OK, still stumped.

I ran the following as asked, with the following output:

 ldapsearch -x -h 10.61.1.248 -b "" -s base "" namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting:  namingContexts
#

#
dn:
namingContexts: DC=bdmn,DC=foo,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=foo,DC=com
namingContexts: CN=Configuration,DC=foo,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I then edited my squid conf file: I commented out the ncsa_auth line below and added the ldap_auth line.

#auth_param basic program /usr/local/squid/bin/squid ncsa_auth /usr/local/squid/etc/passwd
auth_param basic program /usr/local/squid/bin/squid_ldap_auth -u cn -b cn=users,dc=bdmn,dc=foo,dc=com 10.61.1.248
auth_param basic children 5


I am still unable to authenticate.

I also tried

auth_param basic program /usr/local/squid/bin/squid_ldap_auth -b dc=bdmn,dc=foo,dc=com 10.61.1.248

Thanks



On Nov 5, 2003, at 10:08 AM, Henrik Nordstrom wrote:

On Wed, 5 Nov 2003 [EMAIL PROTECTED] wrote:

I could use some guidance configuring my squid installation with a Windows
2000 Active Directory forest. I have read the past posts as well as the
man page. I am very new to LDAP and will admit I have not gotten my arms
around it yet.


My Windows domain lives in an Active Directory forest my corporate
offices maintain.  My domain lives at bdmdom.corp.com.  I am trying to
connect and authenticate against my Exchange server at my location.  I
have Admin rights over my domain.

Can someone please point me in the correct direction or provide the squid
config for an LDAP connection to Windows 2000?


The first step is figuring out the Base DN of your AD server. This is
usually the domain directly translated into dn components


dc=bdmdom, dc=corp, dc=com



it might also be possible to ask the AD server what its naming contexts
are:


ldapsearch -x -h your.ad.server -b "" -s base "" namingContexts

then, if your AD allows for anonymous searches you should be able to use
the example from the squid_ldap_auth manual as is, just replacing the base
DN.



If your AD does not allow anonymous searches then a dummy account needs
to be created, and some digging is required to find the LDAP name of
this account. The LDAP name of the account can probably be found in the
MSAD administration tool as a property of the account; if not, you can try
to guess what it is. Guessing is usually not too hard as there is a very
close relation between AD structure and LDAP DN names of objects in that
structure, where each container is named with a cn attribute in LDAP. Thus
if you have the user "squid" in the container "users" then the LDAP DN of
this user should be "cn=squid, cn=users, dc=bdmdom, dc=corp, dc=com".



It is strongly advised to use ldapsearch and other LDAP navigation tools
to familiarise yourself a little with what the AD looks like via LDAP.
Things do get a whole lot more obvious once one has looked at the AD tree
via LDAP a little.


Regards
Henrik
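[Editor's added example, not part of either message above.] Henrik's reply lays out a procedure: derive the base DN from the DNS domain, confirm it against the server's namingContexts, check whether anonymous searches work, and fall back to a dummy bind account if they do not. The script below walks those checks in order and then drives squid_ldap_auth by hand the way squid does (one "user password" line on stdin, expect "OK" or "ERR" back), which is the quickest way to find out why the proxy still refuses logins. The host, helper path and DNs are placeholders copied from the thread; the sample LDIF is the transcript from the first message, embedded so the parsing functions can be exercised offline; the dummy account, its password and the test user are assumptions. One check a practitioner will want that the thread does not mention: `-u cn` makes the helper build the user DN from the cn attribute, which in AD is the display name, while the name people type at the proxy is stored in sAMAccountName, so the bind-account branch looks the user up with `-f '(sAMAccountName=%s)'` instead.

```shell
#!/bin/sh
# Editor's example (not from the thread). Checks Henrik's steps in order,
# then drives squid_ldap_auth exactly as squid would. Host, helper path and
# DNs come from the thread; user, dummy account and password are assumed.
set -e

AD_HOST="${AD_HOST:-10.61.1.248}"
HELPER="${HELPER:-/usr/local/squid/bin/squid_ldap_auth}"

# Constructed sample: the RootDSE transcript from the first message, used
# so the parsing below can be tried without a server.
SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
dn:
namingContexts: DC=bdmn,DC=foo,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=foo,DC=com
namingContexts: CN=Configuration,DC=foo,DC=com

# search result
search: 2
result: 0 Success'

# Henrik's rule: each DNS label becomes a dc= component,
# e.g. bdmdom.corp.com -> dc=bdmdom,dc=corp,dc=com
domain_to_basedn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# Pull the namingContexts values out of ldapsearch LDIF on stdin
# (works on a saved transcript as well as on live output).
naming_contexts() {
    sed -n 's/^namingContexts: //p'
}

# Squid's base DN is the domain partition (starts with DC=); the
# CN=Schema and CN=Configuration partitions contain no user accounts.
domain_context() {
    naming_contexts | grep -i '^dc=' | head -n 1
}

# Step 1: anonymous RootDSE query. No namingContexts back means the
# host/port is wrong or the server refuses anonymous RootDSE reads.
query_root_dse() {
    ldapsearch -x -h "$AD_HOST" -b "" -s base "" namingContexts
}

# Step 2: can an anonymous bind search under the base DN at all? This is
# the case Henrik's dummy account exists for when it fails.
anon_search_ok() {
    ldapsearch -x -h "$AD_HOST" -b "$1" -s base '(objectclass=*)' dn >/dev/null 2>&1
}

# Step 3: feed the helper one "user password" line, as squid does, and
# return the last line it prints ("OK" or "ERR").
check_helper() {
    _user=$1; _pass=$2; shift 2
    printf '%s %s\n' "$_user" "$_pass" | "$HELPER" "$@" 2>&1 | tail -n 1
}

# Offline: show what the parsing makes of the thread's own transcript.
echo "domain partition in sample: $(printf '%s\n' "$SAMPLE_LDIF" | domain_context)"

# Live run only when invoked as: sh thisfile --live <user> <password>
if [ "${1:-}" = "--live" ]; then
    base=$(query_root_dse | domain_context)
    echo "base DN from RootDSE: $base"
    if anon_search_ok "$base"; then
        # Anonymous search allowed: the helper line from the thread, as-is.
        check_helper "$2" "$3" -b "cn=users,$base" -u cn "$AD_HOST"
    else
        # Anonymous search refused: bind as a dummy account (Henrik's
        # advice) and find the user by sAMAccountName, the attribute that
        # holds the Windows login name; cn is the display name.
        check_helper "$2" "$3" -v 3 -b "$base" \
            -D "cn=squid,cn=users,$base" -w 'dummy-password' \
            -f '(sAMAccountName=%s)' "$AD_HOST"
    fi
fi
```

Run it with `--live user password` on the proxy box itself; an "ERR" from `check_helper` in the first branch while the second branch says "OK" is the usual outcome against AD and points at the `-u cn` / anonymous-search assumptions rather than at squid.conf.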

