Greetings,

I've been trying to configure LDAP authentication to our proxy (CentOS 6.5) but 
have been unable to establish a connection with basic_ldap_auth. Following 
various online guides, I've configured Squid with the following options and it 
appears to be working as expected, with the exception of authentication.

Squid Cache: Version 3.4.8
configure options:  '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' 
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' 
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' 
'--libexecdir=/usr/lib/squid' '--sharedstatedir=/var/lib' 
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' 
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' 
'--enable-follow-x-forwarded-for' '--enable-auth' 
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' 
'--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' 
'--enable-auth-negotiate=kerberos,wrapper' 
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' 
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
'--enable-ident-lookups' '--enable-linux-netfilter' 
'--enable-removal-policies=heap,lru' '--enable-snmp' 
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' 
'--enable-ssl' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' 
'--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' 
'--with-openssl' '--with-pthreads' '--with-included-ltdl' 
'--disable-arch-native' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' 
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig' 
'--enable-ltdlconvenience' '--with-ldap=yes' '--enable-debug-cbdata' 
--enable-ltdl-convenience

We have a 389 Directory Server (CentOS 6.5) with a very basic configuration, 
which also appears to work correctly. From the proxy host, we can successfully 
query the directory.

ldapsearch -LLLx -h ldap01 -p 389 -D 'cn=directory manager' -w {password} -b 
"ou=People,dc=ourdomain,dc=com"

results in

dn: uid=myusername,ou=People,dc=ourdomain,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Name
givenName: First
uid: myusername
uidNumber: 556
gidNumber: 660
cn: First Name
homeDirectory: /home/myusername
mail: myusern...@ourdomain.com
loginShell: /bin/tcsh
gecos: First Name
shadowLastChange: -1
shadowMin: -1
shadowMax: -1
shadowWarning: 7
userPassword:: e1NTBOR42203QmNGayx2VjcydAycFdminZNQk5YlNqYhxRGc9PQ=
 =

However, testing connectivity using the authentication module and the following 
arguments appears to yield a hang, necessitating a Ctrl-C exit.

/usr/lib64/squid/basic_ldap_auth -v 3 -b ou=People,dc=ourdomain,dc=com -D 
'cn=directory manager' -w {password} -h ldap01 -Z

Attempting the same with digest_ldap_auth doesn't cause a hang, but instead 
displays the usage instructions.

/usr/lib64/squid/digest_ldap_auth -v 3 -b ou=People,dc=ourdomain,dc=com -D 
'cn=directory manager' -w {password} -h ldap01 -Z

Modifying the arguments as below causes a hang.

/usr/lib64/squid/digest_ldap_auth -b ou=People,dc=ourdomain,dc=com -A 
"cn=userPassword" -F "%s=uid" -D 'cn=directory manager' -w {password} -h 
ldap01 -Z

Can somebody point me in the direction of the logs to be looking at to 
determine what could be wrong, or suggest some troubleshooting steps? The 
access log on the directory server suggests the authentication module isn't 
able to communicate when ldapsearch can, so I suspect my arguments are 
incorrect. I'd appreciate any tips.

Thanks.



_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
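An added example, not part of the post above or of Squid's own code: Squid 3.x basic authentication helpers such as basic_ldap_auth do not touch the directory when they start. They block reading one "user password" request line per credential on stdin (both fields rfc1738/percent-encoded, which is why a password containing a space arrives as %20) and answer each on stdout with OK, ERR or BH. Run from a terminal with no input, the helper therefore sits waiting for a line, which looks exactly like a hang. The driver below sends one request line with a timeout, so a helper that is merely waiting for stdin and a helper that is genuinely blocked after reading it (typically in the LDAP connection or bind) give different results; adding the helper's -d flag puts its debug trace on stderr, which the driver also captures. Two things in the transcript are worth checking with it: the ldapsearch on the page was run without StartTLS while both helper invocations pass -Z, so that comparison does not confirm the directory's TLS side (ldapsearch -ZZ would), and the bind password is passed with -w on the command line where it is visible in the process list; basic_ldap_auth also accepts -W <file> to read it from a file. The fake helper, the user table and the "correct horse" password are constructed for offline testing; the script name drive_helper.py and the /etc/squid/ldap_bind.secret path in the usage comment are assumptions.

```python
#!/usr/bin/env python3
"""Drive a Squid basic-auth helper the way Squid itself does.

Squid 3.x basic helpers (basic_ldap_auth among them) read one
"<user> <password>\n" request per credential from stdin, both fields
rfc1738/percent-encoded, and reply "OK", "ERR ..." or "BH ..." on stdout.
Sending exactly one such line with a timeout separates "waiting for
stdin" from "blocked inside the LDAP connection".
"""
import getpass
import subprocess
import sys
import urllib.parse

# Constructed stand-in for basic_ldap_auth, for offline testing only: it
# speaks the same stdin/stdout protocol against a fixed user table.
FAKE_HELPER = r"""
import sys, urllib.parse
VALID = {"myusername": "correct horse"}   # constructed test credentials
for line in sys.stdin:
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        print("ERR malformed request", flush=True)
        continue
    user, password = (urllib.parse.unquote(p) for p in parts)
    print("OK" if VALID.get(user) == password else "ERR", flush=True)
"""


def fake_helper_cmd() -> list:
    """Command line running the constructed fake helper."""
    return [sys.executable, "-c", FAKE_HELPER]


def blocked_helper_cmd() -> list:
    """Constructed helper that never answers (a helper stuck in its LDAP connect/bind)."""
    return [sys.executable, "-c", "import time; time.sleep(30)"]


def encode_credential_line(user: str, password: str) -> str:
    """Build the request line Squid writes to a basic helper.

    Squid passes both fields through rfc1738_escape, so a space becomes
    %20 and the helper percent-decodes it.  urllib's quote() is a close
    approximation; any extra escaping is harmless because the helper
    decodes every %XX sequence it receives.
    """
    return "%s %s\n" % (urllib.parse.quote(user, safe=""),
                        urllib.parse.quote(password, safe=""))


def check_credentials(helper_cmd, user: str, password: str, timeout: float = 10.0):
    """Send one credential to the helper and classify its reply.

    Returns (verdict, detail).  verdict is "OK", "ERR" or "BH" (a real
    helper reply), "TIMEOUT" (nothing within `timeout` seconds: the helper
    consumed stdin and is blocked, usually on the directory), "NOREPLY"
    (helper exited without answering) or "UNEXPECTED" (output that is not
    a helper reply, e.g. a usage message).  detail is the first output line.
    """
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                            text=True)
    try:
        # communicate() closes stdin after writing, so the helper sees EOF
        # and exits once it has answered (Squid itself keeps stdin open).
        out, err = proc.communicate(encode_credential_line(user, password),
                                    timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.communicate()
        return "TIMEOUT", "no reply within %.1fs" % timeout
    lines = [ln for ln in (out + err).splitlines() if ln.strip()]
    if not lines:
        return "NOREPLY", "exit status %d" % proc.returncode
    first = lines[0]
    token = first.split(" ", 1)[0]
    if token in ("OK", "ERR", "BH"):
        return token, first
    return "UNEXPECTED", first


if __name__ == "__main__":
    # Example (assumed paths):
    #   drive_helper.py /usr/lib64/squid/basic_ldap_auth -v 3 -b ou=People,dc=ourdomain,dc=com \
    #       -D 'cn=directory manager' -W /etc/squid/ldap_bind.secret -h ldap01 -Z -d
    if len(sys.argv) < 2:
        sys.exit("usage: %s <helper command and its arguments>" % sys.argv[0])
    user = input("username: ")
    password = getpass.getpass("password: ")  # keeps the test password out of argv and shell history
    verdict, detail = check_credentials(sys.argv[1:], user, password)
    print(verdict, "-", detail)
```

A TIMEOUT from the driver is the interesting result: it means the helper read the request and then blocked, which points at the directory connection (the -Z StartTLS negotiation or the bind) rather than at the helper's command-line parsing. UNEXPECTED with a usage line in `detail` means the helper rejected its arguments before reading anything, which is what the page's first digest_ldap_auth invocation shows.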
