[squid-users] Squid client (squid_ldap_auth) doesn't send certificate to LDAP server

From: nattapon viroonsri <nattaponv@dont-contact.us>
Date: Mon, 19 Sep 2005 05:50:41 +0000

OS: Red Hat Enterprise Linux 4 update 1
squid version: squid-STABLE9-7
patch for squid_ldap_auth :
squid-2.5.STABLE10-ldap_auth-U.patch

OpenLdap server: rhel4.example.com
Squid server: nattapon.example.com

### squid server (nattapon.example.com)
From the command 'ps faux' it shows that squid starts 'squid_ldap_auth' with
user squid privileges.

/etc/passwd
squid:x:23:23::/var/spool/squid:/bin/bash

/var/spool/squid/ldaprc
HOST rhel4.example.com
BASE o=mycompany
TLS_REQCERT demand
TLS_KEY /etc/openldap/certs/cluster1.key
TLS_CERT /etc/openldap/certs/cluster1.crt
TLS_CACERT /etc/openldap/certs/demoCA/cacert.pem

When I integrate squid_ldap_auth with squid by putting the following entry in
/etc/squid/squid.conf like this:
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -Z -b
"o=mycompany" -D "cn=manager,o=mycompany " -w "secret" -f "cn=%s"
rhel4.example.com
users cannot authenticate correctly.

But when I issue ldapsearch with STARTTLS, or run squid_ldap_auth from the
command line, both authenticate successfully:
su - squid
ldapsearch -x -ZZ -D cn=user1 -w password
echo "user1 password " | /usr/lib/squid/squid_ldap_auth -Z -v 3 -D
cn=manager,o=mycompany -w secret -b o=mycompany -f 'cn=%s'
rhel4.example.com

From rhel4.example.com (LDAP server), debug output shows that it cannot verify the
client cert when the user authenticates via web browser:
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate s3_srvr.c:1993

From the ldapsearch and squid_ldap_auth command lines, both can authenticate
correctly, but after I integrate squid_ldap_auth into squid it looks like
squid doesn't look into /var/spool/squid/ldaprc to send the client certificate.

So I modified "/etc/openldap/slapd.conf", changing "TLSVerifyClient demand" to
"TLSVerifyClient never"; then users can authenticate correctly with the LDAP
server.

So, is there any way to tell squid to send the client certificate to the LDAP
server?

Regards,

Nattapon
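
As an added diagnostic that is not part of the original post: per ldap.conf(5), libldap consults the system ldap.conf, then ldaprc and .ldaprc in $HOME and in the working directory, plus the files named by the LDAPCONF and LDAPRC environment variables, so a helper spawned by a daemon with a different HOME or working directory than `su - squid` may never see /var/spool/squid/ldaprc. These shell functions report which files would be read for a given environment and whether any of them sets TLS_CERT; the /etc/openldap/ldap.conf path is an assumption (Red Hat default) and all sample files are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the original post or the squid project).
# Lists the OpenLDAP client config files libldap would consult for a given
# HOME, working directory and LDAPRC/LDAPCONF values, then checks whether any
# of them configures a client certificate (TLS_CERT). Comparing the result for
# an interactive shell against the environment a daemon-spawned helper gets
# shows why the two may behave differently.

# Usage: ldap_client_configs HOME CWD [LDAPRC] [LDAPCONF] [SYSCONF]
# Prints each existing config file on its own line. SYSCONF defaults to the
# assumed Red Hat path /etc/openldap/ldap.conf.
ldap_client_configs() {
  home=$1; cwd=$2; rc=$3; conf=$4; sysconf=${5:-/etc/openldap/ldap.conf}
  # System-wide file, then per-user files, then the LDAPCONF file.
  for f in "$sysconf" "$home/ldaprc" "$home/.ldaprc" "$cwd/ldaprc" "$conf"; do
    if [ -n "$f" ] && [ -f "$f" ]; then printf '%s\n' "$f"; fi
  done
  # LDAPRC is a basename looked up in HOME (plain and dotted) and in CWD.
  if [ -n "$rc" ]; then
    for f in "$home/$rc" "$home/.$rc" "$cwd/$rc"; do
      if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
  fi
  return 0
}

# Usage: tls_cert_configured HOME CWD [LDAPRC] [LDAPCONF] [SYSCONF]
# Returns 0 if any consulted file sets TLS_CERT (a client cert would be
# offered during STARTTLS), 1 otherwise.
tls_cert_configured() {
  ldap_client_configs "$@" | while IFS= read -r f; do
    if grep -q '^[[:space:]]*TLS_CERT[[:space:]]' "$f"; then echo yes; fi
  done | grep -q yes
}

# Stand-alone usage: compare the interactive environment with a bare one.
if [ "${1:-}" = "--demo" ]; then
  echo "interactive (HOME=$HOME, cwd=$PWD):"
  ldap_client_configs "$HOME" "$PWD" "${LDAPRC:-}" "${LDAPCONF:-}"
  echo "helper-like (HOME unset, cwd=/):"
  ldap_client_configs "" "/" "" ""
fi
```

Run it as the same account the helper uses (e.g. `su - squid -c 'sh check.sh --demo'`) and compare with the HOME and working directory visible in the helper's /proc/PID/environ and /proc/PID/cwd.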

Received on Sun Sep 18 2005 - 23:50:44 MDT