cannot auth win 2003 domain with squid ldap_auth

140 pts.
Tags:
Fedora Linux
LDAP
Proxy servers
Squid
Windows Server 2003
Hi, I was trying to set up squid on fc7, version 2.6.STABLE16. I have a domain set up in a Win 2003 server with about 20 users (abcgroup.local), the IP address of the domain controller being 192.168.10.3. I have a group (abcgroup), which has 3 companies (Cmp1, Cmp2, Cmp3). Now, I am setting all this up assuming I could use the squid_ldap_auth param to query the domain to authenticate the user without installing an LDAP server on the DC. I tried to research OpenLDAP but I am not sure if I should be using it on the Win server. I am pretty new to using Server 2003 and using squid for the first time. I'm not quite sure if the domain controller should have LDAP set up by default OR if I will have to install it (OpenLDAP) to get the squid proxy to authenticate the user. (I am trying a transparent auth so that I could view the logs in SARG such that I know which user logged in and accessed which web site.)

This is the authentication part of squid.conf:

    auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=abcgroup,dc=local" -D "cn=Administrator,cn=Users,dc=abcgroup,dc=local" -w "password" -f sAMAccountName=%s -h 192.168.10.3
    auth_param basic children 5
    auth_param basic realm Vanderpolgroup.local
    auth_param basic credentialsttl 5 minutes

I tried to use squid_ldap_auth as a terminal command but it gave me the output ERR every time I hit the return key. Which is why I am assuming that I cannot access the domain. I also tried using the LDAP browser, which does not display the entire tree that I have set up on the DC. I don't know if this information is enough, but if anyone can help me out it will be great. I am doing this as part of a school project.

==== Rest of the config =====

    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    acl our_networks src 192.168.10.0/24
    acl custom_allowed_domains dstdomain "/etc/squid/allowed_domains.acl"
    http_access allow custom_allowed_domains
    acl custom_denied_domains dstdomain "/etc/squid/denied_domains.acl"
    http_access deny custom_denied_domains
    http_access allow our_networks
    http_access allow localhost
    http_access deny all
    icp_access allow all
    http_port 3128
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin ?
    cache deny QUERY
    cache_mem 256 MB
    maximum_object_size_in_memory 128 KB
    cache_dir ufs /cache 70000 32 512
    maximum_object_size 32768 KB
    cache_swap_low 90
    cache_swap_high 95
    access_log /var/log/squid/access.log squid
    logfile_rotate 15
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    cache_mgr abc@abc.com
    coredump_dir /var/spool/squid
ASKED: February 22, 2008  12:59 AM
UPDATED: February 22, 2008  6:43 PM
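As an added illustration (not code from the question, the answer or Squid itself), here is a Python model of the two-step flow behind the -D/-w plus -f sAMAccountName=%s configuration in the question: a search for the user's DN under the base DN using the service-account bind, then a bind as the DN that was found using the password the browser supplied, answering one OK or ERR per line the way a Squid basic-auth helper does. The directory is a constructed in-memory dict so it runs offline; FAKE_AD, the sample users and all function names are assumptions of this example.

```python
import sys

# Constructed sample directory for the example: DN -> (attributes, password).
FAKE_AD = {
    "cn=Alice,cn=Users,dc=abcgroup,dc=local": ({"sAMAccountName": "alice"}, "s3cret!"),
    "cn=Bob,ou=Cmp1,dc=abcgroup,dc=local": ({"sAMAccountName": "bob"}, "hunter2"),
}

def ldap_filter_escape(value):
    """Escape RFC 4515 metacharacters so a username cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(template, username):
    """Substitute %s in the -f template ('sAMAccountName=%s') and parenthesise it."""
    flt = template.replace("%s", ldap_filter_escape(username))
    return flt if flt.startswith("(") else "(" + flt + ")"

def search_user_dn(base_dn, flt, directory):
    """Step 1 (done with the -D/-w service bind): find exactly one DN matching the filter."""
    attr, _, value = flt.strip("()").partition("=")
    hits = [dn for dn, (attrs, _) in directory.items()
            if dn.lower().endswith(base_dn.lower())
            and attrs.get(attr, "").lower() == value.lower()]
    return hits[0] if len(hits) == 1 else None

def check_credentials(username, password, base_dn="dc=abcgroup,dc=local",
                      filter_template="sAMAccountName=%s", directory=FAKE_AD):
    """Return 'OK' or 'ERR', the only two replies Squid accepts from a basic helper."""
    if not username or not password:
        return "ERR"
    dn = search_user_dn(base_dn, build_filter(filter_template, username), directory)
    if dn is None:
        return "ERR"  # no such sAMAccountName under the base DN (or it is ambiguous)
    # Step 2: bind as the found DN with the user's own password (modelled as a compare).
    return "OK" if directory[dn][1] == password else "ERR"

def helper_loop(lines, **kw):
    """Squid writes one 'user password' line per request; the helper answers one line each."""
    for line in lines:
        user, _, pw = line.rstrip("\n").partition(" ")
        yield check_credentials(user, pw, **kw)

if __name__ == "__main__":
    for reply in helper_loop(sys.stdin):
        print(reply, flush=True)
```

Run it interactively and type "user password" lines to see the same OK/ERR behaviour the question describes; an ERR can come from either step, which is why a wrong base DN or bind DN and a wrong password look identical from the terminal.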

Answer Wiki


Looking through this site:

http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory

Your authentication config looks good. Squid should be able to authenticate directly with AD. You should not have to install anything else. My first question for you to look into is: go into Active Directory Users and Computers and find the "Administrator" account that you are using to do the authentication. Is that user in the "USERS" organizational unit? That is where your config for squid is looking for it:

cn=Users

Please make sure that it is there and that it has a capital A at the beginning. These configs are picky and capitalization counts. If it is not there, then change your squid config to match its location.

Discuss This Question: 1  Reply

  • Sheldon.sc
    It is under the USER OU. I have the abcgroup.local which has Computers, Domain Controllers, LostAndFound, System, USERS, and the Administrator is under USERS. I tried a direct search with the following command:

        /usr/lib/squid/squid_ldap_auth -R -b "dc=abcgroup,dc=local" -D "cn=Administrator,cn=Users,dc=abcgroup,dc=local" -h 192.168.10.3

    I typed in the username and the password. It gave me "ERR Success". So it's giving me an ERR and Success, which again I don't know what it means?! And if I try

        /usr/lib/squid/squid_ldap_auth -R -b "dc=abcgroup,dc=local" -D "cn=Administrator,cn=Users,dc=abcgroup,dc=local" -f sAMAccountName=%s -h 192.168.10.3

    and then type the username and password, it gives me an error: squid_ldap_auth: WARNING, LDAP search error 'Operation Error'. If I try it with -w"password!" it gives me an error saying: bash: !": event not found. So for some reason squid cannot recognise the ! symbol. So, I don't know if I am typing the search string incorrectly????
