[squid-users] Problems with ldap authentication

Amos Jeffries squid3 at treenet.co.nz
Tue Dec 8 08:23:38 UTC 2015 

On 8/12/2015 4:00 p.m., Marcio Demetrio Bacci wrote:
> I have changed my authentication block as below, but is not working.
> 
> The proxy user is a Read Only Domain Controller member. The password is
> correct.
> 
> Samba4, krb5-user and winbindd are installed and work perfectly. Do I need
> install any other package?

What authentication system do you think you are using? Basic or
Kerberos? because you configured Basic.

> 
> How can I test in command line?
> 

Everthign in squid.conf after the "auth_param basic program " is the
command line for the helper.
* Run that command line:
  /usr/lib/squid3/basic_ldap_auth \
   -b cn=users,dc=empresa,dc=com,dc=br \
   -D cn=proxy,cn=users,dc=empresa,dc=com,dc=br -w test_12345 \
   -h 192.168.0.25 -p 389 -s sub -v 3 -f "sAMAccountName=%s"

* If nothing happens and it just waits for input, it has started properly.

* Enter two words on each line, username and password for a user account
which might be using Squid. Try both valid and invalid combos.

* The helper will reply OK (valid) or ERR (invalid) if it has been a
successful check. BH if there was a failure.


> Have anything wrong in my authentication block ?
> 
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -b
> cn=users,dc=empresa,dc=com,dc=br -D
> cn=proxy,cn=users,dc=empresa,dc=com,dc=br -w test_12345 -h 192.168.0.25 -p
> 389 -s sub -v 3 -f "sAMAccountName=%s"
> auth_param basic children 50
> auth_param basic realm Proxy Server Squid
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off


Nothing particularly visible to me. But that said I'm not a regular user
of LDAP, so there could be something subtle hiding in the LDAP query
strings or ither parameters that deos not match what your LDAP service
needs.


> 
> With the command "ldbsearch -H /opt/samba/private/sam.ldb
> '(objectclass=user)' uidNumber gidNumber ", my result is:
> # record 881
> dn: CN=proxy,CN=Users,DC=empresa,DC=com,DC=br
> uidNumber: 10558
> gidNumber: 30037
> 

The U on Users is upper case in this test. It is lower case in your
config file.

The DC/dc CN/cn values are also different case. That might matter to
your LDAP system.

If either of those turn out to be the problem, then you will need to fix
the -b parameter as well.


Amos

More information about the squid-users mailing list