name))
This works very well. Now I have a new challenge to solve. I want to
check whether the authorised user is in the group "internet" OR "marketing" OR
"normal" OR ...
He should be in one !! of these groups, not in all !

See RFC2254
& is AND
| is OR
(&(cn=%s)(objectClass=person)(|(groupMembership=cn=Internet,ou=name,ou=name,o=name)(groupMembership=cn=Marketing,ou...)(groupMembership=cn=Normal,ou..)(...))) 


But personally I would make the setup as follows
  1. One single group which determines if the user should at all be 
allowed to use the Internet, if not all users should be allowed. This 
is optional.

  2. A number of groups verified by squid_ldap_group for giving 
different levels of access to the Internet.

Regards
Henrik


Re: [squid-users] Squid_ldap_auth multiple groups

2004-08-10 Thread Henrik Nordstrom
On Tue, 10 Aug 2004, Stefan Thomas wrote:
/usr/local/squid/libexec/squid_ldap_auth -b "" -D "cn=name,o=name" -w
passwd -h ip-adr -f
(&(&(cn=%s)(objectClass=person))(groupMembership=cn=Internet,ou=name,ou=
name,o=name))
This works very well. Now I have a new challenge to solve. I want to
check whether the authorised user is in the group "internet" OR "marketing" OR
"normal" OR ...
He should be in one !! of these groups, not in all !
See RFC2254
& is AND
| is OR
(&(cn=%s)(objectClass=person)(|(groupMembership=cn=Internet,ou=name,ou=name,o=name)(groupMembership=cn=Marketing,ou...)(groupMembership=cn=Normal,ou..)(...)))
But personally I would make the setup as follows
  1. One single group which determines if the user should at all be 
allowed to use the Internet, if not all users should be allowed. This is 
optional.

  2. A number of groups verified by squid_ldap_group for giving different 
levels of access to the Internet.

Regards
Henrik
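A worked version of the filter composition above, as an added example (not code from the thread or from Squid): it builds the AND/OR template that goes into squid_ldap_auth -f, then shows why the value substituted for %s must be escaped before it lands inside the filter. The escaping follows RFC 4515, which superseded the RFC 2254 syntax Henrik cites; attribute names and group DNs are placeholders modelled on the thread. Whether a given squid_ldap_auth version escapes the login name itself is not shown on this page and has to be checked against its source.

```python
# Added example, not from the squid-users thread or the Squid project.
# Builds the "user AND (group1 OR group2 OR ...)" filter and escapes %s values.

# RFC 4515: these characters carry meaning inside an assertion value and must be
# written as \XX so the value is matched literally.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value):
    """Escape a login name (or any value) so it can only match as a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def any_of_groups_filter(user_attr, group_dns, group_attr="groupMembership",
                         extra="(objectClass=person)"):
    """Return a squid_ldap_auth -f template: (&(user=%s)(extra)(|(g1)(g2)...)).

    %s is left in place; the helper substitutes the login name per request.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    alternatives = "".join(f"({group_attr}={dn})" for dn in group_dns)
    return f"(&({user_attr}=%s){extra}(|{alternatives}))"


def instantiate_unsafe(template, username):
    """Plain text substitution: a name containing ( or ) changes the filter's shape."""
    return template.replace("%s", username)


def instantiate(template, username):
    """Substitute the login name as a literal value only."""
    return template.replace("%s", escape_filter_value(username))


def structure_preserved(template, instantiated):
    """True when substitution added no parentheses, i.e. only a value was filled in."""
    return (instantiated.count("(") == template.count("(")
            and instantiated.count(")") == template.count(")"))
```

The structure check compares parenthesis counts: a correctly escaped substitution can add none, so any difference means the login name changed the shape of the query rather than just its value.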


Re: [squid-users] squid_ldap_auth

2004-07-27 Thread Henrik Nordstrom
Right. The LDAP Helpers update patch to 2.5.STABLE6 was quite broken. 
Should be fixed now (Bug #1018).

Regards
Henrik

On Mon, 26 Jul 2004, Neil Wilson wrote:

> I have tried using a non daily autogenerated release, but a stable 2.5
> version and now I don't get the same problem.
> 
> Thanks!
> 
> Neil Wilson
> DcData/LinuxBox S.A.
> 
> - Original Message - 
> From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
> To: "Neil Wilson" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>; "David Wilson" <[EMAIL PROTECTED]>
> Sent: Monday, July 26, 2004 3:48 PM
> Subject: Re: [squid-users] squid_ldap_auth
> 
> 
> > On Mon, 26 Jul 2004, Neil Wilson wrote:
> >
> > > Error:
> > > squid_ldap_auth: sasl.c:83: ldap_sasl_bind: Assertion `ld != ((void
> *)0)'
> > > failed.
> >
> > Wtf... squid_ldap_auth asks for a simple bind, not a sasl bind. Looks like
> > the OpenLDAP version you are using is broken or they have changed the API
> > in manners seriously incompatible with earlier versions or other LDAP
> > libraries (which I doubt).
> >
> > Regards
> > Henrik
> >
> 




Re: [squid-users] squid_ldap_auth

2004-07-26 Thread Henrik Nordstrom
On Mon, 26 Jul 2004, Neil Wilson wrote:

> Error:
> squid_ldap_auth: sasl.c:83: ldap_sasl_bind: Assertion `ld != ((void *)0)'
> failed.

Wtf... squid_ldap_auth asks for a simple bind, not a sasl bind. Looks like 
the OpenLDAP version you are using is broken or they have changed the API 
in manners seriously incompatible with earlier versions or other LDAP 
libraries (which I doubt).

Regards
Henrik



Re: [squid-users] squid_ldap_auth for two ldap servers

2004-05-27 Thread ashish . uchil




Use the following script.
What it does is first go to the first LDAP server and verify the
username/password.
If that LDAP server does not have this user then it goes on to the next one.
I use it and it is working fantastically.

#!/usr/bin/perl
$|=1;
use IPC::Open2;
# One squid_ldap_auth child per directory. open2() turns autoflush on for the
# write handles, so each request reaches the child before we wait for its reply.
open2(*read1,*write1,"/usr/lib/squid/squid_ldap_auth ...full command with parameters for LDAP server 1");

open2(*read3,*write3,"/usr/lib/squid/squid_ldap_auth full command with parameters for LDAP server 2 ");
while(<>) {
  # try server 1 first; an OK reply is final
  print write1 $_;
  $ans = <read1>;
  if( $ans =~ /^OK/) {
    print $ans;
    next;
  }
  # otherwise ask server 2 and pass on whatever it answers (OK or ERR)
  print write3 $_;
  $ans = <read3>;
  print $ans;
}


   
[EMAIL PROTECTED]
05/27/04 06:33 PM
To: [EMAIL PROTECTED]
cc:
Subject: [squid-users] squid_ldap_auth for two ldap servers




Hello,

I'm working with squid 2.5 stable 5 and an LDAP authentication which works
great.

My problem is that squid_ldap_auth should work with 2 different LDAP
servers. I know it's not possible yet without changing the source code.
And there I do have some trouble.

There are two different LDAP servers.
Persons with a uid which contains a number [0-9] should authenticate
on Server A.
Persons without a number in the uid should authenticate on Server B.

So I thought I would just check the uid for numbers (right after the user
and passwd are collected by squid_ldap_auth) and change the server if
necessary.

I do open squid_ldap_auth with -b "basedn of Server A" -f ... ... Server A

My program looks like this (I haven't changed anything else), but it doesn't
work. Since I am not really into C programming I hope to get some answers
here.

    while (fgets(buf, 256, stdin) != NULL) {
        user = strtok(buf, " \r\n");
        passwd = strtok(NULL, "\r\n");

        if (!user || !passwd || !passwd[0]) {
            printf("ERR\n");
            continue;
        }

        /* the part above (unchanged) collects the "user" and "passwd", right? */
        /* my additional source code starts here */

        char numbers[] = "0123456789";  /* just a definition of the numbers I'm looking for */
        char *helpvar = NULL;
        helpvar = strpbrk(user, numbers);

        /* search for numbers - if "user" contains a number, helpvar = address of the
           first number - if not, helpvar stays NULL */

        if (helpvar == NULL) {
            basedn = "basedn of Server B";
            ldapServer = "Server B";
        }
        /* since I already defined basedn A and Server A with the opening of
           squid_ldap_auth I don't need to change anything if helpvar != NULL */
        /* from now on again unchanged source code */

        rfc1738_unescape(user);
        rfc1738_unescape(passwd);
        ...

I know I shouldn't hard-code Server B in the source, but first it
should work; later I can try to implement a second basedn and server at the
start of the program (perhaps with -x basedn2 / -y server2).

I hope you can help me, otherwise we have to run 2 squid servers
simultaneously (which isn't wanted). A change to only one LDAP server (with
every user on it) is out of the question.

Thank you
~ Dominique






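The two approaches in this message, chaining the helpers (the Perl script above) and choosing the directory from the uid (Dominique's question), written as one front-end in Python. This is an added example, not code from the thread or from Squid: it speaks the same line protocol as squid_ldap_auth ("user password" in, "OK" or "ERR" out, both fields URL-encoded, which is what the helper's rfc1738_unescape() undoes), decides per request instead of changing settings shared across requests, and relays each line to a real helper process. The helper command lines, the in-memory backend used for offline testing, and every account name are placeholders.

```python
# Added example, not from the thread or from Squid: a front-end that dispatches
# basic-auth helper requests to two squid_ldap_auth children.
import re
import shlex
import subprocess
import sys
from urllib.parse import unquote

DIGIT = re.compile(r"[0-9]")


def parse_line(line):
    """Split one helper request into (user, password).

    Squid URL-encodes both fields, so they are decoded here the way the C helper's
    rfc1738_unescape() does. Returns None for malformed input (the helper's ERR path).
    """
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[1]:
        return None
    return unquote(parts[0]), unquote(parts[1])


def chain(line, backends):
    """Ask each backend in turn; the first OK is final, otherwise the last reply is returned."""
    reply = "ERR\n"
    for ask in backends:
        reply = ask(line)
        if reply.startswith("OK"):
            break
    return reply


def route_by_digit(line, with_digit, without_digit):
    """Send uids containing a digit to one backend and every other uid to the other."""
    creds = parse_line(line)
    if creds is None:
        return "ERR\n"
    backend = with_digit if DIGIT.search(creds[0]) else without_digit
    return backend(line)


class HelperProcess:
    """One running squid_ldap_auth child; calling it sends a request and reads the reply."""

    def __init__(self, command):
        self.proc = subprocess.Popen(shlex.split(command), stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def __call__(self, line):
        self.proc.stdin.write(line if line.endswith("\n") else line + "\n")
        self.proc.stdin.flush()
        return self.proc.stdout.readline() or "ERR\n"   # EOF from a dead helper is a failure


def in_memory_backend(accounts):
    """Constructed stand-in for a helper (user -> password), used to exercise the logic offline."""
    def ask(line):
        creds = parse_line(line)
        ok = creds is not None and accounts.get(creds[0]) == creds[1]
        return "OK\n" if ok else "ERR\n"
    return ask


def main(argv):
    """usage: front.py chain|route '<helper command for server A>' '<helper command for server B>'"""
    if len(argv) != 4 or argv[1] not in ("chain", "route"):
        sys.exit(main.__doc__)
    a, b = HelperProcess(argv[2]), HelperProcess(argv[3])
    for line in sys.stdin:
        reply = chain(line, [a, b]) if argv[1] == "chain" else route_by_digit(line, a, b)
        sys.stdout.write(reply)
        sys.stdout.flush()


if __name__ == "__main__":
    main(sys.argv)
```

In chain mode a wrong password is presented to both directories, so a lockout policy on the second directory sees every failure that the first one already rejected; route mode sends each request to exactly one server.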

Re: [squid-users] squid_ldap_auth referral issue

2004-05-11 Thread Stefano Mason
Stefano Mason wrote:
Can someone inform me where I'm wrong?

NO one!

squid_ldap_auth doesn't follow referrals!

Maybe!

Version:  squid-2.5.STABLE5
OS: Red Hat Linux release 9
squid_ldap_auth has a useless -R parameter! With or without it the result is the same!

Thanks!
Cheers.
Stefano

Test:

[EMAIL PROTECTED] LDAP]$ ./squid_ldap_auth -b "o=t-systems,c=it" -f "uid=%s"
ldap
myworkroomtest1 livelink
OK
Issue (holly is another ldap with referral):
[EMAIL PROTECTED] LDAP]$ ./squid_ldap_auth -b "o=t-systems,c=it" -f "uid=%s"
holly
myworkroomtest1 livelink
squid_ldap_auth: WARNING, LDAP search error 'Referral'
squid_ldap_auth: WARNING, LDAP search error 'Referral'
ERR
Same test with ldapsearch:

[EMAIL PROTECTED] LDAP]$ ldapsearch -x -b "o=t-systems,c=it" -h holly
uid=myworkroomtest1
version: 2
#
# filter: uid=myworkroomtest1
# requesting: ALL
#
# search result
search: 2
result: 10 Referral
ref: ldap://ldap.debis.it:389/O%3dT-Systems,C%3dIT
# numResponses: 1

(ldapsearch with -C parameter)

[EMAIL PROTECTED] LDAP]$ ldapsearch -C -x -b "o=t-systems,c=it" -h holly
uid=myworkroomtest1
version: 2
#
# filter: uid=myworkroomtest1
# requesting: ALL
#
# myworkroomtest1, User, T-Systems, IT
dn: CN=myworkroomtest1,OU=User,O=T-Systems,C=IT
mail: [EMAIL PROTECTED]
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
sn: myworkroomtest1
uid: myworkroomtest1
ars: generale
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
squid_ldap_auth returns the same error twice ("squid_ldap_auth: WARNING,
LDAP search error 'Referral'"); is it possible that the second time it doesn't use the
new ldapurl/host?
Many thanks in advance.
Best regards.
Stefano



Re: [squid-users] squid_ldap_auth and squid_ldapauth

2004-04-20 Thread Henrik Nordstrom
On Tue, 20 Apr 2004, Vladimir Nikolic wrote:

> I have SuSE 9.0 with squid-2.5.STABLE3-93 and I want to configure ldap 
> authentication with squid. When I test ldap connection with squid_ldap_auth:
> squid_ldap_auth -b ou=people,dc=mycompany,dc=si server_ip
> username password
> OK
> it works.


Good, then use that in squid.conf.


> but when I try with squid_ldap_auth (ldap-suffix = 
> ou=people,dc=mycompany,dc=si, ldap-passwdfield = 
> userpassword,ldap-filter = (uid=%s)...), I've got the answer:
> ldap result was empty (user not found)

What syntax is this?

Regards
Henrik



Re: [squid-users] Squid_Ldap_auth command line example

2004-03-29 Thread Henrik Nordstrom
On Mon, 29 Mar 2004, Babs wrote:

> I have Squid stable 2.54 compiled with Squid_ldap_Auth
> and Squid_ldap_group ready. My Win2K ADS structure is as
> follows: under "mydomain.com" I have an OU called
> "Test", under which I have a user called "testuser".
> Using Squid_ldap_auth how do I check the
> authentication from the
> command line? I am looking for an example.

There are several ADS examples in the squid_ldap_auth manual.

To test a basic auth helper from the command line just start it (with the 
correct options), then type
username password

Regards
Henrik




Re: [squid-users] Squid_ldap_auth against Active Directory (FTP - HTTP)

2004-03-29 Thread Henrik Nordstrom
On Mon, 29 Mar 2004, Berg, Matthias wrote:

> But we are differentiating with two groups.
> 
> GG-WEB-HTTP has only WEB entrance.
> 
> GG-WEB-FTPHTTP has FTP and WEB entrance.
> 
> How can I realize that?


By using squid_ldap_group to make the group membership lookups.

Regards
Henrik



Re: [squid-users] squid_ldap_auth works fine with Active Directory but..

2004-03-26 Thread Henrik Nordstrom
On Fri, 26 Mar 2004, Berg, Matthias wrote:

> A user enters their user name and a wrong password (3 times); squid closes the
> access to the internet with the error message ACCESS DENIED.   That's Ok
> too.
> 
> But Active Directory will lock out the User Account.
> Is that normal?

If your domain policy says accounts are locked after three bad logins then
three bad logins will lock the account, no matter how/where these logins
are done.

Regards
Henrik



RE: [squid-users] squid_ldap_auth Windows 2003

2004-02-27 Thread Henrik Nordstrom
On Fri, 27 Feb 2004, Craig Scott wrote:

> But as ldapsearch works every time along with the other ldap tools and
> facilities we employ, does this not point towards the squid_ldap_auth
> module? 

Not sure. It does pretty much the same things as ldapsearch with a binddn 
specified.

The only difference is that after the search has completed 
squid_ldap_auth rebinds as the user found in the directory. If your server 
rejected every request or the use of persistent LDAP connections this 
would make sense as a source of the problem, but not rejecting every 
second request to the LDAP server like your logs indicate.

> Furthermore, as I mentioned squid_ldap_auth was working fine with
> Windows 2000 active directory, the 2000 to 2003 active directory upgrade
> process modifies the directory schema and introduces new security
> settings; might these be affecting the ldap queries performed by
> squid_ldap_auth?

Security settings may obviously have some effect, but these are usually 
all or nothing.

Regards
Henrik
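The sequence Henrik describes (bind as the binddn account, search for the user's entry, then rebind as the DN that came back), together with the lockout point from the "works fine with Active Directory but.." message above, modelled against a constructed in-memory directory. This is an added example, not the helper's source or a real LDAP client: it exists to make the two separate credential checks visible, the service account's (read access is all it needs) and the user's (the rebind is where the password is actually tested), and to show that bad passwords presented through the helper count against the same lockout policy as any other logon. DNs, attribute names, passwords and the lockout threshold are all placeholders.

```python
# Added example, not from the thread or from Squid: an in-memory model of the
# bind / search / rebind sequence squid_ldap_auth performs for one request.


class InvalidCredentials(Exception):
    """Bind rejected: unknown DN or wrong password."""


class AccountLocked(Exception):
    """Bind rejected: the account reached the lockout threshold."""


class Directory:
    """Constructed toy directory: dn -> attributes; 'userPassword' is what bind checks."""

    def __init__(self, entries, lockout_threshold=3):
        self.entries = entries
        self.lockout_threshold = lockout_threshold
        self.failures = {dn: 0 for dn in entries}
        self.locked = set()

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        if entry is None:
            raise InvalidCredentials(dn)
        if dn in self.locked:
            raise AccountLocked(dn)
        if entry["userPassword"] != password:
            # every failed bind counts, whichever client produced it
            self.failures[dn] += 1
            if self.failures[dn] >= self.lockout_threshold:
                self.locked.add(dn)
            raise InvalidCredentials(dn)
        self.failures[dn] = 0

    def search(self, basedn, attr, value):
        """Return the DNs under basedn whose attribute equals value (exact match only)."""
        base = basedn.lower()
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base) and e.get(attr) == value]


def check(directory, binddn, bindpw, basedn, user_attr, line):
    """Model of one helper request: returns ("OK", user_dn) or ("ERR", reason)."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[1]:
        return "ERR", "malformed request"
    user, password = parts
    # step 1: bind as the helper's own account; it only needs to read the directory
    try:
        directory.bind(binddn, bindpw)
    except (InvalidCredentials, AccountLocked) as exc:
        return "ERR", f"could not bind to binddn ({type(exc).__name__})"
    # step 2: the search (the -b / -f part that ldapsearch also does) maps login name to DN
    matches = directory.search(basedn, user_attr, user)
    if len(matches) != 1:
        return "ERR", f"search returned {len(matches)} entries"
    # step 3: rebind as that DN; this is the only place the user's password is tested
    try:
        directory.bind(matches[0], password)
    except AccountLocked:
        return "ERR", "account locked"
    except InvalidCredentials:
        return "ERR", "invalid password"
    return "OK", matches[0]


SERVICE_DN = "cn=squid,ou=svc,dc=example,dc=com"   # placeholder binddn
BASE_DN = "dc=example,dc=com"                       # placeholder search base


def sample_directory():
    """Constructed contents for offline use: one service account, one user."""
    return Directory({
        SERVICE_DN: {"userPassword": "svcpw", "sAMAccountName": "squid"},
        "cn=alice,ou=users,dc=example,dc=com": {"userPassword": "pw1", "sAMAccountName": "alice"},
    })
```

A failure at step 1 is a service-account problem (its password, its lockout state, or missing read access) and is independent of which user is logging in; a search that returns no entry, or more than one, is an ERR before any password is tried; only step 3 consumes a bad-password attempt against the user's own account.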




RE: [squid-users] squid_ldap_auth Windows 2003

2004-02-27 Thread Craig Scott
But as ldapsearch works every time along with the other ldap tools and
facilities we employ, does this not point towards the squid_ldap_auth
module? 

Furthermore, as I mentioned squid_ldap_auth was working fine with
Windows 2000 active directory. The 2000 to 2003 active directory upgrade
process modifies the directory schema and introduces new security
settings; might these be affecting the ldap queries performed by
squid_ldap_auth?

Craig Scott
IT Development Officer
South Tyneside College
Tel: (0191) 4273670

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: 27 February 2004 12:28
To: Craig Scott
Cc: 'Henrik Nordstrom'; [EMAIL PROTECTED]
Subject: RE: [squid-users] squid_ldap_auth Windows 2003 

On Fri, 27 Feb 2004, Craig Scott wrote:

> That is correct I am not using the persistent connections (-P), out of
> curiosity I tried using the -P switch this morning but it has made no
> difference.

Then the operations of your AD is very odd indeed, refusing every second
attempt to access the LDAP directory.

Regards
Henrik




RE: [squid-users] squid_ldap_auth Windows 2003

2004-02-27 Thread Henrik Nordstrom
On Fri, 27 Feb 2004, Craig Scott wrote:

> That is correct I am not using the persistent connections (-P), out of
> curiosity I tried using the -P switch this morning but it has made no
> difference.

Then the operations of your AD is very odd indeed, refusing every second 
attempt to access the LDAP directory.

Regards
Henrik



RE: [squid-users] squid_ldap_auth Windows 2003

2004-02-27 Thread Craig Scott
That is correct I am not using the persistent connections (-P), out of
curiosity I tried using the -P switch this morning but it has made no
difference.
 
Craig Scott
IT Development Officer
South Tyneside College
Tel: (0191) 4273670

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: 26 February 2004 19:05
To: Craig Scott
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] squid_ldap_auth Windows 2003 

On Thu, 26 Feb 2004, Craig Scott wrote:

> As squid_ldap_auth eventually returns an OK and ldapsearch works with
> the same query I do not believe this problem to be related to security
> permissions. 
> 
> Any on the cause of this and how it can be resolved?

Not sure. The symptoms displayed could make sense if you were using 
persistent LDAP connections, but from what I can tell you are not (this
is specified by the -P option to squid_ldap_auth).

Regards
Henrik



