Re: Problem when trying to authenticate squid with openldap server
On Wed, 24 Nov 2010 08:59:05 -0300,
Bruno Lamps <lampss@gmail.com> wrote:

> Hi everybody,
> 
> I spent some days reading the ebook "Ldap for rocket scientists" (
> zytrax.com/books/ldap/) and I've successfully (I think it's a success
> =3 ) created a VM with debian lenny and openldap running.
> 
> After that, I created another VM, running IPfire (www.ipfire.org)
> distro, this will be the firewall of the SMB I'm working for. Now I'm
> trying to authenticate the squid proxy, installed in IPFire distro,
> integrating it with my openldap server. A screenshot of my IPFire's
> webGUI and phpldapadmin webGUI can be seen at this topic:
> http://forum.ipfire.org/index.php?topic=3404.0
> 
> But the authentication isn't running, the browser using squid proxy
> keeps asking me for username and password. Suspecting that the webGUI
> could be making some mistake in squid config file, I started editing
> its parameters manually. Right now, the ldap authentication line in
> my squid.conf looks like this:
> 
> auth_param basic program /usr/lib/squid/squid_ldap_auth -D
> "cn=admin,dc=pisolar" -w "mypassword" -b "ou=usuarios,dc=pisolar" -h
> 192.168.1.7 -v 3
> 
> cn=admin,dc=pisolar = my root user.
> 
> ou=usuarios,dc=pisolar = the OU where my users are stored.
> 
> I opened slapd in debug mode (slapd -d 255) in my openldap
> debian-powered VM, and this is the text shown when I try to
> authenticate in my browser:
[...]
>
> => bdb_dn2id("ou=usuarios,dc=pisolar")
> <= bdb_dn2id: got id=0xb
> => bdb_dn2id("uid=lamps,ou=usuarios,dc=pisolar")
> <= bdb_dn2id: got id=0x10
> entry_decode: "uid=lamps,ou=usuarios,dc=pisolar"
> <= entry_decode(uid=lamps,ou=usuarios,dc=pisolar)
> => access_allowed: auth access to "uid=lamps,ou=usuarios,dc=pisolar"
> "userPassword" requested
> => acl_get: [1] attr userPassword
> => slap_access_allowed: result not in cache (userPassword)
> => acl_mask: access to entry "uid=lamps,ou=usuarios,dc=pisolar", attr
> "userPassword" requested
> => acl_mask: to value by "", (=0)
> <= check a_dn_pat: cn=admin,dc=pisolar
> <= check a_dn_pat: anonymous
> <= acl_mask: [2] applying none(=0) (stop)
> <= acl_mask: [2] mask: none(=0)
> => slap_access_allowed: auth access denied by none(=0)

[...]

Check your access rules, as access to the attribute userPassword is
denied; read the few lines above.
 
> I tried to set a lot of different config syntaxes at squid.conf, but
> it always comes to the same kind of problem at slapd debug: After
> reading the user CN and his password, slapd fails to read something
> else (ldap_read: want=8 error=Resource temporarily unavailable) and
> then it doesn't authenticate.
> 
> What am I doing wrong? Is there any problem with my openldap server?
> With squid? =(

I think both are misconfigured.
The module squid_ldap_auth requires a parameter -u, in order to define
the attribute type, which can be either uid or cn.

-Dieter 

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
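
Dieter's two points written out as an added example (not from the thread): a slapd.conf access directive that grants the anonymous bind identity "auth" access to userPassword, placed next to a rule of the shape the debug output above suggests, and Bruno's auth_param line with -u added. The DNs, host and password value are the ones Bruno posted; the rest of his slapd.conf layout is an assumption.

```conf
# slapd.conf (assumed layout; only the access directives are shown)
#
# A rule of this shape reproduces the debug trace: slapd checks the
# cn=admin pattern, then the anonymous pattern, and applies "none",
# so the simple bind gets "auth access denied by none(=0)".
# (Reconstructed from the trace, not copied from Bruno's config.)
#access to attrs=userPassword
#    by dn="cn=admin,dc=pisolar" write
#    by anonymous none
#    by * none

# Corrected: a simple bind starts as the anonymous identity, so that
# identity needs "auth" on userPassword. "auth" lets slapd compare the
# supplied password without letting anyone read the stored hashes.
# Keep this directive before any catch-all "access to *" rule: slapd
# uses the first "access to" clause whose target matches and stops.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by * read

# squid.conf: Bruno's helper line with the -u attribute Dieter asks for.
# The helper binds as cn=admin to find uid=<user> under ou=usuarios,
# then binds as that user's DN with the browser-supplied password.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "ou=usuarios,dc=pisolar" -u uid -D "cn=admin,dc=pisolar" -w "mypassword" -h 192.168.1.7 -v 3
```

After changing the access rules, restart slapd and re-run it with -d 255; the trace for the same bind should now end in an "auth access granted" line instead of the denial quoted above.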