[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem when trying to authenticate squid with openldap server



On Wednesday, 24 November 2010 12:59:05 Bruno Lamps wrote:

[snip irrelevent information]

> 
> *auth_param basic program /usr/lib/squid/squid_ldap_auth -D
> "cn=admin,dc=pisolar" -w "mypassword" -b "ou=usuarios,dc=pisolar" -h
> 192.168.1.7 -v 3*

Note that without a filter (-f option), this does DN construction, which may 
not be what you want ...

> *cn=admin,dc=pisolar *= my root user.


> *ou=usuarios,dc=pisolar *= the OU where my users are stored.

Please provide the exact DN of the user for which you are testing.

> *
> *
> I opened slapd in debug mode (slapd -d 255) in my openldap debian-powered
> VM, and this is the text shown when I try to authenticate in my browser:

I assume you tried to log in with username 'lamps'

> => acl_mask: access to entry "uid=lamps,ou=usuarios,dc=pisolar", attr
> "userPassword" requested
> => acl_mask: to value by "", (=0)
> <= check a_dn_pat: cn=admin,dc=pisolar
> <= check a_dn_pat: anonymous
> <= acl_mask: [2] applying none(=0) (stop)
> <= acl_mask: [2] mask: none(=0)
> => slap_access_allowed: auth access denied by none(=0)
> => access_allowed: no more rules
> send_ldap_result: conn=0 op=0 p=3
> send_ldap_result: err=49 matched="" text=""
> send_ldap_response: msgid=1 tag=97 err=49

It seems your ACLs are not sufficient for *any* simple binds to this DN.

Please test the following on your LDAP server:
$ ldapwhoami -x -D uid=lamps,ou=usuarios,dc=pisolar -W

Until this command works, please don't bother with anything related to squid.

> I tried to set a lot of different config syntaxes at squid.conf, but it
> always come to the same kind of problem at slapd debug: After reading the
> user CN and his password, slapd fails to read something else (ldap_read:
> want=8 error=Resource temporarily unavailable) and then it doesn't
> authenticates.
> 
> What I'm doing wrong? Is there any problem with my openldap server?

Did you ever test simple binds to your LDAP server as these users except from 
squid? It doesn't seem like it ...

Regards,
Buchan