[squid-users] Using LDAP and NCSA auth

Amos Jeffries squid3 at treenet.co.nz
Tue Nov 18 12:12:22 UTC 2014



On 19/11/2014 12:30 a.m., schinken wrote:
> Hi there,
> 
> I'm currently trying to do authentication against LDAP and NCSA
> auth - but it looks like the user is never checked against NCSA if
> auth against LDAP failed (because the user doesn't exist):
> 
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "dc=COMPANY,dc=int" -D squid@company.int -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h ldap.company.int
>> auth_param basic children 100
>> auth_param basic realm Internet Proxy
>> auth_param basic credentialsttl 5 minute
>>
>> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
>> auth_param basic realm Internet Proxy Basic
>>
>> acl auth proxy_auth REQUIRED
> 
> If I try ncsa auth manually, it works:
> 
>> root@proxy:~# /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
>> nikola testla
>> OK
> 
> 
> The same is true for LDAP auth. But I can't get a fallback working.
> How could I solve this?

Two points:

1) Squid does not do authentication. What it does do is send
credentials to a helper and use the OK/ERR response that comes back
to determine whether to serve the client request. That is all.

2) Each authentication scheme may only have one helper queried. Its
answer is absolute regarding the validity of the credentials sent to it.


Since you decided to write your own authentication system {check
against A, if ERR check against B} you also need to write a helper
that can do the authentication using that system logic.

Amos
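
One way to write the kind of helper described above (an added example, not code from the original message or from the Squid project): it starts both backend helpers from the quoted configuration, sends each credentials line to LDAP first and to NCSA only when the reply is not OK, and fails closed if a backend dies. The `Chain` class name is an assumption, and the code assumes Squid runs the helper without concurrency channel IDs.

```python
"""Chained Squid basic-auth helper: ask each backend helper in order."""
import subprocess
import sys

# Backend command lines taken from the configuration quoted above.
BACKENDS = [
    ["/usr/lib/squid3/basic_ldap_auth", "-R", "-b", "dc=COMPANY,dc=int",
     "-D", "squid@company.int", "-W", "/etc/squid3/ldappass.txt",
     "-f", "sAMAccountName=%s", "-h", "ldap.company.int"],
    ["/usr/lib/squid3/basic_ncsa_auth", "/etc/squid3/passwd"],
]


class Chain:
    def __init__(self, commands):
        self.children = [  # one long-lived child per backend, line-buffered
            subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                             text=True, bufsize=1)
            for cmd in commands
        ]

    def check(self, line):
        """Return 'OK' if any backend accepts the 'user password' line."""
        for child in self.children:
            try:
                child.stdin.write(line + "\n")
                child.stdin.flush()
                reply = child.stdout.readline()
            except OSError:
                reply = ""  # dead backend: fail closed, try the next one
            if reply.split()[:1] == ["OK"]:  # anything else counts as a reject
                return "OK"
        return "ERR"

    def close(self):
        for child in self.children:
            try:
                child.stdin.close()
            except OSError:
                pass  # pipe already broken; nothing left to flush
            child.wait()


if __name__ == "__main__":
    chain = Chain(BACKENDS)
    for request in sys.stdin:  # Squid expects one reply line per request line
        sys.stdout.write(chain.check(request.rstrip("\n")) + "\n")
        sys.stdout.flush()
    chain.close()
```

With this in place, squid.conf needs a single `auth_param basic program` line pointing at the script. Note that a username present in both stores is accepted with either store's password, so the two user sets should be kept disjoint.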
