Re: [squid-users] Squid client(squid_ldap_auth) dont send certificate to ldap server

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 20 Sep 2005 18:12:55 +0200 (CEST)

Please keep discussion on the mailinglist.

On Tue, 20 Sep 2005, nattapon viroonsri wrote:

> > is there any warnings in cache.log?
> >
> Could not Activate TLS connection
> 2005/09/19 15:05:07| WARNING: basicauthenticator #1 (FD 6) exited

And you are absolutely sure it works when running squid_ldap_auth from the
command line?

The reason I ask is because the TLS support in squid_ldap_auth in
2.5.STABLE10 is known to be broken, always reporting this error.

   http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE10-LDAP_TLS

> From testing, I remove $HOME/ldaprc then run squid_ldap_auth from the
> command line; the LDAP server says that it cannot verify the client
> certificate. If I restore $HOME/ldaprc, squid_ldap_auth knows where to
> get the client certificate to send to the LDAP server, so it can
> authenticate successfully.
>
> It looks like squid_ldap_auth has no builtin LDAP client, so it uses the
> same config as the "ldapsearch" utility ($HOME/ldaprc)?

squid_ldap_auth uses the OpenLDAP C-API, in much the same manner as the
OpenLDAP tools (ldapsearch etc).

Ah.. here is a hint. You placed .ldaprc in $HOME. Quite likely the
environment variable $HOME is not what you expect when Squid is running as
a daemon. Try specifying the same in /etc/ldap.conf instead. Alternatively
you can try using the following small wrapper script around
squid_ldap_auth, making sure $HOME is set properly:

   #!/bin/sh
   # Force the $HOME the OpenLDAP library uses to locate $HOME/.ldaprc,
   # independent of whatever environment the Squid daemon was started with.
   HOME=/home/squid
   export HOME
   # Replace this shell with the real helper; stdin/stdout stay connected
   # to Squid, so the auth protocol is unaffected.
   exec /path/to/squid_ldap_auth "$@"

(change /home/squid to the home of your cache_effective_user)

Regards
Henrik
Received on Tue Sep 20 2005 - 10:12:57 MDT
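The $HOME mismatch Henrik describes can be reproduced without an LDAP server. The script below is an added example, not code from the thread or from the Squid project: it stands in a stub for squid_ldap_auth that only reports which per-user ldaprc the OpenLDAP client library would consult, launches it once with a scrubbed environment (env -i, a stand-in for how a daemon's child typically lacks the login shell's $HOME) and once through the wrapper from the post. /home/squid as the cache_effective_user's home, and the stub itself, are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Squid.
# Shows why squid_ldap_auth finds $HOME/ldaprc from a login shell but not
# when started by the daemon, and that the wrapper from the post fixes it.
# Assumptions: /home/squid is the cache_effective_user's home; the stub
# below replaces the real helper; env -i approximates the daemon's
# environment (no HOME set).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stub in place of squid_ldap_auth. The OpenLDAP library reads the
# system-wide ldap.conf, then $HOME/ldaprc or $HOME/.ldaprc, then ldaprc
# in the working directory; with HOME unset the per-user step is skipped,
# which is exactly the case where the client certificate goes missing.
cat > "$WORK/squid_ldap_auth" <<'EOF'
#!/bin/sh
if [ -z "${HOME:-}" ]; then
    echo "HOME unset: only the system-wide ldap.conf applies"
else
    echo "per-user config: $HOME/ldaprc or $HOME/.ldaprc"
fi
EOF
chmod +x "$WORK/squid_ldap_auth"

# The wrapper from the post, pointed at the stub instead of the real helper.
cat > "$WORK/wrapper" <<EOF
#!/bin/sh
HOME=/home/squid
export HOME
exec "$WORK/squid_ldap_auth" "\$@"
EOF
chmod +x "$WORK/wrapper"

# How the helper sees the world when the daemon starts it: no HOME.
helper_as_daemon() {
    env -i "$WORK/squid_ldap_auth"
}

# The same helper started through the wrapper, still with no inherited HOME.
helper_via_wrapper() {
    env -i "$WORK/wrapper"
}

# The interactive test the poster ran: HOME comes from the login shell.
helper_as_user() {
    env -i HOME="$HOME" "$WORK/squid_ldap_auth"
}

helper_as_daemon
helper_via_wrapper
```

To check what the real helper inherits rather than this approximation, look at the environment of the running Squid process (on Linux, /proc/<pid>/environ of the squid daemon, which the helpers inherit); if HOME is absent or points elsewhere, the per-user ldaprc is never read and the fix is either the wrapper above or moving the TLS client settings into the system-wide ldap.conf.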
