[squid-users] Colin Farley is out of the office.

2009-03-20 Thread Colin . Farley

I will be out of the office starting  03/13/2009 and will not return until
03/29/2009.

I will respond to your message when I return.



[squid-users] squid_ldap_auth and squid_ldap_group redundancy

2005-12-08 Thread Colin Farley

Is there any way to have these auth helpers use more than one domain
controller for lookups so that if one ldap server doesn't respond it tries
another?

Thanks,
Colin Farley



Re: [squid-users] Too few authenticator processes are running

2005-11-15 Thread Colin Farley
Once you run the command you need to input username and password:
$ /usr/lib/squid/squid_ldap_auth -b dc=domain,dc=com \
    -D cn=squid,ou=is,dc=domain,dc=com -w squid ldapserver
user password



   
From: Matt Alexander [EMAIL PROTECTED]
To: squid-users@squid-cache.org
Date: 11/15/2005 09:45 AM
Subject: Re: [squid-users] Too few authenticator processes are running




Christoph Haas wrote:
 On Tuesday 15 November 2005 04:06, Matt Alexander wrote:

 In the cache.log, we get squid restarting about once a minute:

 (squid_ldap_auth): error.c:221: ldap_parse_result: Assertion `r != ((void *)0)' failed.


 The external authenticator (squid_ldap_auth) has crashed. Try running it
 from the command line to find out why it does that. Perhaps something has
 changed on the LDAP server - try to look at the queries and replies
 through tcpdump/ethereal.


After shutting down squid to isolate the network traffic, I ran the
following command:

/usr/lib/squid/squid_ldap_auth -b dc=domain,dc=com \
    -D cn=squid,ou=is,dc=domain,dc=com -w squid ldapserver

squid_ldap_auth just sits there and tcpdump doesn't show any new
connections to the ldapserver.  Hitting the Return key prints out ERR
on the screen and I must ctrl-c to get back to my console.  Any ideas
why squid_ldap_auth is failing to do anything?
Thanks,
~M






Fw: [squid-users] Re: squid_ldap_auth and Windows 2003 AD

2005-11-15 Thread Colin Farley

I'm still having this problem and hope that someone might be able to point
me in the right direction, below I have included more details:

using squid_ldap_auth from command line to query 2003 DC:

$ sudo /usr/local/squid/libexec/squid_ldap_auth -b dc=mydomain,dc=net \
    -h 192.168.x.y -p 389 \
    -D cn=Squid,ou=IT,ou=Users,ou=site1,ou=subcompany,dc=mydomain,dc=net \
    -w password -f sAMAccountName=%s -d
user.name password
user filter 'sAMAccountName=user.name', searchbase 'dc=mydomain,dc=net'
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR Success
^C
$ sudo /usr/local/squid/libexec/squid_ldap_auth -b ou=subcompany,dc=mydomain,dc=net \
    -h 192.168.x.y -p 389 \
    -D cn=Squid,ou=IT,ou=Users,ou=site,ou=subcompany,dc=mydomain,dc=net \
    -w password -f sAMAccountName=%s -d
user.name password
user filter 'sAMAccountName=user.name', searchbase 'subcompany,dc=mydomain,dc=net'
attempting to authenticate user
'CN=user.name,OU=SystemAdmins,OU=IT,OU=Users,OU=site1,OU=subcompany,DC=mydomain,DC=net'
OK
^C
$

You can see above that I get ERR Success if I use the base of the domain
for the base dn but it works fine if I specify an OU.  If I do these
queries on a Windows 2000 DC both are successful.  I have tested
squid_ldap_group and it behaves exactly the same.  Any help is greatly
appreciated.

Thanks,
Colin


- Forwarded by Colin Farley/COMPUBank on 11/15/2005 11:10 AM -
   
From: Colin Farley [EMAIL PROTECTED]
To: Derrick MacPherson [EMAIL PROTECTED], squid-users@squid-cache.org
Date: 11/10/2005 02:32 PM
Subject: Re: [squid-users] Re: squid_ldap_auth and Windows 2003 AD




Yes, I can in some cases.  If I am querying windows 2003 DC and the base DN
is the base of the domain (dn=domain,dn=lan) then I get the following:

squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR Success

But if I specify an ou (ou=site1,dn=domain,dn=lan) then it works
correctly.  If I query a Windows 2000 DC then it works either way.

Colin




Hi Colin, I had a tough time with getting the syntax, can you do command
line lookups using squid_ldap_auth ?


On Thu, 2005-11-10 at 11:29 -0600, Colin Farley wrote:
 Yes, I have. The searches are being performed by an authenticated user.

 Thanks,
 Colin



 From: Adam Aube [EMAIL PROTECTED]
 Sent by: news [EMAIL PROTECTED]
 To: squid-users@squid-cache.org
 Date: 11/10/2005 08:51 AM
 Subject: [squid-users] Re: squid_ldap_auth and Windows 2003 AD









 Colin Farley wrote:

  We have a few production squid proxy servers running various STABLE
  versions of squid 2.5 and are encountering some issues as we upgrade our
  Domain controllers from windows 2000 to windows 2003.  The proxy servers
  query the LDAP directory for user access control.

  Ideally, we would like all proxy servers to use a base dn that allows them
  to search the entire domain (dn=domain,dn=lan), when querying Windows
  2000 domain controllers this works perfectly.  However, when we point
  these proxy servers to Windows 2003 domain controllers for LDAP queries
  squid_ldap_auth fails.

  I have found that if I specify an ou for the base dn it works fine
  (ou=site1,dn=domain,dn=lan).  So, it seems that Windows 2003 domain
  controllers have added security that stops searches beginning from the
  base of the domain and searches must start within an ou.

 Have you configured squid_ldap_auth to bind using a user account?

 Adam
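
The command-line check used in the messages above (type a `user password` line on the helper's stdin, read back `OK` or `ERR`) can be run non-interactively and repeated for each candidate base DN; the script below is an added example, not code from the thread or from Squid. `check_helper`, `compare_bases` and `fake_helper` are hypothetical names, and `fake_helper` is a constructed stand-in that only imitates the replies reported in this thread so the script runs without an LDAP server.

```shell
# Added example: drive a Squid basic-auth helper non-interactively.
# The helper reads "user password" lines on stdin and answers OK or ERR
# on stdout; the -d diagnostics seen in the thread go to stderr.

# check_helper USER PASS CMD [ARGS...]  ->  prints OK, ERR or NOREPLY
check_helper() {
    user=$1; pass=$2; shift 2
    # The pipe closes stdin after one request, so the helper exits on EOF
    # instead of waiting at the prompt for Ctrl-C.
    reply=$(printf '%s %s\n' "$user" "$pass" | "$@" | head -n 1)
    case $reply in
        OK*)  echo OK ;;
        ERR*) echo ERR ;;
        *)    echo NOREPLY ;;   # helper died or printed nothing
    esac
}

# compare_bases USER PASS "BASE1 BASE2 ..." CMD [ARGS...]
# Runs the same helper command once per base DN (appended as -b BASE)
# and prints "<verdict> <base>" for each.
compare_bases() {
    cb_user=$1; cb_pass=$2; cb_bases=$3; shift 3
    for cb_base in $cb_bases; do
        echo "$(check_helper "$cb_user" "$cb_pass" "$@" -b "$cb_base") $cb_base"
    done
}

# Constructed stand-in for squid_ldap_auth so this runs without an LDAP
# server. It imitates only what the thread reports: ERR for an empty
# request, "Operations error" for a domain-root base, OK under an OU.
fake_helper() {
    fh_base=
    while [ $# -gt 0 ]; do
        if [ "$1" = -b ] && [ $# -ge 2 ]; then fh_base=$2; shift; fi
        shift
    done
    while read -r fh_user fh_pass; do
        if [ -z "$fh_user" ] || [ -z "$fh_pass" ]; then
            echo ERR
        elif [ "${fh_base#ou=}" != "$fh_base" ]; then
            echo OK
        else
            echo "squid_ldap_auth: WARNING, LDAP search error 'Operations error'" >&2
            echo "ERR Success"
        fi
    done
}

compare_bases user.name password "dc=mydomain,dc=net ou=subcompany,dc=mydomain,dc=net" fake_helper
```

To test a real server, replace `fake_helper` with the helper's path followed by its `-h`, `-D`, `-w` and `-f` options; a `NOREPLY` verdict corresponds to a helper that exits without answering, as in the assertion failure from cache.log.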







Re: Fw: [squid-users] Re: squid_ldap_auth and Windows 2003 AD

2005-11-15 Thread Colin Farley
No, I have not since the searches are not anonymous and it works if I
specify an ou:

-D cn=Squid,ou=IT,ou=Users,ou=site1,ou=subcompany,dc=mydomain,dc=net -w password

tells squid_ldap_auth to authenticate with the specified account and
password before doing searches.

Thanks,
Colin



   
From: Serassio Guido [EMAIL PROTECTED]
To: Colin Farley [EMAIL PROTECTED], squid-users@squid-cache.org
Date: 11/15/2005 12:23 PM
Subject: Re: Fw: [squid-users] Re: squid_ldap_auth and Windows 2003 AD




Hi,

At 18.50 15/11/2005, Colin Farley wrote:


I'm still having this problem and hope that someone might be able to point
me in the right direction, below I have included more details:

Have you tried my suggestion?
http://support.microsoft.com/default.aspx?scid=326690

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/




Re: [squid-users] squid_ldap_auth and Windows 2003 AD

2005-11-10 Thread Colin Farley
Thanks for the reply.  I had a look at the article and I don't think that
it explains my situation.  My squid_ldap_auth command points to a squid
user and supplies a password so I am not doing anonymous searches.  I think
the fact that it works when I specify an OU means that it's not an
authentication problem but rather a search restriction.  Any thoughts are
appreciated.

Thanks,
 Colin


   
From: Serassio Guido [EMAIL PROTECTED]
To: Colin Farley [EMAIL PROTECTED], squid-users@squid-cache.org
Date: 11/10/2005 01:35 AM
Subject: Re: [squid-users] squid_ldap_auth and Windows 2003 AD




Hi,

At 22.25 09/11/2005, Colin Farley wrote:
So, it seems that Windows 2003 domain controllers have added security that
stops searches beginning from the base of the domain and searches must
start within an ou.  Has anyone encountered this?  Are there any fixes that
anyone is aware of?  Any help is greatly appreciated.

Correct, look here:

http://support.microsoft.com/default.aspx?scid=326690

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/




Re: [squid-users] Re: squid_ldap_auth and Windows 2003 AD

2005-11-10 Thread Colin Farley
Yes, I have. The searches are being performed by an authenticated user.

Thanks,
Colin


   
From: Adam Aube [EMAIL PROTECTED]
Sent by: news [EMAIL PROTECTED]
To: squid-users@squid-cache.org
Date: 11/10/2005 08:51 AM
Subject: [squid-users] Re: squid_ldap_auth and Windows 2003 AD




Colin Farley wrote:

 We have a few production squid proxy servers running various STABLE
 versions of squid 2.5 and are encountering some issues as we upgrade our
 Domain controllers from windows 2000 to windows 2003.  The proxy servers
 query the LDAP directory for user access control.

 Ideally, we would like all proxy servers to use a base dn that allows them
 to search the entire domain (dn=domain,dn=lan), when querying Windows
 2000 domain controllers this works perfectly.  However, when we point
 these proxy servers to Windows 2003 domain controllers for LDAP queries
 squid_ldap_auth fails.

 I have found that if I specify an ou for the base dn it works fine
 (ou=site1,dn=domain,dn=lan).  So, it seems that Windows 2003 domain
 controllers have added security that stops searches beginning from the
 base of the domain and searches must start within an ou.

Have you configured squid_ldap_auth to bind using a user account?

Adam




Re: [squid-users] Re: squid_ldap_auth and Windows 2003 AD

2005-11-10 Thread Colin Farley
Yes, I can in some cases.  If I am querying windows 2003 DC and the base DN
is the base of the domain (dn=domain,dn=lan) then I get the following:

squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR Success

But if I specify an ou (ou=site1,dn=domain,dn=lan) then it works
correctly.  If I query a Windows 2000 DC then it works either way.

Colin




Hi Colin, I had a tough time with getting the syntax, can you do command
line lookups using squid_ldap_auth ?


On Thu, 2005-11-10 at 11:29 -0600, Colin Farley wrote:
 Yes, I have. The searches are being performed by an authenticated user.

 Thanks,
 Colin



 From: Adam Aube [EMAIL PROTECTED]
 Sent by: news [EMAIL PROTECTED]
 To: squid-users@squid-cache.org
 Date: 11/10/2005 08:51 AM
 Subject: [squid-users] Re: squid_ldap_auth and Windows 2003 AD









 Colin Farley wrote:

  We have a few production squid proxy servers running various STABLE
  versions of squid 2.5 and are encountering some issues as we upgrade our
  Domain controllers from windows 2000 to windows 2003.  The proxy servers
  query the LDAP directory for user access control.

  Ideally, we would like all proxy servers to use a base dn that allows them
  to search the entire domain (dn=domain,dn=lan), when querying Windows
  2000 domain controllers this works perfectly.  However, when we point
  these proxy servers to Windows 2003 domain controllers for LDAP queries
  squid_ldap_auth fails.

  I have found that if I specify an ou for the base dn it works fine
  (ou=site1,dn=domain,dn=lan).  So, it seems that Windows 2003 domain
  controllers have added security that stops searches beginning from the
  base of the domain and searches must start within an ou.

 Have you configured squid_ldap_auth to bind using a user account?

 Adam







[squid-users] squid_ldap_auth and Windows 2003 AD

2005-11-09 Thread Colin Farley


We have a few production squid proxy servers running various STABLE
versions of squid 2.5 and are encountering some issues as we upgrade our
Domain controllers from windows 2000 to windows 2003.  The proxy servers
query the LDAP directory for user access control.  Ideally, we would like
all proxy servers to use a base dn that allows them to search the entire
domain (dn=domain,dn=lan), when querying Windows 2000 domain controllers
this works perfectly.  However, when we point these proxy servers to
Windows 2003 domain controllers for LDAP queries squid_ldap_auth fails.  I
have found that if I specify an ou for the base dn it works fine
(ou=site1,dn=domain,dn=lan).  So, it seems that Windows 2003 domain
controllers have added security that stops searches beginning from the base
of the domain and searches must start within an ou.  Has anyone encountered
this?  Are there any fixes that anyone is aware of?  Any help is greatly
appreciated.

Thanks,
Colin