[squid-users] passwordattr option in squid_ldap_auth

From: Ross Davis <rdavis@dont-contact.us>
Date: Thu, 03 Aug 2006 14:26:35 -0400

I am having a problem with the -U passwordattr option in squid_ldap_auth
("Squid LDAP authentication helper"). Here is what I am trying to do:

1) Bind to LDAP server with a hard-coded user/pass (i.e., using -D
binddn -w password)
2) Look up a given user's record using a filter (i.e., -f filter)
3) Authenticate the user with a password attribute specified by me
(i.e., -U passwordattr)

Looking at /var/log/messages, LDAP tells me that:

a) binding as the hard-coded user is successful
b) searching for the given user's record is successful
c) performing the compare on the passwordattr of the given user is
successful
d) then squid_ldap_auth tries to bind as the given user.
e) binding as the given user fails and squid_ldap_auth returns ERR

I do not understand why squid_ldap_auth is trying to bind as the given
user. After step (c), shouldn't the process be complete? The compare is
successful so shouldn't I get an OK?

Thanks,
Ross

PS - here is my command line where 'testuser' is the hard-coded user,
and the passwordattr is 'OXGroupID'

squid_ldap_auth \
         -b "ou=Users,ou=OxObjects,dc=example,dc=com" \
         -f "(&(objectClass=*)(uid=%s))" \
         -d \
         -v 3 \
         -U OXGroupID \
         -D "uid=testuser,ou=Users,ou=OxObjects,dc=example,dc=com" \
         -w testpass \
         localhost
Received on Thu Aug 03 2006 - 12:26:53 MDT
