Re: [squid-users] problem with squid_ldap_auth and OpenLDAP

From: Joseph Rinckey <jrinckey@dont-contact.us>
Date: Thu, 09 Sep 2004 19:48:08 -0400

John, I'm still learning so this may or may not help you. I had a
similar problem only I used ldap_auth not squid_ldap_auth. Anyway, in
order to get my squid to work with OpenLDAP I had to use the -h (host)
-p (port) and -v (protocol version) options.

Here is what I have in my squid.conf:

auth_param basic program /usr/lib/squid/ldap_auth -b
ou=people,dc=pineriver,dc=k12,dc=mi,dc=us -s sub -h 192.168.0.13 -p 389
-v 3 -f uid=%s

As you might have read from one of my other posts squid is running slow
for me and this might be why, I don't know what is causing it yet. It's
worth a shot though!

Hope that helps,

Joseph Rinckey

John Von Essen wrote:
> After doing lots of googling, I am still coming up empty. Here is my
> problem:
>
> We have BEEN running squid_ldap_auth against Netscape Directory server.
> We have switched to an OpenLDAP server v2.2.15 and can no longer
> successfully authenticate for squid proxy server using squid_ldap_auth.
>
> In squid.conf:
> authenticate_program /usr/local/sbin/squid_ldap_auth -b o=eastern.edu -f
> uid=%s ldapserver.domain.com
>
> Example user entry in OpenLDAP on ldapserver.domain.com:
> dn: uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu
> cn: Bob Smith
> givenName: Bob
> sn: Smith
> uid: bob
> userPassword:: ABCXYZ
> mail: bob@eastern.edu
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
>
> Where ABCXYZ is the base64 encoded cleartext password.
>
> I have the following acl's in my slapd.conf:
> access to attrs=userPassword
> by * auth
> access to *
> by * read
>
> The above is to prevent anonymous from seeing passwords. Given the
> above, when I try to run squid_ldap_auth by hand for uid/pass for "bob"
> I always get ERR. Below is some log level 1 data from openldap log. It
> looks like it is able to connect, it finds the DN for uid=bob using an
> anonymous bind, it then binds using bob's dn, but then some errors.
>
> Sep 9 17:12:25 daniel slapd[17757]: connection_get(14): got connid=341
> Sep 9 17:12:25 daniel slapd[17757]: connection_read(14): checking for
> input on id=341
> Sep 9 17:12:25 daniel slapd[17757]: ber_get_next on fd 14 failed
> errno=11 (Resource temporarily unavailable)
> Sep 9 17:12:25 daniel slapd[17757]: do_search
> Sep 9 17:12:25 daniel slapd[17757]: >>> dnPrettyNormal: <o=eastern.edu>
> Sep 9 17:12:25 daniel slapd[17757]: <<< dnPrettyNormal:
> <o=eastern.edu>, <o=eastern.edu>
> Sep 9 17:12:25 daniel slapd[17757]: ==> limits_get: conn=341 op=0
> dn="[anonymous]"
> Sep 9 17:12:25 daniel slapd[17757]: => bdb_search
> Sep 9 17:12:25 daniel slapd[17757]: bdb_dn2entry("o=eastern.edu")
> Sep 9 17:12:25 daniel slapd[17757]: search_candidates:
> base="o=eastern.edu" (0x00000001) scope=2
> Sep 9 17:12:25 daniel slapd[17757]: => bdb_dn2idl( "o=eastern.edu" )
> Sep 9 17:12:25 daniel slapd[17757]: => bdb_equality_candidates
> (objectClass)
> Sep 9 17:12:25 daniel slapd[17757]: => key_read
> Sep 9 17:12:25 daniel slapd[17757]: <= bdb_index_read: failed (-30990)
> Sep 9 17:12:25 daniel slapd[17757]: <= bdb_equality_candidates: id=0,
> first=0, last=0
> Sep 9 17:12:25 daniel slapd[17757]: => bdb_equality_candidates (uid)
> Sep 9 17:12:25 daniel slapd[17757]: <= bdb_equality_candidates: (uid)
> index_param failed (18)
> Sep 9 17:12:25 daniel slapd[17757]: bdb_search_candidates: id=-1
> first=1 last=5619
> Sep 9 17:12:28 daniel slapd[17757]: bdb_search: 1 does not match filter
> ...
> Sep 9 17:12:28 daniel slapd[17757]: bdb_search: 5619 does not match filter
> Sep 9 17:12:28 daniel slapd[17757]: send_ldap_result: conn=342 op=0 p=3
> Sep 9 17:12:28 daniel slapd[17757]: send_ldap_response: msgid=1 tag=101
> err=0
> Sep 9 17:12:28 daniel slapd[17757]: connection_get(14): got connid=342
> Sep 9 17:12:28 daniel slapd[17757]: connection_read(14): checking for
> input on id=342
> Sep 9 17:12:28 daniel slapd[17757]: ber_get_next on fd 14 failed
> errno=11 (Resource temporarily unavailable)
> Sep 9 17:12:28 daniel slapd[17757]: do_bind
> Sep 9 17:12:28 daniel slapd[17757]: >>> dnPrettyNormal:
> <uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu>
> Sep 9 17:12:28 daniel slapd[17757]: <<< dnPrettyNormal:
> <uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu>,
> <uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu>
> Sep 9 17:12:28 daniel slapd[17757]: do_bind: version=2
> dn="uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu" method=128
> Sep 9 17:12:28 daniel slapd[17757]: send_ldap_result: conn=342 op=1 p=2
> Sep 9 17:12:28 daniel slapd[17757]: send_ldap_response: msgid=2 tag=97
> err=2
> Sep 9 17:12:28 daniel slapd[17757]: connection_get(14): got connid=342
> Sep 9 17:12:28 daniel slapd[17757]: connection_read(14): checking for
> input on id=342
> Sep 9 17:12:28 daniel slapd[17757]: ber_get_next on fd 14 failed
> errno=0 (Error 0)
> Sep 9 17:12:28 daniel slapd[17757]: connection_read(14): input error=-2
> id=342, closing.
> Sep 9 17:12:28 daniel slapd[17757]: connection_closing: readying
> conn=342 sd=14 for close
> Sep 9 17:12:28 daniel slapd[17757]: connection_close: deferring
> conn=342 sd=14
> Sep 9 17:12:28 daniel slapd[17757]: do_unbind
> Sep 9 17:12:28 daniel slapd[17757]: connection_resched: attempting
> closing conn=342 sd=14
> Sep 9 17:12:28 daniel slapd[17757]: connection_close: conn=342 sd=14
>
> Anyone have any ideas? Thanks
> John
>
Received on Thu Sep 09 2004 - 17:59:38 MDT
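As an added example (not code from either poster), this Python script reads the slapd bind lines John quoted, pairs each do_bind with its BindResponse (tag=97) and names the LDAP result code: the quoted bind is version=2 and gets err=2 (protocolError), which is what an OpenLDAP 2.2 server returns for an LDAPv2 simple bind when `allow bind_v2` is not set, and matches Joseph's `-v 3` option making the helper bind with LDAPv3. The sample log is constructed inline from the thread and the diagnosis strings are this example's own reading of the codes.

```python
import re

# Constructed sample: the bind portion of the slapd log quoted in the thread
SAMPLE_LOG = """\
Sep 9 17:12:28 daniel slapd[17757]: do_bind: version=2 dn="uid=bob,ou=college,ou=staff,ou=people,o=eastern.edu" method=128
Sep 9 17:12:28 daniel slapd[17757]: send_ldap_result: conn=342 op=1 p=2
Sep 9 17:12:28 daniel slapd[17757]: send_ldap_response: msgid=2 tag=97 err=2
"""

# Subset of LDAP resultCode values (RFC 4511) that matter when a bind fails
RESULT_CODES = {
    0: "success", 2: "protocolError", 7: "authMethodNotSupported",
    8: "strongerAuthRequired", 32: "noSuchObject", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform",
}

BIND_RE = re.compile(r'do_bind: version=(\d+) dn="([^"]*)" method=(\d+)')
# tag=97 (0x61) is the BER tag of a BindResponse; other responses are ignored
RESP_RE = re.compile(r'send_ldap_response: msgid=\d+ tag=(\d+) err=(\d+)')


def diagnose(bind):
    """Map a bind's (version, err) to the most likely cause a defender should check."""
    err = bind["err"]
    if err == 0:
        return "bind accepted"
    if err == 2 and bind["version"] == 2:
        # OpenLDAP 2.x refuses LDAPv2 binds unless 'allow bind_v2' is set in slapd.conf
        return ("LDAPv2 bind refused (protocolError): bind with LDAPv3 "
                "(ldap_auth/squid_ldap_auth -v 3) or set 'allow bind_v2' in slapd.conf")
    if err == 49:
        return "wrong password, or userPassword not usable via 'by * auth' for this DN"
    return "bind failed: " + RESULT_CODES.get(err, "unknown code %d" % err)


def parse_bind_results(log_text):
    """Pair every do_bind line with the BindResponse that follows it."""
    results, pending = [], None
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:  # a new bind request; remember it until its response arrives
            pending = {"version": int(m.group(1)), "dn": m.group(2), "method": int(m.group(3))}
            continue
        m = RESP_RE.search(line)
        if m and pending is not None and int(m.group(1)) == 97:
            pending["err"] = int(m.group(2))
            pending["result"] = RESULT_CODES.get(pending["err"], "unknown")
            pending["diagnosis"] = diagnose(pending)
            results.append(pending)
            pending = None
    return results
```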

This archive was generated by hypermail pre-2.1.9 : Fri Oct 01 2004 - 12:00:02 MDT