Re: [squid-users] problem with squid_ldap_auth and OpenLDAP

From: John Von Essen <john@dont-contact.us>
Date: Thu, 9 Sep 2004 20:01:09 -0400

Joe,

I eventually got it to work. Had to configure OpenLDAP to allow bind_v2.

I am running squid 2.4 and I don't think my version of squid_ldap_auth
supports a flag for doing v3 protocol. Also, I don't seem to have an
"ldap_auth".

-john

On Sep 9, 2004, at 7:48 PM, Joseph Rinckey wrote:

> John, I'm still learning so this may or may not help you. I had a
> similar problem only I used ldap_auth not squid_ldap_auth. Anyway, in
> order to get my squid to work with OpenLDAP I had to use the -h (host)
> -p (port) and -v (protocol version) options.
>
> Here is what I have in my squid.conf:
>
> auth_param basic program /usr/lib/squid/ldap_auth -b
> ou=people,dc=pineriver,dc=k12,dc=mi,dc=us -s sub -h 192.168.0.13 -p
> 389 -v 3 -f uid=%s
>
> As you might have read from one of my other posts squid is running
> slow for me and this might be why, I don't know what is causing it
> yet. It's worth a shot though!
>
> Hope that helps,
>
>
> Joseph Rinckey
>
>
> John Von Essen wrote:
>> After doing lots of googling, I am still coming up empty. Here is my
>> problem:
>> We have BEEN running squid_ldap_auth against Netscape Directory
>> server. We have switched to an OpenLDAP server v2.2.15 and can no
>> longer successfully authenticate for squid proxy server using
>> squid_ldap_auth.
>> In squid.conf:
>> authenticate_program /usr/local/sbin/squid_ldap_auth -b o=eastern.edu
>> -f uid=%s ldapserver.domain.com
>> Example user entry in OpenLDAP on ldapserver.domain.com:
>> dn: uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu
>> cn: Bob Smith
>> givenName: Bob
>> sn: Smith
>> uid: bob
>> userPassword:: ABCXYZ
>> mail: bob@eastern.edu
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> Where ABCXYZ is the base64 encoded cleartext password.
>> I have the following acl's in my slapd.conf:
>> access to attrs=userPassword
>> by * auth
>> access to *
>> by * read
>> The above is to prevent anonymous from seeing passwords. Given the
>> above, when I try to run squid_ldap_auth by hand for uid/pass for
>> "bob" I always get ERR. Below is some log level 1 data from openldap
>> log. It looks like it is able to connect, it finds the DN for uid=bob
>> using an anonymous bind, it then binds using bob's dn, but then some
>> errors.
>> Sep 9 17:12:25 daniel slapd[17757]: connection_get(14): got
>> connid=341
>> Sep 9 17:12:25 daniel slapd[17757]: connection_read(14): checking
>> for input on id=341
>> Sep 9 17:12:25 daniel slapd[17757]: ber_get_next on fd 14 failed
>> errno=11 (Resource temporarily unavailable)
>> Sep 9 17:12:25 daniel slapd[17757]: do_search
>> Sep 9 17:12:25 daniel slapd[17757]: >>> dnPrettyNormal:
>> <o=eastern.edu>
>> Sep 9 17:12:25 daniel slapd[17757]: <<< dnPrettyNormal:
>> <o=eastern.edu>, <o=eastern.edu>
>> Sep 9 17:12:25 daniel slapd[17757]: ==> limits_get: conn=341 op=0
>> dn="[anonymous]"
>> Sep 9 17:12:25 daniel slapd[17757]: => bdb_search
>> Sep 9 17:12:25 daniel slapd[17757]: bdb_dn2entry("o=eastern.edu")
>> Sep 9 17:12:25 daniel slapd[17757]: search_candidates:
>> base="o=eastern.edu" (0x00000001) scope=2
>> Sep 9 17:12:25 daniel slapd[17757]: => bdb_dn2idl( "o=eastern.edu" )
>> Sep 9 17:12:25 daniel slapd[17757]: => bdb_equality_candidates
>> (objectClass)
>> Sep 9 17:12:25 daniel slapd[17757]: => key_read
>> Sep 9 17:12:25 daniel slapd[17757]: <= bdb_index_read: failed
>> (-30990)
>> Sep 9 17:12:25 daniel slapd[17757]: <= bdb_equality_candidates:
>> id=0, first=0, last=0
>> Sep 9 17:12:25 daniel slapd[17757]: => bdb_equality_candidates (uid)
>> Sep 9 17:12:25 daniel slapd[17757]: <= bdb_equality_candidates:
>> (uid) index_param failed (18)
>> Sep 9 17:12:25 daniel slapd[17757]: bdb_search_candidates: id=-1
>> first=1 last=5619
>> Sep 9 17:12:28 daniel slapd[17757]: bdb_search: 1 does not match
>> filter
>> ...
>> Sep 9 17:12:28 daniel slapd[17757]: bdb_search: 5619 does not match
>> filter
>> Sep 9 17:12:28 daniel slapd[17757]: send_ldap_result: conn=342 op=0
>> p=3
>> Sep 9 17:12:28 daniel slapd[17757]: send_ldap_response: msgid=1
>> tag=101 err=0
>> Sep 9 17:12:28 daniel slapd[17757]: connection_get(14): got
>> connid=342
>> Sep 9 17:12:28 daniel slapd[17757]: connection_read(14): checking
>> for input on id=342
>> Sep 9 17:12:28 daniel slapd[17757]: ber_get_next on fd 14 failed
>> errno=11 (Resource temporarily unavailable)
>> Sep 9 17:12:28 daniel slapd[17757]: do_bind
>> Sep 9 17:12:28 daniel slapd[17757]: >>> dnPrettyNormal:
>> <uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu>
>> Sep 9 17:12:28 daniel slapd[17757]: <<< dnPrettyNormal:
>> <uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu>,
>> <uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu>
>> Sep 9 17:12:28 daniel slapd[17757]: do_bind: version=2
>> dn="uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu" method=128
>> Sep 9 17:12:28 daniel slapd[17757]: send_ldap_result: conn=342 op=1
>> p=2
>> Sep 9 17:12:28 daniel slapd[17757]: send_ldap_response: msgid=2
>> tag=97 err=2
>> Sep 9 17:12:28 daniel slapd[17757]: connection_get(14): got
>> connid=342
>> Sep 9 17:12:28 daniel slapd[17757]: connection_read(14): checking
>> for input on id=342
>> Sep 9 17:12:28 daniel slapd[17757]: ber_get_next on fd 14 failed
>> errno=0 (Error 0)
>> Sep 9 17:12:28 daniel slapd[17757]: connection_read(14): input
>> error=-2 id=342, closing.
>> Sep 9 17:12:28 daniel slapd[17757]: connection_closing: readying
>> conn=342 sd=14 for close
>> Sep 9 17:12:28 daniel slapd[17757]: connection_close: deferring
>> conn=342 sd=14
>> Sep 9 17:12:28 daniel slapd[17757]: do_unbind
>> Sep 9 17:12:28 daniel slapd[17757]: connection_resched: attempting
>> closing conn=342 sd=14
>> Sep 9 17:12:28 daniel slapd[17757]: connection_close: conn=342 sd=14
>> Anyone have any ideas? Thanks
>> John
>
>
John Von Essen (john@essenz.com)
President, Essenz Consulting (www.essenz.com)
Phone: (800) 248-1736
Fax: (800) 852-3387
Received on Thu Sep 09 2004 - 18:09:58 MDT
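An added diagnostic script, not part of the thread or of squid/OpenLDAP: it pairs each slapd do_bind line with the BindResponse that follows it (BER tag 97) and explains the LDAP resultCode, so the version=2 / err=2 pattern in John's log reads directly as "LDAPv2 bind refused as protocolError", which is what a slapd without `allow bind_v2` returns. The sample log lines are constructed, modelled on the excerpt above; the host, pid and DNs are made up.

```python
import re

# LDAP resultCode values (RFC 4511) and the BER tag of a BindResponse.
LDAP_RESULT_CODES = {0: "success", 2: "protocolError", 49: "invalidCredentials"}
BIND_RESPONSE_TAG = 97  # 0x61 = [APPLICATION 1] BindResponse

BIND_RE = re.compile(r'do_bind: version=(\d+) dn="([^"]*)" method=(\d+)')
RESPONSE_RE = re.compile(r"send_ldap_response: msgid=(\d+) tag=(\d+) err=(\d+)")

# Constructed sample lines modelled on the thread's excerpt (host, pid, DNs made up).
SAMPLE_LOG = """\
Sep  9 17:12:28 daniel slapd[17757]: do_bind: version=2 dn="uid=bob,ou=people,o=eastern.edu" method=128
Sep  9 17:12:28 daniel slapd[17757]: send_ldap_result: conn=342 op=1 p=2
Sep  9 17:12:28 daniel slapd[17757]: send_ldap_response: msgid=2 tag=97 err=2
Sep  9 17:12:30 daniel slapd[17757]: do_bind: version=3 dn="uid=alice,ou=people,o=eastern.edu" method=128
Sep  9 17:12:30 daniel slapd[17757]: send_ldap_result: conn=343 op=1 p=3
Sep  9 17:12:30 daniel slapd[17757]: send_ldap_response: msgid=2 tag=97 err=49
"""

def diagnose(version, err):
    """Turn a bind's protocol version and resultCode into a plain-language cause."""
    if err == 0:
        return "bind succeeded"
    if err == 2 and version == 2:
        return ("LDAPv2 bind rejected (protocolError): slapd 2.1+ refuses LDAPv2 unless "
                "slapd.conf has 'allow bind_v2'; better to make the helper use LDAPv3 "
                "(-v 3) where it supports that option")
    if err == 49:
        return "invalidCredentials: wrong password, or the userPassword ACL lacks 'by * auth'"
    return "bind failed with " + LDAP_RESULT_CODES.get(err, "resultCode %d" % err)

def analyze_bind_log(text):
    """Pair each do_bind line with the next BindResponse and diagnose the outcome."""
    pending, results = None, []
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending = {"version": int(m.group(1)), "dn": m.group(2)}
            continue
        m = RESPONSE_RE.search(line)
        if m and int(m.group(2)) == BIND_RESPONSE_TAG and pending is not None:
            err = int(m.group(3))
            results.append(dict(pending, err=err, diagnosis=diagnose(pending["version"], err)))
            pending = None
    return results

if __name__ == "__main__":
    for r in analyze_bind_log(SAMPLE_LOG):
        print("%s (v%d): %s" % (r["dn"], r["version"], r["diagnosis"]))
```

Feed it a real slapd loglevel 1 capture (with wrapped lines rejoined) to check whether a failing bind is a protocol-version mismatch or a credential/ACL problem before touching slapd.conf.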