Hello

I've read the wiki about Squid and LDAP AUTH but in the examples it seems it is necessary to write a user LDAP passwd in the command line. Is there a possibility to use the anonymous LDAP binding method to let users authenticate?

auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=yourcompany,dc=com" -D
uid=some-user,ou=People,dc=yourcompany,dc=com -w password -f uid=%s ldap.yourcompany.com
^^^^^^^^^^^^^                                 ^^^^^^^^^

Thank you
--
Cordialement
Frank Bonnet
// Machines MUST help //
Tue 2007-05-15 at 14:40 +0200, Frank Bonnet wrote:
> Hello
>
> I've read the wiki about Squid and LDAP AUTH but in the examples
> it seems it is necessary to write a user LDAP passwd in the
> command line.

Only if anonymous binding does not allow searches..

> Is there a possibility to use the anonymous LDAP binding method to let
> users authenticate?

Sure, just don't specify the bind DN (-D option, and its related -w option).

Regards
Henrik
In reply to this post by Frank Bonnet
This section works perfectly at my site:

auth_param basic program /usr/lib/squid/ldap_auth -bou=People,dc=iwu,dc=edu -f "(&(ProxyAccess=yes)(uid=%s))" ldap.domain.tld:389

It binds as the user doing the login so no passwords need to be recorded.

Pat

On Tue, 2007-05-15 at 14:40 +0200, Frank Bonnet wrote:
> Hello
>
> I've read the wiki about Squid and LDAP AUTH but in the examples
> it seems it is necessary to write a user LDAP passwd in the
> command line.
>
> Is there a possibility to use the anonymous LDAP binding method to let
> users authenticate?
>
> auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=yourcompany,dc=com" -D
> uid=some-user,ou=People,dc=yourcompany,dc=com -w password -f uid=%s ldap.yourcompany.com
> ^^^^^^^^^^^^^                                 ^^^^^^^^^
>
> Thank you
> --
> Cordialement
> Frank Bonnet
> // Machines MUST help //
In reply to this post by Henrik Nordström
Henrik Nordstrom wrote:
> Tue 2007-05-15 at 14:40 +0200, Frank Bonnet wrote:
>> Hello
>>
>> I've read the wiki about Squid and LDAP AUTH but in the examples
>> it seems it is necessary to write a user LDAP passwd in the
>> command line.
>
> Only if anonymous binding does not allow searches..

yes of course :-)

>> Is there a possibility to use the anonymous LDAP binding method to let
>> users authenticate?
>
> Sure, just don't specify the bind DN (-D option, and its related -w
> option).

OK, thank you
--
Cordialement
Frank Bonnet
// Machines MUST help //
In reply to this post by Pat Riehecky
Pat Riehecky wrote:
> This section works perfectly at my site
>
> auth_param basic program /usr/lib/squid/ldap_auth
> -bou=People,dc=iwu,dc=edu -f "(&(ProxyAccess=yes)(uid=%s))"
> ldap.domain.tld:389

Well, thank you, this one works for me:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b ou=People,dc=esiee,dc=fr -f uid=%s ldap.esiee.fr
--
Cordialement
Frank Bonnet
// Machines MUST help //
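Pat's and Frank's configurations above both run squid_ldap_auth with only -b and -f: the helper searches the directory anonymously for the entry matching the filter, then binds as that DN with the password the user typed, so no service credential has to live in squid.conf. The script below is an added example that walks through that flow; it is not squid_ldap_auth's own source. It replaces the LDAP server with a constructed in-memory directory (the DNs, users, passwords and the ProxyAccess values are made up) so it runs offline; a real helper would put python-ldap or ldap3 calls behind the same "search" and "bind" methods. It goes a little beyond the thread: it accepts both filter shapes posted (Pat's "(&(ProxyAccess=yes)(uid=%s))", which also enforces authorization, and Frank's bare "uid=%s"), escapes the username per RFC 4515 before substituting it for %s so a crafted login name cannot rewrite the filter, and refuses an empty password before binding, because some LDAP servers treat a bind with an empty password as an anonymous bind that succeeds (RFC 4513 section 5.1.2). It also speaks Squid's basic helper protocol on stdin and stdout: one "username password" line per request, both fields URL-encoded, answered with OK or ERR.

```python
"""Search-then-bind flow of a Squid basic-auth helper run with -b BASE -f FILTER and
no -D/-w: an anonymous search locates the user's DN, then the helper binds as that DN
with the password the browser sent.  Added example (not squid_ldap_auth's source); the
LDAP server is a constructed in-memory stand-in so the code runs offline."""
import sys
from urllib.parse import unquote

# Constructed sample directory (assumption): DN -> attributes.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com":
        {"uid": "alice", "ProxyAccess": "yes", "userPassword": "s3cret"},
    "uid=bob,ou=People,dc=example,dc=com":
        {"uid": "bob", "ProxyAccess": "no", "userPassword": "hunter2"},
    "uid=carol,ou=People,dc=example,dc=com":
        {"uid": "carol", "userPassword": "pw"},
}

def escape_filter_value(value):
    """RFC 4515 escaping so 'x)(uid=y' stays a literal value inside the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(template, username):
    """Substitute %s as the -f option does, escaping the username first."""
    return template.replace("%s", escape_filter_value(username))

def _unescape(value):
    out, i = [], 0
    while i < len(value):
        esc = value[i] == "\\" and i + 2 < len(value)
        out.append(chr(int(value[i + 1:i + 3], 16)) if esc else value[i])
        i += 3 if esc else 1
    return "".join(out)

def _parse(filt, i):
    """Minimal RFC 4515 parser: '&', '|' and equality only, no wildcards."""
    i += 1                                   # skip '('
    if filt[i] in "&|":
        op, i, kids = filt[i], i + 1, []
        while filt[i] == "(":
            node, i = _parse(filt, i)
            kids.append(node)
        return (op, kids), i + 1             # skip ')'
    end = filt.index(")", i)
    attr, _, val = filt[i:end].partition("=")
    return ("eq", attr.lower(), _unescape(val)), end + 1

def _match(node, entry):
    if node[0] == "eq":                      # caseIgnoreMatch semantics
        have = entry.get(node[1])
        return have is not None and have.lower() == node[2].lower()
    combine = all if node[0] == "&" else any
    return combine(_match(k, entry) for k in node[1])

class InMemoryDirectory:
    """Stand-in for the LDAP server; just the two calls the helper needs."""
    def __init__(self, entries):
        self.entries = {dn: {k.lower(): v for k, v in e.items()}
                        for dn, e in entries.items()}

    def search(self, base, filt):
        if not filt.startswith("("):         # libldap accepts 'uid=%s' without parens
            filt = "(" + filt + ")"
        node, _ = _parse(filt, 0)
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base.lower()) and _match(node, e)]

    def bind(self, dn, password):
        if password == "":                   # some servers treat this as an anonymous
            return True                      # (unauthenticated) bind, RFC 4513 s5.1.2
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userpassword") == password

def authenticate(directory, base, filter_template, username, password):
    """Returns (ok, detail).  Empty credentials are refused before any bind,
    otherwise the server's lenient empty-password bind would look like success."""
    if not username or not password:
        return (False, "empty credentials")
    dns = directory.search(base, build_filter(filter_template, username))
    if len(dns) != 1:                        # unknown user, or filter matched several
        return (False, "user not found or ambiguous")
    if not directory.bind(dns[0], password):
        return (False, "bad password")
    return (True, dns[0])

def helper_response(directory, base, filter_template, line):
    """One request line from Squid: 'username password', both URL-encoded."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR malformed request"
    ok, detail = authenticate(directory, base, filter_template,
                              unquote(parts[0]), unquote(parts[1]))
    return "OK" if ok else "ERR " + detail

if __name__ == "__main__":                   # drive it the way Squid does: stdin -> stdout
    directory = InMemoryDirectory(SAMPLE_DIRECTORY)
    for request in sys.stdin:
        print(helper_response(directory, "ou=People,dc=example,dc=com",
                              "(&(ProxyAccess=yes)(uid=%s))", request), flush=True)
```

Feed it "alice s3cret" on stdin and it answers OK; bob, whose entry has ProxyAccess=no, gets ERR even with the right password, which is the authorization-in-the-filter trick Pat describes. A login name of "alice)(uid=bob" is escaped to "alice\29\28uid=bob" and simply matches nothing.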
In reply to this post by Henrik Nordström
Henrik Nordstrom, on 05/15/2007 05:55 PM [GMT+500], wrote:
> Sure, just don't specify the bind DN (-D option, and its related -w
> option).

Thanks, the squidLDAP wiki has also been updated with this.
In reply to this post by Pat Riehecky
Hi Pat, squid-users,

On 05/15/2007 09:55 AM, Pat Riehecky wrote:
> This section works perfectly at my site
>
> auth_param basic program /usr/lib/squid/ldap_auth
> -bou=People,dc=iwu,dc=edu -f "(&(ProxyAccess=yes)(uid=%s))"
> ldap.domain.tld:389

Are you using the ProxyAccess attribute from the RedHat (or Fedora) schema? Or did you manage to implement it in another way?

I tried to find it but I only got information and schemas related to the RedHat and Fedora schema (and Fedora Directory Server).

Kind regards,
--
Felipe Augusto van de Wiel <[hidden email]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
The ProxyAccess attribute is something I have home-made and loaded into my schema. It was left in the sample to provide a way of testing against some type of attribute to validate that this user has authorization to use the service as well as a valid password for an existing account (Squid has the AAA framework internally; it would be a shame to disrupt it for access rights).

If you find this curious, here is a good doc on the subject of extending the LDAP schema:
http://www.openldap.org/doc/admin23/schema.html

Pat

On Tue, 2007-05-15 at 11:56 -0300, Felipe Augusto van de Wiel wrote:
> Hi Pat, squid-users,
>
> On 05/15/2007 09:55 AM, Pat Riehecky wrote:
> > This section works perfectly at my site
> >
> > auth_param basic program /usr/lib/squid/ldap_auth
> > -bou=People,dc=iwu,dc=edu -f "(&(ProxyAccess=yes)(uid=%s))"
> > ldap.domain.tld:389
>
> Are you using the ProxyAccess attribute from the RedHat (or
> Fedora) schema? Or did you manage to implement it in another
> way?
>
> I tried to find it but I only got information and
> schemas related to the RedHat and Fedora schema (and Fedora Directory
> Server).
>
> Kind regards,
> --
> Felipe Augusto van de Wiel <[hidden email]>
> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
> http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)