Question

  Asked: Feb 22 2008   0:59 AM GMT
  Asked by: Sheldon.sc


cannot auth win 2003 domain with squid ldap_auth


Fedora Linux, Proxy servers, Squid, LDAP, Windows Server 2003

Hi, I was trying to set up squid on fc7, version 2.6.STABLE16. I have a
domain set up in win 2003 server with about 20 users (abcgroup.local),
the IP address of the domain controller being 192.168.10.3. I have a
group (abcgroup), which has 3 companies (Cmp1, Cmp2, Cmp3). Now, I am
setting all this up assuming I could use the squid_ldap_auth param to
query the domain to authenticate the user without installing an LDAP
server on the DC. I tried to research OpenLDAP but I am not sure if
I should be using it on the win server.

I am pretty new to using Server 2003 and using squid for the first
time. I'm not quite sure if the domain controller should have LDAP
set up by default OR if I will have to install it (OpenLDAP) to get the
squid proxy to authenticate the user. (I am trying a transparent auth
so that I could view the logs in SARG such that I know which user
logged in and accessed which web site.)


This is the authentication part of squid.conf.


auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=abcgroup,dc=local" -D "cn=Administrator,cn=Users,dc=abcgroup,dc=local" -w "password" -f sAMAccountName=%s -h 192.168.10.3
auth_param basic children 5
auth_param basic realm Vanderpolgroup.local
auth_param basic credentialsttl 5 minutes


I tried to use squid_ldap_auth as a terminal command but it gave
me the output ERR every time I hit the return key, which is why I am
assuming that I cannot access the domain. I also tried using the LDAP
browser, which does not display the entire tree that I have set up on
the DC.


I don't know if this information is enough. But if anyone can help me
out it will be great. I am doing this as part of a school project.
====
Rest of the config
=====
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.10.0/24
acl custom_allowed_domains dstdomain "/etc/squid/allowed_domains.acl"
http_access allow custom_allowed_domains
acl custom_denied_domains dstdomain "/etc/squid/denied_domains.acl"
http_access deny custom_denied_domains
http_access allow our_networks
http_access allow localhost
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_mem 256 MB
maximum_object_size_in_memory 128 KB
cache_dir ufs /cache 70000 32 512
maximum_object_size 32768 KB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
logfile_rotate 15
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr abc@abc.com
coredump_dir /var/spool/squid

Answer Wiki
Looking through this site:

http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory

Your authentication config looks good. Squid should be able to authenticate directly with AD. You should not have to install anything else. My first question for you to look into is: go into Active Directory Users and Computers and find the "Administrator" account that you are using to do the authentication. Is that user in the "USERS" organizational unit? That is where your config for squid is looking for it:

cn=Users

Please make sure that it is there and that it has a capital A at the beginning. These configs are picky and capitalization counts. If it is not there, then change your squid config to match its location.
Discuss This Answer



Sheldon.sc  |   Feb 22 2008  6:43PM GMT

It is under the USERS OU.
I have the
abcgroup.local which has Computers, Domain Controllers, LostAndFound, System, USERS
and the Administrator is under USERS.

I tried a direct search with the following command:

/usr/lib/squid/squid_ldap_auth -R -b "dc=abcgroup,dc=local" -D "cn=Administrator,cn=Users,dc=abcgroup,dc=local" -h 192.168.10.3

I typed in the username and the password. It gave me ERR Success.
So it's giving me an ERR and Success, which again I don't know what it means?!

And if I try

/usr/lib/squid/squid_ldap_auth -R -b "dc=abcgroup,dc=local" -D "cn=Administrator,cn=Users,dc=abcgroup,dc=local" -f sAMAccountName=%s -h 192.168.10.3

and then type the username and password, it gives me an error:
-> squid_ldap_auth: WARNING, LDAP search error 'Operation Error'

If I try it with -w "password!" it gives me an error saying: bash: !": event not found
So for some reason squid cannot recognise the ! symbol.

So, I don't know if I am typing the search string incorrectly????
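The flow this thread is debugging, as an added example that is not part of the original posts and not squid's own code: a Python model of a basic auth helper that binds with the -D/-w service account, searches with the -f filter, then binds as the user that was found, answering OK or ERR per stdin line as squid expects. The directory is a constructed in-memory stand-in (FakeDirectory, the user Alice and all passwords are made up); it shows why an empty password must be rejected before it reaches the server and why the username is escaped before it goes into the filter.

```python
from dataclasses import dataclass, field

# RFC 4515 escaping for values placed in a search filter, so a username such
# as '*' or 'a)(cn=*' cannot widen the search beyond a single account.
_FILTER_ESCAPES = str.maketrans({c: '\\%02x' % ord(c) for c in '*()\\\x00'})

def build_filter(template: str, user: str) -> str:
    """Substitute the username into the -f template, e.g. 'sAMAccountName=%s'."""
    return template.replace('%s', user.translate(_FILTER_ESCAPES))

@dataclass
class FakeDirectory:
    """Constructed stand-in for the domain controller; not a real LDAP client."""
    entries: dict = field(default_factory=dict)    # dn -> {attribute: value}
    passwords: dict = field(default_factory=dict)  # dn -> password

    def bind(self, dn: str, password: str) -> bool:
        # Modelled on AD: a simple bind with an empty password succeeds as an
        # unauthenticated (anonymous) bind, so the helper must never send one.
        return True if password == '' else self.passwords.get(dn) == password

    def search(self, base: str, ldap_filter: str) -> list:
        attr, _, value = ldap_filter.partition('=')  # 'attribute=value' filters only
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base) and attrs.get(attr) == value]

def authenticate(d, base, bind_dn, bind_pw, template, user, password) -> str:
    """Return 'OK' or 'ERR <reason>', the reply format squid expects from a helper."""
    if not user or not password:
        return 'ERR empty username or password'
    if not d.bind(bind_dn, bind_pw):                 # the -D / -w service account
        return 'ERR service account bind failed'
    dns = d.search(base, build_filter(template, user))
    if len(dns) != 1:
        return 'ERR user not found'
    return 'OK' if d.bind(dns[0], password) else 'ERR wrong password'

def handle_line(d, base, bind_dn, bind_pw, template, line: str) -> str:
    """Process one line squid writes to the helper's stdin: '<username> <password>'."""
    user, _, password = line.rstrip('\n').partition(' ')
    return authenticate(d, base, bind_dn, bind_pw, template, user, password)

# Constructed sample directory using the DNs from the thread; passwords are made up.
BASE = 'dc=abcgroup,dc=local'
ADMIN_DN = 'cn=Administrator,cn=Users,' + BASE
DC = FakeDirectory(
    entries={ADMIN_DN: {'sAMAccountName': 'Administrator'},
             'cn=Alice,cn=Users,' + BASE: {'sAMAccountName': 'alice'}},
    passwords={ADMIN_DN: 'adminpw', 'cn=Alice,cn=Users,' + BASE: 'alicepw'})
```

With a wrong -w value the service bind fails before any search runs, and a line such as "alice " (empty password) is refused even though the modelled directory would accept the anonymous bind.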