[squid-users] LDAP Auth Problem

From: Jayson Henkel <jhenkel@dont-contact.us>
Date: Fri, 14 May 2004 10:35:52 -0600

Not sure if the first one didn't get through or not so I apologize for
the repost. This issue has me baffled:

I am attempting to use LDAP authentication for Squid.

I have configured the plugin as follows:

auth_param basic program /usr/lib/squid/ldap_auth -b
ou=people,dc=sterlingcrane,dc=ca -H ldaps://ldap.sterlingcrane.ca -v 3
-s sub -f (&(objectclass=account) (uid=%s))

I have verified that it works from the command line, having submitted
multiple username and password pairs and getting the OK response.

My entire auth_param section looks like this:

auth_param basic program /usr/lib/squid/ldap_auth -b
ou=people,dc=sterlingcrane,dc=ca -H ldaps://ldap.sterlingcrane.ca -v 3
-s sub -f (&(objectclass=account) (uid=%s))
auth_param basic realm Sterling Crane Internet Login
auth_param basic children 10
auth_param basic credentialsttl 2 hours
acl authed proxy_auth REQUIRED
http_access allow authed
http_access deny all

Monitoring cache.log all I see is
Unable to connect to LDAPURI:ldaps://ldap.sterlingcrane.ca (uid=%s))
2004/05/13 09:34:12| WARNING: basicauthenticator #3 (FD 13) exited
Unable to connect to LDAPURI:ldaps://ldap.sterlingcrane.ca (uid=%s))
2004/05/13 09:39:36| WARNING: basicauthenticator #3 (FD 14) exited

I am using
Squid Cache: Version 2.5.STABLE5
configure options: --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin
--sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc
--localstatedir=/var/spool/squid --datadir=/usr/share/squid
--enable-async-io --with-pthreads --enable-storeio=ufs,aufs,diskd,null
--enable-linux-netfilter --enable-arp-acl
--enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools
--enable-htcp --enable-poll --enable-cache-digests --enable-underscores
--enable-referer-log --enable-useragent-log
--enable-auth=basic,digest,ntlm i386-debian-linux

I've watched the ldap transactions when using the ldap_auth from the
command line and can see the transaction. However, I don't believe the
plugin is getting executed properly from within squid because I never
seem to see equivalent action when trying to login to the
browser.(Galeon)

I did set the debugging options to ALL,9
which produced this:

2004/05/12 16:39:34| aclMatchAclList: checking localhost
2004/05/12 16:39:34| aclMatchAcl: checking 'acl localhost src
127.0.0.1/255.255.255.255'
2004/05/12 16:39:34| aclMatchIp: '192.168.100.25' NOT found
2004/05/12 16:39:34| aclMatchAclList: no match, returning 0
2004/05/12 16:39:34| cbdataLock: 0x8246e28
2004/05/12 16:39:34| cbdataUnlock: 0x8246bb0
2004/05/12 16:39:34| cbdataValid: 0x8246e28
2004/05/12 16:39:34| aclCheck: checking 'http_access allow authed'
2004/05/12 16:39:34| aclMatchAclList: checking authed
2004/05/12 16:39:34| aclMatchAcl: checking 'acl authed proxy_auth
REQUIRED'
2004/05/12 16:39:34| authenticateAuthenticate: header Basic
amhlbmtlbDpGdWhyMzE=.
2004/05/12 16:39:34| authenticateAuthenticate: This is a new checklist
test on FD:26
2004/05/12 16:39:34| authenticateAuthenticate: no connection
authentication type
2004/05/12 16:39:34| authenticateAuthUserRequestLock auth_user request
'0x8507e48'.
2004/05/12 16:39:34| authenticateAuthUserRequestLock auth_user request
'0x8507e48' now at '1'.
2004/05/12 16:39:34| authenticateDecodeAuth: header = 'Basic
amhlbmtlbDpGdWhyMzE='
2004/05/12 16:39:34| authenticateBasicDecodeAuth: cleartext =
'Username:Password'
2004/05/12 16:39:34| authBasicAuthUserFindUsername: Looking for user
'Username'
2004/05/12 16:39:34| authBasicDecodeAuth: Found user 'Username' in the
user cache as '0x8507e90'
2004/05/12 16:39:34| authBasicDecodeAuth: last attempt to authenticate
this user failed, resetting auth state to unchecked
2004/05/12 16:39:34| authenticateAuthUserLock auth_user '0x8507e90'.
2004/05/12 16:39:34| authenticateAuthUserLock auth_user '0x8507e90' now
at '2'.
2004/05/12 16:39:34| authenticateValidateUser: Validating Auth_user
request '0x8507e48'.
2004/05/12 16:39:34| authenticateValidateUser: Validated Auth_user
request '0x8507e48'.
2004/05/12 16:39:34| authenticateValidateUser: Validating Auth_user
request '0x8507e48'.
2004/05/12 16:39:34| authenticateValidateUser: Validated Auth_user
request '0x8507e48'.
2004/05/12 16:39:34| User not authenticated or credentials need
rechecking.
2004/05/12 16:39:34| authenticateValidateUser: Validating Auth_user
request '0x8507e48'.
2004/05/12 16:39:34| authenticateValidateUser: Validated Auth_user
request '0x8507e48'.
2004/05/12 16:39:34| User not authenticated or credentials need
rechecking.
2004/05/12 16:39:34| aclMatchAcl: returning 0 sending credentials to
helper.
2004/05/12 16:39:34| aclMatchAclList: no match, returning 0
2004/05/12 16:39:34| aclCheck: checking password via authenticator
2004/05/12 16:39:34| authenticateValidateUser: Validating Auth_user
request '0x8507e48'.
2004/05/12 16:39:34| authenticateValidateUser: Validated Auth_user
request '0x8507e48'.
2004/05/12 16:39:34| authenticateStart: auth_user_request '0x8507e48'
2004/05/12 16:39:34| authenticateStart: 'Username:Password'
2004/05/12 16:39:34| cbdataLock: 0x8503cf8
2004/05/12 16:39:34| authenticateAuthUserRequestLock auth_user request
'0x8507e48'.
2004/05/12 16:39:34| authenticateAuthUserRequestLock auth_user request
'0x8507e48' now at '2'.
2004/05/12 16:39:34| cbdataLock: 0x8503e68
2004/05/12 16:39:34| cbdataValid: 0x8503e68
2004/05/12 16:39:34| comm_write: FD 13: sz 15: hndl (nil): data (nil).
2004/05/12 16:39:34| commSetSelect: FD 13 type 2
2004/05/12 16:39:34| commSetSelect: FD 13 type 1
2004/05/12 16:39:34| helperDispatch: Request sent to basicauthenticator
#2, 15 bytes
2004/05/12 16:39:34| helperSubmit: Username Password

I replaced a real user with Username and Password in the previous
snippet.

Can anyone advise what might be wrong?
Received on Fri May 14 2004 - 10:34:22 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Jun 01 2004 - 12:00:01 MDT