On Wed, 24 Nov 2010 08:59:05 -0300, Bruno Lamps lampss@gmail.com wrote:
Hi everybody,
I spent some days reading the ebook "Ldap for rocket scientists" (zytrax.com/books/ldap/) and I've successfully (I think it's a success =3 ) created a VM with debian lenny and openldap running.
After that, I created another VM, running IPfire (www.ipfire.org) distro, this will be the firewall of the SMB I'm working for. Now I'm trying to authenticate the squid proxy, installed in IPFire distro, integrating it with my openldap server. A screenshot of my IPFire's webGUI and phpldapadmin webGUI can be seen at this topic: http://forum.ipfire.org/index.php?topic=3404.0
But the authentication isn't running, the browser using squid proxy keeps asking me for username and password. Suspecting that the webGUI could be making some mistake in squid config file, I started editing its parameters manually. Right now, the ldap authentication line in my squid.conf looks like this:
auth_param basic program /usr/lib/squid/squid_ldap_auth -D "cn=admin,dc=pisolar" -w "mypassword" -b "ou=usuarios,dc=pisolar" -h 192.168.1.7 -v 3
cn=admin,dc=pisolar = my root user.
ou=usuarios,dc=pisolar = the OU where my users are stored.
I opened slapd in debug mode (slapd -d 255) in my openldap debian-powered VM, and this is the text shown when I try to authenticate in my browser:
[...]
=> bdb_dn2id("ou=usuarios,dc=pisolar")
<= bdb_dn2id: got id=0xb
=> bdb_dn2id("uid=lamps,ou=usuarios,dc=pisolar")
<= bdb_dn2id: got id=0x10
entry_decode: "uid=lamps,ou=usuarios,dc=pisolar"
<= entry_decode(uid=lamps,ou=usuarios,dc=pisolar)
=> access_allowed: auth access to "uid=lamps,ou=usuarios,dc=pisolar" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry "uid=lamps,ou=usuarios,dc=pisolar", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=pisolar
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying none(=0) (stop)
<= acl_mask: [2] mask: none(=0)
=> slap_access_allowed: auth access denied by none(=0)
[...]
Check your access rules, as access to attribute userPassword is denied, read the few lines above.
I tried to set a lot of different config syntaxes at squid.conf, but it always comes to the same kind of problem at slapd debug: After reading the user CN and his password, slapd fails to read something else (ldap_read: want=8 error=Resource temporarily unavailable) and then it doesn't authenticate.
What am I doing wrong? Is there any problem with my openldap server? With squid? =(
I think both are misconfigured. The module squid_ldap_auth requires a parameter -u, in order to define the attribute type, which can be either uid or cn.
-Dieter
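As an added illustration, not part of the thread above: a small Python model of how slapd evaluates an ACL for the "auth access to userPassword" check that the trace shows failing. The key point it demonstrates is that a simple bind is checked *before* the identity is established, so the requester is anonymous (the trace's `by ""`), and `by self` or `by dn="cn=admin,..."` clauses never match at that moment; only a clause such as `by anonymous auth` (or `by * auth`) can grant the `auth` level. The two ACL texts, the user DN, and all function names are constructed assumptions; the evaluator covers only `access to attrs=<attr>` directives with a handful of `by` subjects, not slapd's full syntax.

```python
"""Model of OpenLDAP first-match ACL evaluation for one attribute access.

Simplified for illustration: handles 'access to attrs=X' (or 'to *') with
'by self | anonymous | users | * | dn.exact="..."' subjects.  Real slapd
supports many more target and subject forms, but the matching rule shown
here (first matching 'by' clause wins, implicit 'by * none' at the end)
is the real one.
"""
import re

# Access levels, weakest to strongest; a grant at one level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def split_directives(text):
    """slapd.conf convention: a line starting with whitespace continues the previous one."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and directives:
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    return directives


def parse_acl(text):
    """Return [(attr_or_star, [(who, level), ...]), ...] in directive order."""
    rules = []
    for directive in split_directives(text):
        m = re.match(r'access\s+to\s+(?:attrs=(\S+)|\*)\s+(.*)$', directive)
        if not m:
            raise ValueError("unsupported directive: " + directive)
        attr = m.group(1) or "*"
        clauses = re.findall(r'by\s+(\S+)\s+(\w+)', m.group(2))
        rules.append((attr, clauses))
    return rules


def who_matches(who, bind_dn, target_dn):
    """Does the 'by' subject match the requesting identity? bind_dn == "" means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    m = re.match(r'dn(?:\.exact)?="([^"]*)"$', who)
    if m:
        return bind_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported subject: " + who)


def access_allowed(acl_text, bind_dn, target_dn, attr, wanted):
    """True if the first applicable 'access to' directive grants at least `wanted`.

    Mirrors the trace: slapd walks the 'by' clauses of the matching directive in
    order and stops at the first subject that matches ("applying ... (stop)").
    If none matches, the implicit 'by * none' applies.
    """
    for acl_attr, clauses in parse_acl(acl_text):
        if acl_attr not in ("*", attr):
            continue
        granted = "none"
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                granted = level
                break
        return LEVELS.index(granted) >= LEVELS.index(wanted)
    return False  # no directive covers this attribute: denied


def simple_bind_permitted(acl_text, user_dn):
    """A simple bind needs 'auth' on userPassword, evaluated as the anonymous identity."""
    return access_allowed(acl_text, "", user_dn, "userPassword", "auth")


# Constructed ACL that yields the trace's outcome: nothing grants 'auth' to the
# anonymous requester, so the bind's password check is denied by 'by * none'.
ACL_BROKEN = '''
access to attrs=userPassword
    by dn.exact="cn=admin,dc=pisolar" write
    by self write
    by * none
'''

# Corrected: 'by anonymous auth' lets slapd verify the supplied password during
# a bind without ever returning it; 'by * none' still blocks reading it.
ACL_FIXED = '''
access to attrs=userPassword
    by dn.exact="cn=admin,dc=pisolar" write
    by self write
    by anonymous auth
    by * none
'''

USER_DN = "uid=lamps,ou=usuarios,dc=pisolar"  # constructed, from the thread's example

if __name__ == "__main__":
    print("bind with broken ACL:", simple_bind_permitted(ACL_BROKEN, USER_DN))  # False
    print("bind with fixed ACL: ", simple_bind_permitted(ACL_FIXED, USER_DN))   # True
    print("anonymous read of userPassword (fixed ACL):",
          access_allowed(ACL_FIXED, "", USER_DN, "userPassword", "read"))       # False
```

The `auth` level is the one to look for when a bind fails with a trace like the one above: it is enough for slapd to compare a supplied password and deliberately too little for anyone to read the hashes, so adding `by anonymous auth` does not loosen the ACL beyond what a bind needs.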