[squid-users] basic_ldap_auth and 389 Directory Server configuration help

Matt de Pass mattdepass at weacceptyou.com
Tue Oct 14 16:17:30 UTC 2014


Greetings,

I've been trying to configure LDAP authentication to our proxy (CentOS 6.5) but have been unable to establish a connection with basic_ldap_auth. Following various online guides, I've configured Squid with the following options and it appears to be working as expected, with the exception of authentication.

Squid Cache: Version 3.4.8
configure options:  '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/lib/squid' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig' '--enable-ltdlconvenience' '--with-ldap=yes' '--enable-debug-cbdata' --enable-ltdl-convenience

We have a 389 Directory Server (CentOS 6.5) with a very basic configuration, which also appears to work correctly. From the proxy host, we can successfully query the directory.

ldapsearch -LLLx -h ldap01 -p 389 -D 'cn=directory manager' -w {password} -b "ou=People,dc=ourdomain,dc=com"

results in

dn: uid=myusername,ou=People,dc=ourdomain,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Name
givenName: First
uid: myusername
uidNumber: 556
gidNumber: 660
cn: First Name
homeDirectory: /home/myusername
mail: myusername at ourdomain.com
loginShell: /bin/tcsh
gecos: First Name
shadowLastChange: -1
shadowMin: -1
shadowMax: -1
shadowWarning: 7
userPassword:: e1NTBOR42203QmNGayx2VjcydAycFdminZNQk5YlNqYhxRGc9PQ=
 =

However, testing connectivity using the authentication module and the following arguments appears to yield a hang necessitating a ctrl-c exit.

/usr/lib64/squid/basic_ldap_auth -v 3 -b ou=People,dc=ourdomain,dc=com -D 'cn=directory manager' -w {password} -h ldap01 -Z

Attempting the same with digest_ldap_auth doesn’t cause a hang but instead displays the usage instructions.

/usr/lib64/squid/digest_ldap_auth -v 3 -b ou=People,dc=ourdomain,dc=com -D 'cn=directory manager' -w {password}  -h ldap01 -Z

Modifying the arguments as below causes a hang.

/usr/lib64/squid/digest_ldap_auth -b ou=People,dc=ourdomain,dc=com -A "cn=userPassword" -F "%s=uid" -D 'cn=directory manager' -w {password}  -h ldap01 -Z

Can somebody point me in the direction of the logs to be looking at to determine what could be wrong, or suggest some troubleshooting steps? The access log on the directory server suggests the authentication module isn’t able to communicate when ldapsearch can, so I suspect my arguments are incorrect. I’d appreciate any tips.

Thanks.
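Added example (not from the original post and not part of Squid): Squid basic-auth helpers such as basic_ldap_auth do not open a connection when started; they read one "username password" line per request on stdin (both values rfc1738-encoded, so a space becomes %20) and answer one line on stdout, "OK", "ERR [message]" or, from Squid 3.4 on, "BH [message]". Started on a terminal with nothing on stdin, the helper simply waits for that first line, which looks exactly like a hang. The script below feeds the helper a single credential line the way Squid does, enforces a timeout, and reports the helper's verdict together with anything it wrote to stderr (basic_ldap_auth's -d option prints its LDAP debug output there). The helper path, options and the sample user are assumptions for the invocation; the protocol handling is what the script demonstrates.

```python
"""Drive a Squid basic-auth helper the way Squid itself does.

Usage (helper path and options are whatever you run in squid.conf), e.g.:
  python3 helper_check.py /usr/lib64/squid/basic_ldap_auth -v 3 \
      -b ou=People,dc=ourdomain,dc=com -h ldap01 -d
The script then prompts for the username and password to test.
"""
import getpass
import subprocess
import sys
import urllib.parse

# Reply codes defined by the Squid helper protocol.
KNOWN_STATUS = ("OK", "ERR", "BH")


def encode_credential_line(user: str, password: str) -> str:
    """Build the request line Squid sends: rfc1738-encoded user and
    password separated by one space, newline-terminated. urllib's quote()
    with safe='' approximates Squid's rfc1738 escaping."""
    return "{} {}\n".format(urllib.parse.quote(user, safe=""),
                            urllib.parse.quote(password, safe=""))


def parse_helper_reply(line: str) -> tuple:
    """Split one helper reply into (status, message). Anything other than
    OK/ERR/BH is reported as UNKNOWN with the raw line as the message."""
    parts = line.strip().split(None, 1)
    if not parts:
        return ("UNKNOWN", "")
    status = parts[0]
    message = parts[1] if len(parts) > 1 else ""
    if status not in KNOWN_STATUS:
        return ("UNKNOWN", line.strip())
    return (status, message)


def check_credentials(helper_cmd, user, password, timeout=10.0):
    """Spawn the helper, send exactly one credential line, close stdin and
    collect the reply. Returns (status, message). If the helper gives no
    answer within `timeout` seconds it is killed and ("TIMEOUT", stderr)
    is returned: that is the interactive "hang", i.e. the helper never
    produced a verdict (for an LDAP helper, typically no LDAP connection)."""
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                            text=True)
    try:
        out, err = proc.communicate(encode_credential_line(user, password),
                                    timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        _, err = proc.communicate()
        return ("TIMEOUT", err.strip())
    lines = out.splitlines()
    status, message = parse_helper_reply(lines[0] if lines else "")
    # With no usable verdict, surface the helper's stderr (debug output).
    if status == "UNKNOWN" and err.strip():
        message = err.strip()
    return (status, message)


def main(argv):
    if len(argv) < 2:
        sys.stderr.write("usage: helper_check.py HELPER [HELPER-OPTIONS...]\n")
        return 2
    user = input("username to test: ")
    password = getpass.getpass("password: ")
    status, message = check_credentials(argv[1:], user, password)
    print("{} {}".format(status, message).rstrip())
    return 0 if status == "OK" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The same one-line check can be done by hand with printf and a pipe (echo "user password" | helper ...), but the script makes the timeout explicit, so a missing LDAP connection shows up as TIMEOUT plus the helper's debug output instead of a silent wait.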
