Greetings,

Have a bit of a problem trying to get Squid authentication working against a Lotus Domino LDAP directory. The actual authentication part is OK; if I want everyone in my Domino directory to have access through Squid, it is not a problem. The real issue arises when I try to filter it based on group membership.

I have been through all the past mailing list articles in regard to this topic, and I've tried a whole bunch of different things, and I'm not having any luck (my LDAP skills are weak).

Taking a step back, what I'm actually trying to achieve here is single sign-on between IBM WebSphere Portal 6.0 and Squid (2.5.STABLE3), so that after my users sign on to Portal, they are not prompted for their internet password when they try to visit external sites linked from the portal. WebSphere is already using the Domino LDAP for user authentication, so I figured that getting the two apps authenticating from the same place is a good start.

Please find below the relevant pieces of my current squid.conf. If anyone could shed any light as to what I'm doing incorrectly here, it would be greatly appreciated.


--------------------------------------

#  TAG: auth_param

# %s is replaced by the login name the browser sends in the Proxy-Authorization header
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "" -f uid=%s xx.xx.xx.xx
--------------------------------------
#  TAG: external_acl_type

# -F: filter that locates the user's entry (%s = login name); the DN it finds becomes %u
# -f: group filter (%g = group name given on the acl line, %u = the user's DN from -F)
external_acl_type inetusers %LOGIN /usr/lib/squid/squid_ldap_group -b "" -f "(&(cn=%g)(objectClass=groupOfNames)(member=%u))" -F "(&(uid=%s)(objectClass=Person))" xx.xx.xx.xx
--------------------------------------
#  TAG: acl

acl ldap_password proxy_auth required
# "ProxyUsers" is handed to the helper as the %g group name
acl inet_users external inetusers ProxyUsers
--------------------------------------
#  TAG: http_access

http_access allow inet_users
http_access allow localhost
http_access deny all
--------------------------------------

I hope that this is enough information to show what it is that I am doing; I'm pretty sure those are all the relevant bits. Note that without the external ACL, the authentication works perfectly. I would like to restrict access to members of the LDAP group "ProxyUsers".

I look forward to any assistance.

Regards,

Chris Mitchell
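The two-step lookup that the squid_ldap_group line above asks the helper to perform, modelled in Python as an added example (this is not code from the original post, nor from Squid itself): the -F filter finds the user's DN from the login name, then the -f filter is evaluated with that DN as %u and the acl's group name as %g. The directory contents, the DNs and the "O=Example" base are constructed for the example; what objectClass Domino actually puts on its group entries, and whether "member" holds full DNs, is exactly what should be verified with an ldapsearch before trusting this filter. The example also escapes every substituted value per RFC 4515, which is what keeps a login name like `*)(uid=*` from rewriting the filter.

```python
import re

# RFC 4515 filter escaping: any character that would change the filter's structure
# is replaced by a backslash and its two-digit hex code.
def ldap_escape(value: str) -> str:
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

# Expand the squid_ldap_group placeholders (%s login, %u user DN, %g group name),
# escaping each value so it is matched literally rather than parsed.
def expand(template: str, **subs) -> str:
    return re.sub(r"%([sug])", lambda m: ldap_escape(subs[m.group(1)]), template)

# Minimal parser for the filter shapes on the page: (attr=value) and (&(...)(...)).
def _parse(filt: str, i: int = 0):
    if filt[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, filt))
    if filt[i + 1] == "&":
        children, i = [], i + 2
        while filt[i] == "(":
            node, i = _parse(filt, i)
            children.append(node)
        if filt[i] != ")":
            raise ValueError("unterminated AND filter")
        return ("and", children), i + 1
    end = filt.index(")", i)              # literal ')' in values is escaped, so this is safe
    attr, _, val = filt[i + 1:end].partition("=")
    return ("eq", attr.lower(), _unescape(val)), end + 1

def _matches(entry: dict, node) -> bool:
    if node[0] == "and":
        return all(_matches(entry, c) for c in node[1])
    _, attr, want = node
    # caseIgnoreMatch semantics, which is what cn/objectClass/DN comparisons use
    return want.lower() in [v.lower() for v in entry.get(attr, [])]

# Return the DNs under `base` whose entry satisfies `filt`.  An empty base
# (the -b "" on the page) searches the whole directory.
def search(directory: dict, base: str, filt: str) -> list:
    node, _ = _parse(filt)
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith(base.lower()) and _matches(entry, node)]

# The filters exactly as they appear in the posted external_acl_type line.
USER_FILTER = "(&(uid=%s)(objectClass=Person))"
GROUP_FILTER = "(&(cn=%g)(objectClass=groupOfNames)(member=%u))"

def is_group_member(directory: dict, user: str, group: str, base: str = "",
                    user_filter: str = USER_FILTER, group_filter: str = GROUP_FILTER) -> bool:
    # Step 1 (-F): resolve the login name to exactly one user DN.
    dns = search(directory, base, expand(user_filter, s=user))
    if len(dns) != 1:
        return False
    # Step 2 (-f): the user DN becomes %u, the acl's group name becomes %g.
    return bool(search(directory, base, expand(group_filter, u=dns[0], g=group)))

# The helper protocol: Squid writes "user group1 [group2 ...]" per line, the helper
# answers OK if the user is in any listed group, otherwise ERR.
def helper_line(directory: dict, line: str) -> str:
    parts = line.split()
    if len(parts) < 2:
        return "ERR"
    user, groups = parts[0], parts[1:]
    return "OK" if any(is_group_member(directory, user, g) for g in groups) else "ERR"

# Constructed sample directory; attribute names are stored lower-cased.
DIRECTORY = {
    "CN=Jane Doe,O=Example": {"uid": ["jdoe"], "cn": ["Jane Doe"],
                              "objectclass": ["top", "Person", "inetOrgPerson"]},
    "CN=Bob Roe,O=Example": {"uid": ["broe"], "cn": ["Bob Roe"],
                             "objectclass": ["top", "Person"]},
    "CN=ProxyUsers,O=Example": {"cn": ["ProxyUsers"],
                                "objectclass": ["top", "groupOfNames"],
                                "member": ["CN=Jane Doe,O=Example"]},
}

if __name__ == "__main__":
    for line in ("jdoe ProxyUsers", "broe ProxyUsers", "*)(uid=* ProxyUsers"):
        print("%-22s -> %s" % (line, helper_line(DIRECTORY, line)))
```

If the real helper answers ERR for a user who is in the group, feed it the same "user group" line on standard input by hand and compare the DNs and objectClass values it searches for against an ldapsearch of the group entry; a mismatch in either step (the user entry not matching `(objectClass=Person)`, the group not carrying `groupOfNames`, or `member` not holding the full DN that step one returned) is enough to make membership fail even though plain authentication succeeds.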

