RE: [squid-users] RE: User with Chinese LDAP CN does not work

From: Huang, David <David.Huang@dont-contact.us>
Date: Tue, 27 Jul 2004 15:29:40 +0800

Hello,

For users with a Chinese LDAP CN name in the Windows 2000 AD, I tried squid_ldap_auth on the command line, but it does not work. I guess this is not a problem with the IE setting:

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=mtuzhuhai,dc=com" -D "cn=zpc9998t,ou=it,dc=mtuzhuhai,dc=com" -w abcdefg -f "(&(sAMAccountName=%s)(objectclass=user))" -h 53.12.2.13 -p 389 -s sub -P
yke0155 secretpassword
ERR

Notes:

user name yke0155 has a Chinese LDAP CN name.

Thanks

David

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: July 26, 2004 14:49
To: Huang, David
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] RE: User with Chinese LDAP CN does not work

On Mon, 26 Jul 2004, Huang, David wrote:

> 1) user has to enter username (UPN) and password. I tried to use
> sAMAccountName, instead of userPrincipalName, it works fine in the
> command line for squid_ldap_auth, but NOT for using it in the
> configuration file. I don't know why!

If it works from the command line then it must work from squid.conf as
well. Make sure you use the exact same line in both.

> Is it possible that the user does not need to enter the username and
> password? I mean it takes the user name from the system (IE?)

Not automatically in "Basic" authentication. The closest you have here is
the ability to have MSIE (and most other browsers) save the entered
password.

If you want fully transparent authentication then look into NTLM
authentication via Samba-3. This is the "Microsoft Integrated Login"
mechanism also supported by MS ISA and IIS.

> 2) users with Chinese CN does not work.
>
> For users with Chinese CN and displayName in the Windows 2000 AD,
> squid_ldap_auth will not work even in the command line. It is a bug or
> I need more configuration.

Probably LDAP and your browser do not agree on what encoding to use for
the user name. If I am not mistaken LDAP uses UTF-8.

Please use "log_mime_hdrs" to inspect what your browser is sending. What
you are looking for is the "Proxy-Authorization" header which carries the
login and password in base64 encoding.

Regards
Henrik
Received on Tue Jul 27 2004 - 02:47:40 MDT
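
The header check suggested in the reply above, as an added example that is not part of the original thread: it decodes a Basic Proxy-Authorization header and reports whether the login bytes are ASCII, UTF-8 (what the reply expects LDAP to use) or a legacy code page. The function names are hypothetical, the sample headers are constructed, and GBK as the candidate legacy encoding is an assumption; the header line is assumed to have been copied out of the log_mime_hdrs output.

```python
import base64

def decode_basic(header_line):
    """Split 'Proxy-Authorization: Basic <b64>' into raw (login, password) bytes."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "proxy-authorization":
        raise ValueError("not a Proxy-Authorization header")
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("scheme is %r, not Basic" % scheme)
    # validate=True rejects stray characters instead of silently skipping them
    raw = base64.b64decode(blob.strip(), validate=True)
    # The login cannot contain ':', so split on the first one only
    user, sep, password = raw.partition(b":")
    if not sep:
        raise ValueError("no ':' between login and password")
    return user, password

def login_encoding(user, legacy="gbk"):
    """Classify login bytes as 'ascii', 'utf-8', the legacy codec name, or 'unknown'.

    UTF-8 is tried first because random legacy bytes rarely form valid UTF-8;
    the legacy codec (assumed GBK here) is only a guess for what is left.
    """
    try:
        user.decode("ascii")
        return "ascii"
    except UnicodeDecodeError:
        pass
    for codec in ("utf-8", legacy):
        try:
            user.decode(codec)
            return codec
        except UnicodeDecodeError:
            continue
    return "unknown"

def make_header(login, codec):
    """Build a constructed sample header with the login encoded in `codec`."""
    raw = login.encode(codec) + b":" + b"constructed-password"
    return "Proxy-Authorization: Basic " + base64.b64encode(raw).decode("ascii")

if __name__ == "__main__":
    # Constructed samples: the ASCII login from the post and a Chinese login sent two ways
    for login, codec in (("yke0155", "ascii"), ("中文", "utf-8"), ("中文", "gbk")):
        user, _ = decode_basic(make_header(login, codec))
        print(codec, user.hex(), "->", login_encoding(user))
```

A result other than "ascii" or "utf-8" for the login means the bytes the browser sent will not match a UTF-8 value in the directory.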
