
Re: ldap && squid authentication



On Monday, 14 March, Gavin McCullagh typed the following:

Hi!

[...]
> auth_param basic program 
> /usr/lib/squid/ldap_auth -Z -D cn=teachers -b ou=People,dc=skole,dc=skolelinux,dc=no  ldap

What should the '-D cn=teachers' be good for?
Without a password this isn't very helpful, if I'm right.
IIRC squid will use your user DN and the password to bind against LDAP.

[...]
> The painful bit which took me a while to figure out was the "-Z" in the
> ldap_auth line.  This tells ldap_auth to TLS-encrypt the LDAP
> connection.  If you don't do this you just get ERR or no response from
> ldap_auth, which is tremendously helpful.

The OK/ERR response is interpreted by squid, so real error messages
would not be that good. strace might have been helpful.

> The above of course is for squid on tjener to contact ldap on tjener.  The
> ldap on the program line could be changed to say 10.0.2.2 or tjener.intern
> for the firewall to see it.

No.
You have to use "ldap" as the hostname if you want to connect via SSL to
the LDAP server.
You may want to use -ZZ instead of -Z to enforce TLS, so the connection
will fail if SSL could not be used.

> I'm not an expert on this type of encryption
> but do I presume it is secure enough for this use?

It's OK.

Ciao
Max
-- 
|           |                 Follow the white penguin.
|  |\/|  |  |-----------------------------------------------------------.
|  |  |/\|  |  Rechnerbetrieb Mathematik  |   Meine Baustellen:  TSM    |
|           |  Universitaet Paderborn     |   Hostmaster, Linux, LDAP   | 
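The two points made in this reply (a bind DN is useless without a bind password, and the hostname given to the helper must be the one the LDAP server's TLS certificate is issued for) in the form of a squid.conf fragment. This is an added example, not configuration from the thread or from Skolelinux; the bind account cn=squid-bind, the secret file path and the attribute/scope choices are assumptions, while the helper path and base DN are the ones quoted above.

```conf
# squid.conf fragment (added example; cn=squid-bind, the secret file path
# and the uid attribute are assumptions). ldap_auth is Squid's basic LDAP
# auth helper: squid writes "user password" to it and reads back OK/ERR.

# Weak, as quoted in the thread: -D names a bind DN but no password is
# given (no -w/-W), so the helper cannot bind as cn=teachers to search
# for the user. Any failure is reported to squid only as ERR.
#auth_param basic program /usr/lib/squid/ldap_auth -Z -D cn=teachers -b ou=People,dc=skole,dc=skolelinux,dc=no ldap

# Corrected: bind with a dedicated read-only account (-D plus the password
# read from a root-only file via -W), search below the base DN for the
# entry whose uid matches the login name (-u uid -s sub), then bind as
# the entry found with the password squid received. -Z starts TLS; the
# last argument must be the name in the LDAP server's certificate, which
# in this setup is "ldap" (an IP address or another alias would fail the
# certificate check).
auth_param basic program /usr/lib/squid/ldap_auth -v 3 -Z -b ou=People,dc=skole,dc=skolelinux,dc=no -u uid -s sub -D cn=squid-bind,ou=People,dc=skole,dc=skolelinux,dc=no -W /etc/squid/ldap_bind_secret ldap
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Only authenticated users may use the proxy.
acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access deny all
```

To see what the helper is actually doing instead of a bare ERR, run it by hand as the squid user with the same arguments and type `someuser somepassword` on its stdin; it answers OK or ERR per line, and an strace of that run shows whether a TLS handshake to "ldap" took place at all.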