Anonymous LDAP binding with LDAP AUTH ?


Frank Bonnet
Hello

I've read the wiki about Squid and LDAP AUTH but in the examples
it seems it is necessary to write a user LDAP passwd in the
command line.

Is there a possibility to use the anonymous LDAP binding method to let
users authenticate ?

auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=yourcompany,dc=com" -D
uid=some-user,ou=People,dc=yourcompany,dc=com  -w password -f uid=%s ldap.yourcompany.com
^^^^^^^^^^^^^                                    ^^^^^^^^^


Thank you
--

Cordially
Frank Bonnet
// Machines MUST help //

Re: Anonymous LDAP binding with LDAP AUTH ?

Henrik Nordström
Tue 2007-05-15 at 14:40 +0200, Frank Bonnet wrote:
> Hello
>
> I've read the wiki about Squid and LDAP AUTH but in the examples
> it seems it is necessary to write a user LDAP passwd in the
> command line.

Only if anonymous binding does not allow searches..

> Is there a possibility to use the anonymous LDAP binding method to let
> users authenticate ?

Sure, just don't specify the bind DN (-D option, and its related -w
option).

Regards
Henrik


Re: Anonymous LDAP binding with LDAP AUTH ?

Pat Riehecky
In reply to this post by Frank Bonnet
This section works perfectly at my site

auth_param basic program /usr/lib/squid/ldap_auth
-bou=People,dc=iwu,dc=edu -f "(&(ProxyAccess=yes)(uid=%s))"
ldap.domain.tld:389

It binds as the user doing the login so no passwords need to be
recorded.

Pat


On Tue, 2007-05-15 at 14:40 +0200, Frank Bonnet wrote:

> Hello
>
> I've read the wiki about Squid and LDAP AUTH but in the examples
> it seems it is necessary to write a user LDAP passwd in the
> command line.
>
> Is there a possibility to use the anonymous LDAP binding method to let
> users authenticate ?
>
> auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=yourcompany,dc=com" -D
> uid=some-user,ou=People,dc=yourcompany,dc=com  -w password -f uid=%s ldap.yourcompany.com
> ^^^^^^^^^^^^^                                    ^^^^^^^^^
>
>
> Thank you
> --
>
> Cordially
> Frank Bonnet
> // Machines MUST help //
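
An added illustration (not code from this thread or from Squid) of the search-then-bind flow these configurations rely on: an anonymous search with the -f filter finds the user's DN, then a bind as that DN checks the password. The directory, `fake_search` and `fake_bind` are constructed stand-ins, and the example assumes URL-escaped "username password" request lines; it shows two checks worth confirming in such a setup, escaping the login before it enters the filter and refusing empty passwords.

```python
import re
from urllib.parse import unquote

# RFC 4515: characters that must be escaped inside a filter assertion value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def build_filter(template, login):
    """Expand %s in an -f style template with the login as a literal value."""
    return template.replace("%s", "".join(ESCAPES.get(c, c) for c in login))

def authenticate(line, template, search, bind):
    """Handle one 'username password' helper request; return 'OK' or 'ERR'.

    search(filter) -> list of DNs and bind(dn, password) -> bool are
    hypothetical callables standing in for the real LDAP operations.
    """
    user, _, password = line.rstrip("\r\n").partition(" ")
    user, password = unquote(user), unquote(password)
    if not user or not password:
        # DN plus empty password is an "unauthenticated bind" (RFC 4513,
        # section 5.1.2); a server may report success for it.
        return "ERR"
    found = search(build_filter(template, user))    # anonymous search
    if len(found) != 1:                             # unknown or ambiguous
        return "ERR"
    return "OK" if bind(found[0], password) else "ERR"  # bind as the user

# Constructed directory standing in for ou=People; passwords are samples.
PEOPLE = {
    "uid=alice,ou=People,dc=example,dc=com": ("alice", "yes", "s3cret"),
    "uid=bob,ou=People,dc=example,dc=com": ("bob", "no", "hunter2"),
}

def fake_search(flt):
    """Evaluate (&(ProxyAccess=..)(uid=..)); an unescaped * is a wildcard."""
    want = dict(re.findall(r"\((\w+)=([^()]*)\)", flt))
    def glob(pattern, actual):
        parts = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})",
                                  lambda m: chr(int(m.group(1), 16)), p))
                 for p in pattern.split("*")]
        return re.fullmatch(".*".join(parts), actual) is not None
    return [dn for dn, (uid, access, _) in PEOPLE.items()
            if glob(want["uid"], uid) and glob(want["ProxyAccess"], access)]

def fake_bind(dn, password):
    # Mimics a permissive server: an empty password "succeeds".
    return password == "" or PEOPLE[dn][2] == password

FILTER = "(&(ProxyAccess=yes)(uid=%s))"
```

Because authorization lives in the filter, bob is rejected even with his correct password: the search returns no entry for him, so no bind is attempted.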


Re: Anonymous LDAP binding with LDAP AUTH ?

Frank Bonnet
In reply to this post by Henrik Nordström
Henrik Nordstrom wrote:
> Tue 2007-05-15 at 14:40 +0200, Frank Bonnet wrote:
>> Hello
>>
>> I've read the wiki about Squid and LDAP AUTH but in the examples
>> it seems it is necessary to write a user LDAP passwd in the
>> command line.
>
> Only if anonymous binding does not allow searches..

yes of course :-)

>
>> Is there a possibility to use the anonymous LDAP binding method to let
>> users authenticate ?
>
> Sure, just don't specify the bind DN (-D option, and its related -w
> option).

OK thank you

--
Cordially
Frank Bonnet
// Machines MUST help //

Re: Anonymous LDAP binding with LDAP AUTH ?

Frank Bonnet
In reply to this post by Pat Riehecky
Pat Riehecky wrote:
> This section works perfectly at my site
>
> auth_param basic program /usr/lib/squid/ldap_auth
> -bou=People,dc=iwu,dc=edu -f "(&(ProxyAccess=yes)(uid=%s))"
> ldap.domain.tld:389
>
>

well thank you, this one works for me

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b
ou=People,dc=esiee,dc=fr -f uid=%s ldap.esiee.fr

--
Cordially
Frank Bonnet
// Machines MUST help //

Re: Anonymous LDAP binding with LDAP AUTH ?

Slacker-4
In reply to this post by Henrik Nordström
Henrik Nordstrom, on 05/15/2007 05:55 PM [GMT+500], wrote :
> Sure, just don't specify the bind DN (-D option, and its related -w
> option).
>
>
>  
Thanks, squidLDAP wiki has also been updated with this.

LDAP ProxyAccess field (was: Re: [squid-users] Anonymous LDAP binding with LDAP AUTH ?)

Felipe Augusto van de Wiel
In reply to this post by Pat Riehecky
Hi Pat, squid-users,

On 05/15/2007 09:55 AM, Pat Riehecky wrote:
> This section works perfectly at my site
>
> auth_param basic program /usr/lib/squid/ldap_auth
> -bou=People,dc=iwu,dc=edu -f "(&(ProxyAccess=yes)(uid=%s))"
> ldap.domain.tld:389

        Are you using ProxyAccess attribute from RedHat (or
Fedora) schema? Or did you manage to implement it in another
way?

        I tried to find it but I only got information and
schemas related to RedHat and Fedora schema (and Fedora Directory
Server).


        Kind regards,

--
Felipe Augusto van de Wiel <[hidden email]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)

Re: LDAP ProxyAccess field (was: Re: [squid-users] Anonymous LDAP binding with LDAP AUTH ?)

Pat Riehecky
The ProxyAccess attribute is something I have home-made and loaded into
my schema.  It was left in the sample to provide a way of testing
against some type of attribute to validate this user has authorization
to use the service as well as a valid password for an existing account
(Squid has the AAA framework internally; it would be a shame to disrupt it
for access rights).

If you find this curious, here is a good doc on the subject of
extending the LDAP schema:
http://www.openldap.org/doc/admin23/schema.html

Pat


On Tue, 2007-05-15 at 11:56 -0300, Felipe Augusto van de Wiel wrote:

> Hi Pat, squid-users,
>
> On 05/15/2007 09:55 AM, Pat Riehecky wrote:
> > This section works perfectly at my site
> >
> > auth_param basic program /usr/lib/squid/ldap_auth
> > -bou=People,dc=iwu,dc=edu -f "(&(ProxyAccess=yes)(uid=%s))"
> > ldap.domain.tld:389
>
> Are you using ProxyAccess attribute from RedHat (or
> Fedora) schema? Or did you manage to implement it in another
> way?
>
> I tried to find it but I only got information and
> schemas related to RedHat and Fedora schema (and Fedora Directory
> Server).
>
>
> Kind regards,
>
> --
> Felipe Augusto van de Wiel <[hidden email]>
> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
> http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)