Hi All,

I'm wondering if anyone can help me with the following issue I'm having getting various non-domain devices (mainly tablets, but some non-domain Windows and Apple Mac computers) working with the basic_ldap_auth helper. I've had a good search of the mailing list, as well as a huge trawl of the internet, but I cannot get the helper to work within squid, and all information points to the fact that I've got the command set up as it should be.

Testing on the command line works perfectly, with the helper returning the correct information. As soon as I attempt to do the same through squid, it fails, returning technically nothing. I've even attempted different versions, from 3.2 right through to the latest 3.5, just in case there was a bug with one of the builds on the helper. All have the same result.

In production, I've got the proxy working with domain devices via Kerberos authentication perfectly, but the basic LDAP authentication fails. So I've got a development system where the config has been stripped right back to check the LDAP authentication, and the results are the same, so I know that I'm not having problems with any other authentication method failover.

If I put the following line on the CLI, then a domain username and password, everything returns normally:

/usr/lib64/squid/basic_ldap_auth -d -v 3 -R -b "dc=domain,dc=com" -D "CN=KerbAuth,OU=ServiceAccounts,DC=domain,DC=com" -W /etc/squid/kerbauth -f sAMAccountName=%s -u uid -h windows2012r2.domain.com

Output:

ctest ctest3
basic_ldap_auth.cc(684): pid=20130 :user filter 'sAMAccountName=ctest', searchbase 'dc=domain,dc=com'
basic_ldap_auth.cc(739): pid=20130 :attempting to authenticate user 'CN=Test User,OU=Dept1,OU=Dept2,OU=Dept3,OU=Dept4,OU=Company,DC=domain,DC=com'
OK

However, when used within the squid.conf file, when a user attempts to authenticate, the output in the cache.log is this:

basic_ldap_auth.cc(684): pid=20006 :user filter 'sAMAccountName=0', searchbase 'dc=domain,dc=com'
basic_ldap_auth.cc(706): pid=20006 :Ldap search returned nothing

I'm at a complete loss as to what to do next. If there is any further information that I can provide, I would be more than happy to provide it.

Cheers,
Monty

OS: Centos 6.6

Squid.conf file:

dns_v4_first on
dns_nameservers 10.7.128.21 10.7.128.22
negative_dns_ttl 5 minutes
forwarded_for delete
via off
cache_replacement_policy heap LFUDA
cache_swap_low 90
cache_swap_high 95
cache_dir aufs /cache 8192 16 256
cache_mem 256 MB
memory_pools on
maximum_object_size_in_memory 10 MB
maximum_object_size 50 MB
logfile_rotate 10
quick_abort_min 16 KB
quick_abort_max 16 KB
log_icp_queries off
client_db off
buffered_logs on
/usr/lib64/squid/basic_ldap_auth -d -v 3 -R -b "dc=domain,dc=com" -D "CN=KerbAuth,OU=ServiceAccounts,DC=domain,DC=com" -W /etc/squid/kerbauth -f sAMAccountName=%s -u uid -h windows2012r2.domain.com
auth_param basic children 80 startup=20 idle=10 concurrency=2
auth_param basic credentialsttl 5 hours
cache_peer 10.0.100.192 parent 8080 3130 no-query
cache_effective_user squid
cache_effective_group squid
visible_hostname Domain-Cache
acl SSL method CONNECT
acl SSL_ports port 443
acl SSL_ports port 1494 # Citrix XenApp
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 # https
acl Safe_ports port 1494 # Citrix XenApp
acl Safe_ports port 70 # ftp
acl Safe_ports port 210 # https
acl Safe_ports port 1025-65535 # gopher
acl Safe_ports port 280 # wais
acl Safe_ports port 488 # unregistered ports
acl Safe_ports port 591 # http-mgmt
acl Safe_ports port 777 # gss-http
acl Safe_ports port 143 # IMAP
acl Safe_ports port 993 # IMAP over SSL
acl Safe_ports port 82
acl GLOW_SMTP port 587
acl GLOW_IMAP port 993
acl CONNECT method CONNECT # filemaker
acl goodusers proxy_auth REQUIRED
deny_info ERR_BANNED badusers
http_access allow manager localhost
http_access deny all !goodusers
http_access allow all goodusers
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_port 3128
redirector_bypass off
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
delay_pools 0
access_log stdio:/var/log/squid/access.log

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
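
The cache.log excerpt in the post shows the search filter built from '0' instead of the username. The following is an added example, not part of the original post and not Squid's own code: it models the request line Squid writes to a basic auth helper, which gains a leading numeric channel-ID field when `concurrency=` is 1 or higher, and shows what a helper that treats the first token as the username makes of it. Function names and sample credentials are constructed; the filter template is the `-f` value from the post.

```python
# Added example: models Squid's basic-auth helper request line (not Squid source code).
from urllib.parse import quote, unquote

FILTER_TEMPLATE = "sAMAccountName=%s"  # the -f value from the post


def squid_request_line(user, password, concurrency, channel=0):
    """Line written to the helper's stdin: "[channel-ID ]user password".

    The channel-ID field is present only when concurrency >= 1.
    quote() approximates Squid's URL-escaping of both fields.
    """
    fields = [quote(user, safe=""), quote(password, safe="")]
    if concurrency > 0:
        fields.insert(0, str(channel))
    return " ".join(fields) + "\n"


def parse_without_channel(line):
    """Helper with no channel-ID support: first token is the user."""
    user, _, password = line.rstrip("\r\n").partition(" ")
    return unquote(user), unquote(password)


def parse_with_channel(line):
    """Concurrency-aware helper: strip the numeric channel-ID first."""
    channel, _, rest = line.rstrip("\r\n").partition(" ")
    if not channel.isdigit():
        raise ValueError("expected a numeric channel-ID as the first field")
    return (int(channel),) + parse_without_channel(rest)


def escape_filter_value(value):
    """Escape LDAP filter metacharacters (RFC 4515) before substitution."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def search_filter(line, channel_aware):
    """Filter a helper would send to LDAP for one request line."""
    user = parse_with_channel(line)[1] if channel_aware else parse_without_channel(line)[0]
    return FILTER_TEMPLATE.replace("%s", escape_filter_value(user))


if __name__ == "__main__":
    for n in (0, 2):  # constructed credentials, matching the post's CLI test
        line = squid_request_line("ctest", "ctest3", concurrency=n)
        print(n, repr(line), search_filter(line, channel_aware=False))
```

Under this model the `concurrency=2` on the posted `auth_param basic children` line accounts for the `'sAMAccountName=0'` filter, while the command-line test, which sends no channel-ID, yields `'sAMAccountName=ctest'`. A helper without channel-ID support needs `concurrency=0` so that the prefix is not sent.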