Joe,
I eventually got it to work. Had to configure OpenLDAP to allow bind_v2.
I am running squid 2.4 and I don't think my version of squid_ldap_auth supports a flag for doing v3 protocol. Also, I don't seem to have an "ldap_auth".
-john
On Sep 9, 2004, at 7:48 PM, Joseph Rinckey wrote:
John, I'm still learning so this may or may not help you. I had a similar problem only I used ldap_auth not squid_ldap_auth. Anyway, in order to get my squid to work with OpenLDAP I had to use the -h (host) -p (port) and -v (protocol version) options.
Here is what I have in my squid.conf:
auth_param basic program /usr/lib/squid/ldap_auth -b ou=people,dc=pineriver,dc=k12,dc=mi,dc=us -s sub -h 192.168.0.13 -p 389 -v 3 -f uid=%s
As you might have read from one of my other posts squid is running slow for me and this might be why, I don't know what is causing it yet. It's worth a shot though!
Hope that helps,
Joseph Rinckey
John Von Essen wrote:
After doing lots of googling, I am still coming up empty. Here is my problem:
We have BEEN running squid_ldap_auth against Netscape Directory server. We have switched to an OpenLDAP server v2.2.15 and can no longer successfully authenticate for squid proxy server using squid_ldap_auth.
In squid.conf:
authenticate_program /usr/local/sbin/squid_ldap_auth -b o=eastern.edu -f uid=%s ldapserver.domain.com
Example user entry in OpenLDAP on ldapserver.domain.com:
dn: uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu
cn: Bob Smith
givenName: Bob
sn: Smith
uid: bob
userPassword:: ABCXYZ
mail: [EMAIL PROTECTED]
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
Where ABCXYZ is the base64 encoded cleartext password.
I have the following acl's in my slapd.conf:
access to attrs=userPassword
by * auth
access to *
by * read
The above is to prevent anonymous from seeing passwords. Given the above, when I try to run squid_ldap_auth by hand for uid/pass for "bob" I always get ERR. Below is some log level 1 data from openldap log. It looks like it is able to connect, it finds the DN for uid=bob using an anonymous bind, it then binds using bob's dn, but then some errors.
Sep 9 17:12:25 daniel slapd[17757]: connection_get(14): got connid=341
Sep 9 17:12:25 daniel slapd[17757]: connection_read(14): checking for input on id=341
Sep 9 17:12:25 daniel slapd[17757]: ber_get_next on fd 14 failed errno=11 (Resource temporarily unavailable)
Sep 9 17:12:25 daniel slapd[17757]: do_search
Sep 9 17:12:25 daniel slapd[17757]: >>> dnPrettyNormal: <o=eastern.edu>
Sep 9 17:12:25 daniel slapd[17757]: <<< dnPrettyNormal: <o=eastern.edu>, <o=eastern.edu>
Sep 9 17:12:25 daniel slapd[17757]: ==> limits_get: conn=341 op=0 dn="[anonymous]"
Sep 9 17:12:25 daniel slapd[17757]: => bdb_search
Sep 9 17:12:25 daniel slapd[17757]: bdb_dn2entry("o=eastern.edu")
Sep 9 17:12:25 daniel slapd[17757]: search_candidates: base="o=eastern.edu" (0x00000001) scope=2
Sep 9 17:12:25 daniel slapd[17757]: => bdb_dn2idl( "o=eastern.edu" )
Sep 9 17:12:25 daniel slapd[17757]: => bdb_equality_candidates (objectClass)
Sep 9 17:12:25 daniel slapd[17757]: => key_read
Sep 9 17:12:25 daniel slapd[17757]: <= bdb_index_read: failed (-30990)
Sep 9 17:12:25 daniel slapd[17757]: <= bdb_equality_candidates: id=0, first=0, last=0
Sep 9 17:12:25 daniel slapd[17757]: => bdb_equality_candidates (uid)
Sep 9 17:12:25 daniel slapd[17757]: <= bdb_equality_candidates: (uid) index_param failed (18)
Sep 9 17:12:25 daniel slapd[17757]: bdb_search_candidates: id=-1 first=1 last=5619
Sep 9 17:12:28 daniel slapd[17757]: bdb_search: 1 does not match filter
...
Sep 9 17:12:28 daniel slapd[17757]: bdb_search: 5619 does not match filter
Sep 9 17:12:28 daniel slapd[17757]: send_ldap_result: conn=342 op=0 p=3
Sep 9 17:12:28 daniel slapd[17757]: send_ldap_response: msgid=1 tag=101 err=0
Sep 9 17:12:28 daniel slapd[17757]: connection_get(14): got connid=342
Sep 9 17:12:28 daniel slapd[17757]: connection_read(14): checking for input on id=342
Sep 9 17:12:28 daniel slapd[17757]: ber_get_next on fd 14 failed errno=11 (Resource temporarily unavailable)
Sep 9 17:12:28 daniel slapd[17757]: do_bind
Sep 9 17:12:28 daniel slapd[17757]: >>> dnPrettyNormal: <uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu>
Sep 9 17:12:28 daniel slapd[17757]: <<< dnPrettyNormal: <uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu>, <uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu>
Sep 9 17:12:28 daniel slapd[17757]: do_bind: version=2 dn="uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu" method=128
Sep 9 17:12:28 daniel slapd[17757]: send_ldap_result: conn=342 op=1 p=2
Sep 9 17:12:28 daniel slapd[17757]: send_ldap_response: msgid=2 tag=97 err=2
Sep 9 17:12:28 daniel slapd[17757]: connection_get(14): got connid=342
Sep 9 17:12:28 daniel slapd[17757]: connection_read(14): checking for input on id=342
Sep 9 17:12:28 daniel slapd[17757]: ber_get_next on fd 14 failed errno=0 (Error 0)
Sep 9 17:12:28 daniel slapd[17757]: connection_read(14): input error=-2 id=342, closing.
Sep 9 17:12:28 daniel slapd[17757]: connection_closing: readying conn=342 sd=14 for close
Sep 9 17:12:28 daniel slapd[17757]: connection_close: deferring conn=342 sd=14
Sep 9 17:12:28 daniel slapd[17757]: do_unbind
Sep 9 17:12:28 daniel slapd[17757]: connection_resched: attempting closing conn=342 sd=14
Sep 9 17:12:28 daniel slapd[17757]: connection_close: conn=342 sd=14
Anyone have any ideas? Thanks
John
John Von Essen ([EMAIL PROTECTED]) President, Essenz Consulting (www.essenz.com) Phone: (800) 248-1736 Fax: (800) 852-3387
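An added example from the editor, not code from anyone in the thread: stdlib-only Python that encodes and decodes the LDAP BindRequest/BindResponse PDUs (RFC 4511 BER) squid_ldap_auth and slapd exchange, and translates the numbers slapd prints in the log above. It shows what "do_bind: version=2 ... method=128" and "send_ldap_response: msgid=2 tag=97 err=2" mean on the wire: a version-2 simple bind (context tag [0] = 0x80 = 128 is the simple-auth choice), answered with a BindResponse ([APPLICATION 1] = 0x61 = 97) carrying resultCode 2, protocolError, which is consistent with John's report that the fix was enabling bind_v2 on the server. The DN is the one from the post; the password "secret" and the msgid values are constructed for the demo, and the two log fragments are copied from the log above.

```python
"""Encode/decode LDAP Bind PDUs (RFC 4511) with hand-rolled BER and explain
the tag/err numbers slapd logs in send_ldap_response. Editor's example."""
import re

# LDAP resultCode values (RFC 4511 s4.1.9), the subset a bind can return
RESULT_CODES = {0: "success", 2: "protocolError", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 13: "confidentialityRequired",
                32: "noSuchObject", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}

# Protocol-op tags: [APPLICATION n] = 0x40 | (0x20 if constructed) | n
OP_TAGS = {0x60: "BindRequest", 0x61: "BindResponse", 0x42: "UnbindRequest",
           0x63: "SearchRequest", 0x64: "SearchResultEntry", 0x65: "SearchResultDone"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    """INTEGER: minimal-length two's complement."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def bind_request(msgid: int, version: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple [0] } }.
    The simple-credentials choice is context tag [0] primitive, 0x80; that is
    the 'method=128' slapd prints in do_bind."""
    if not 1 <= version <= 127:
        raise ValueError("LDAP version must be in 1..127")
    op = tlv(0x60, ber_int(version) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msgid) + op)


def bind_response(msgid: int, result_code: int, matched_dn: str = "", diag: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse { resultCode ENUMERATED, matchedDN, diagnosticMessage } }."""
    op = tlv(0x61, tlv(0x0A, bytes([result_code])) + tlv(0x04, matched_dn.encode()) + tlv(0x04, diag.encode()))
    return tlv(0x30, ber_int(msgid) + op)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_message(pdu: bytes) -> dict:
    """Decode an LDAPMessage that carries a BindRequest or a BindResponse."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    out = {"msgid": int.from_bytes(mid, "big", signed=True), "op": OP_TAGS.get(op_tag, hex(op_tag))}
    if op_tag == 0x60:
        _, ver, pos = _read_tlv(op, 0)
        _, name, pos = _read_tlv(op, pos)
        auth_tag, cred, _ = _read_tlv(op, pos)
        out.update(version=int.from_bytes(ver, "big"), dn=name.decode(),
                   method=auth_tag, simple=(auth_tag == 0x80), credentials=cred)
    elif op_tag == 0x61:
        _, rc, pos = _read_tlv(op, 0)
        _, matched, pos = _read_tlv(op, pos)
        _, diag, _ = _read_tlv(op, pos)
        code = int.from_bytes(rc, "big")
        out.update(err=code, result=RESULT_CODES.get(code, "unknown"),
                   matched_dn=matched.decode(), diag=diag.decode())
    return out


LOG_RE = re.compile(r"send_ldap_response: msgid=(\d+) tag=(\d+) err=(\d+)")


def explain_slapd_response(line: str) -> str:
    """Turn a slapd 'send_ldap_response: msgid=N tag=T err=E' line into words."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("no send_ldap_response in line")
    msgid, tag, err = (int(x) for x in m.groups())
    return f"msgid={msgid} {OP_TAGS.get(tag, hex(tag))} -> {err} ({RESULT_CODES.get(err, 'unknown')})"


if __name__ == "__main__":
    # DN from the post; the password and msgid are constructed for the demo
    pdu = bind_request(2, 2, "uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu", "secret")
    print(decode_message(pdu))
    print(decode_message(bind_response(2, 2)))
    for line in ("send_ldap_response: msgid=1 tag=101 err=0",   # copied from the log above
                 "send_ldap_response: msgid=2 tag=97 err=2"):
        print(explain_slapd_response(line))
```

Reading the log through this: msgid=1 tag=101 err=0 is the anonymous search for uid=bob completing successfully (SearchResultDone, success), and msgid=2 tag=97 err=2 is the bind as bob's DN being refused with protocolError rather than invalidCredentials (49), so the password was never evaluated; the helper was speaking LDAPv2 (version=2), which is why Joseph's -v 3 flag or John's server-side bind_v2 change makes the difference.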
