[wellylug] Squid LDAP - authentication denied error... SOS
David Harrison
david.harrison at stress-free.co.nz
Tue Feb 5 17:29:32 NZDT 2008
Hi,
I have recently started having trouble getting Squid to authenticate
proxy users to LDAP.
The weird thing is this all seemed to work fine as of yesterday and I
am not sure what has changed.
I would really appreciate any pearls of wisdom as I am at a bit of a
dead end.
Squid 2.6 is running on Centos 5.1.
With Squid debugging enabled I see the following in my cache log:
/var/log/squid/cache.log:
2008/02/05 16:51:39| The request GET http://www.google.co.nz/ is DENIED, because it matched 'authenticated_users'
2008/02/05 16:51:39| The reply for GET http://www.google.co.nz/ is ALLOWED, because it matched 'authenticated_users'
Authentication of LDAP users would not appear to be a problem as when
I run the LDAP helper on the command line all seems to work:
Output from LDAP helper program:
/usr/lib/squid/squid_ldap_auth -b "users,o=example" -u cn ldap.server.com
exampleuser examplepassword
OK
Below is my squid config file which is based on a Red Hat KB entry (http://kbase.redhat.com/faq/FAQ_103_11902.shtm)
/etc/squid/squid.conf
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "users,o=example" -u cn ldap.server.com
auth_param basic children 5
auth_param basic realm Example Web Proxy
auth_param basic credentialsttl 1 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.1.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl authenticated_users proxy_auth REQUIRED localnet
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow authenticated_users
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
debug_options ALL,1
# For debugging ACLs
# debug_options ALL,1 33,2 28,9
----------------------------------------------
Below is the relevant section of the system's process list showing
that the helpers and squid appear to be loaded okay.
ps -ax
squid -D
2726 ? S 0:00 (squid) -D
2728 ? Ss 0:00 (squid_ldap_auth) -b ou=users,o=example -u cn ldap.server.com
2729 ? Ss 0:00 (squid_ldap_auth) -b ou=users,o=example -u cn ldap.server.com
2730 ? Ss 0:00 (squid_ldap_auth) -b users,o=example -u cn ldap.server.com
2731 ? Ss 0:00 (squid_ldap_auth) -b users,o=example -u cn ldap.server.com
2732 ? Ss 0:00 (squid_ldap_auth) -b users,o=example -u cn ldap.server.com
Again any help would be appreciated.
Regards,
David Harrison
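
An added example, not part of the original post: a small Python harness that drives a basic auth helper the way Squid does (one percent-encoded `user password` line per lookup on stdin, one `OK`/`ERR` reply per line), so the command-line test in the message can be repeated for several accounts at once. `STUB_HELPER` and `check_credentials` are hypothetical names, the stub account is constructed, and `urllib.parse.quote` only approximates Squid's own escaping.

```python
import subprocess
import sys
from urllib.parse import quote

# Constructed stand-in helper so the example runs offline. It accepts one
# made-up account and answers OK or ERR per input line, as a basic auth
# helper does. It is not squid_ldap_auth.
STUB_HELPER = [sys.executable, "-u", "-c", r'''
import sys
from urllib.parse import unquote
for line in sys.stdin:
    parts = line.rstrip("\n").split(" ", 1)
    cred = tuple(unquote(p) for p in parts)
    print("OK" if cred == ("exampleuser", "example password") else "ERR", flush=True)
''']

# On the proxy host the argv would instead be the helper line from squid.conf:
# ["/usr/lib/squid/squid_ldap_auth", "-b", "users,o=example", "-u", "cn", "ldap.server.com"]


def check_credentials(helper_argv, credentials, timeout=10):
    """Send each (user, password) pair as one percent-encoded 'user password'
    line on stdin and return [(user, 'OK' or 'ERR'), ...] from the replies.
    Credentials travel over stdin, so they never appear in the process list."""
    request = "".join(
        f"{quote(user, safe='')} {quote(password, safe='')}\n"
        for user, password in credentials
    )
    proc = subprocess.run(helper_argv, input=request, capture_output=True,
                          text=True, timeout=timeout)
    replies = proc.stdout.splitlines()
    if len(replies) != len(credentials):
        # A helper that died or could not reach the directory answers short.
        raise RuntimeError(
            f"{len(replies)} replies for {len(credentials)} requests: "
            f"{proc.stderr.strip()}")
    # Some helpers append a reason after ERR; keep only the verdict token.
    return [(user, reply.split(" ", 1)[0])
            for (user, _), reply in zip(credentials, replies)]


if __name__ == "__main__":
    sample = [("exampleuser", "example password"),  # constructed test data
              ("exampleuser", "wrong"),
              ("nobody", "x")]
    for user, verdict in check_credentials(STUB_HELPER, sample):
        print(f"{user}: {verdict}")
```
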