Re: ldap client on solaris to an ad

Rick Francis wrote:
> 
> any idea what ldap configurations need to happen to get squid to refer back
> to the active directory ldap server for authentication?

I don't know of anything general.  What I do as authenticator program is
something like:

#!/usr/bin/perl
# Squid external authenticator: reads "user password" lines on stdin and
# answers OK or ERR for each one.  The user is looked up in LDAP, must carry
# the value 'web' in the 'stlprofile' attribute, and must bind successfully
# with the supplied password.

use strict;
use warnings;

use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Sys::Syslog;

my $server = 'localhost';
my $base = 'dc=stl,dc=es';

Sys::Syslog::setlogsock 'unix';
openlog 'squid_auth', "cons,pid", 'daemon';

sub report_error {
        my $msg = shift;
        # print STDERR $msg, "\n";
        syslog 'notice', $msg;
}

# First connection: anonymous bind, used only to search for the user.
my $ld = Net::LDAP->new($server, version => 3) or die "$@";
my $result = $ld->bind;

if ( $result->code ) {
        report_error("Bind error: " . $result->error);
        exit(1);
}

# Second connection: re-bound as each user to check the password, so the
# search connection keeps its own bind state.
my $ld2 = Net::LDAP->new($server, version => 3) or die "$@";

$| = 1;    # squid waits for each answer line; do not buffer stdout

while (<>) {
        chomp;
        my($user,$pass) = split(/\s+/);

        # Reject an empty password here: an LDAP simple bind with a DN and
        # an empty password is treated as anonymous by most servers and
        # succeeds, which would let anyone through as any known user.
        if ( !defined $user || !defined $pass || $pass eq '' ) {
                report_error("Missing user or password");
                print "ERR\n";
                next;
        }

        # Escape the username before building the filter so characters
        # such as '*', '(' or ')' cannot change its meaning.
        my $filter = "(uid=" . escape_filter_value($user) . ")";
        my $mesg = $ld->search(base => $base,
                        filter => $filter,
                        attrs => ['stlprofile']);
        if ($mesg->code) {
                report_error("Error in search: " . $mesg->error);
                exit (1);
        }
        my $count = $mesg->count;
        if ( $count == 0 ) {
                report_error("No such user $user");
                print "ERR\n";
                next;
        }
        if ( $count > 1 ) {
                report_error("Ambiguous user $user");
                print "ERR\n";
                next;
        }
        my $ent = $mesg->shift_entry;
        my $dn = $ent->dn;
        # get_value returns all values of a multi-valued attribute in list context
        my @profiles = $ent->get_value('stlprofile');
        if ( ! grep(/^web$/, @profiles) ) {
                report_error("Unauthorized user $user");
                print "ERR\n";
                next;
        }
        # Bind as the user's own DN to verify the password.
        $mesg = $ld2->bind($dn, password=>$pass);
        if ($mesg->code) {
                report_error("Invalid credentials for $user");
                print "ERR\n";
                next;
        }
        print "OK\n";
}

$ld2->unbind;
$ld->unbind;
closelog;

The idea here is that users that authenticate and have the value 'web'
in the attribute 'stlprofile' are let through.  It should be more
robust, like reconnecting if needed and such, but I only use it to
permit emergency access to users when their IP addresses change and
such if I am not around.

Julio