Problem when trying to authenticate squid with openldap server

[Bruno Lamps <lampss@gmail.com>]

Hi everybody,

I spent some days reading the ebook "Ldap for rocket scientists" (zytrax.com/books/ldap/) and I've succesfully (I think it's a success =3 ) created a VM with debian lenny and openldap running.�

After that, I created another VM, running IPfire (www.ipfire.org) distro, this will be the firewall of the SMB I'm working for. Now I'm trying to authenticate the squid proxy, installed in IPFire distro, integrating it with my openldap server. A screenshot of my IPFire's webGUI and phpldapadmin webGUI can be seen at this topic:�http://forum.ipfire.org/index.php?topic=3404.0

But the authentication isn't running, the browser using squid proxy keeps asking me for username and password. Suspecting that the webGUI could be making some mistake in squid config file, I started editing it's parameters manually. Right now, the ldap authentication line in my squid.conf looks like this:�

auth_param basic program /usr/lib/squid/squid_ldap_auth -D "cn=admin,dc=pisolar" -w "mypassword" -b "ou=usuarios,dc=pisolar" -h 192.168.1.7 -v 3

cn=admin,dc=pisolar = my root user.

ou=usuarios,dc=pisolar = the OU where my users are stored.�

I opened slapd in debug mode (slapd -d 255) in my openldap debian-powered VM, and this is the text shown when I try to authenticate in my browser:�

daemon: activity on 1 descriptor

daemon: activity on:

slap_listener_activate(8):�

daemon: epoll: listen=7 active_threads=0 tvp=zero

daemon: epoll: listen=8 busy

>>> slap_listener(ldap:///)

daemon: listen=8, new connection on 13

daemon: added 13r (active) listener=(nil)

daemon: activity on 2 descriptors

daemon: activity on: 13r

daemon: epoll: listen=7 active_threads=0 tvp=zero

daemon: epoll: listen=8 active_threads=0 tvp=zero

daemon: activity on 1 descriptor

daemon: activity on: 13r

daemon: read active on 13

daemon: epoll: listen=7 active_threads=0 tvp=zero

daemon: epoll: listen=8 active_threads=0 tvp=zero

connection_get(13)

connection_get(13): got connid=0

connection_read(13): checking for input on id=0

ber_get_next

ldap_read: want=8, got=8

��0000: �30 34 02 01 01 60 2f 02 � � � � � � � � � � � � � �04...`/. � � � � �

ldap_read: want=46, got=46

��0000: �01 03 04 20 75 69 64 3d �6c 61 6d 70 73 2c 6f 75 � ... uid=lamps,ou �

��0010: �3d 75 73 75 61 72 69 6f �73 2c 64 63 3d 70 69 73 � =usuarios,dc=pis �

��0020: �6f 6c 61 72 80 08 6c 34 �77 64 30 67 67 30 � � � � olar..userpassword � �

ber_get_next: tag 0x30 len 52 contents:

ber_dump: buf=0xa0598a0 ptr=0xa0598a0 end=0xa0598d4 len=52

��0000: �02 01 01 60 2f 02 01 03 �04 20 75 69 64 3d 6c 61 � ...`/.... uid=la �

��0010: �6d 70 73 2c 6f 75 3d 75 �73 75 61 72 69 6f 73 2c � mps,ou=usuarios, �

��0020: �64 63 3d 70 69 73 6f 6c �61 72 80 08 6c 34 77 64 � dc=pisolar..userpass �

��0030: �30 67 67 30 � � � � � � � � � � � � � � � � � � � �word � � � � � � �

ber_get_next

ldap_read: want=8 error=Resource temporarily unavailable

daemon: activity on 1 descriptor

daemon: activity on:

daemon: epoll: listen=7 active_threads=0 tvp=zero

daemon: epoll: listen=8 active_threads=0 tvp=zero

conn=0 op=0 do_bind

ber_scanf fmt ({imt) ber:

ber_dump: buf=0xa0598a0 ptr=0xa0598a3 end=0xa0598d4 len=49

��0000: �60 2f 02 01 03 04 20 75 �69 64 3d 6c 61 6d 70 73 � `/.... uid=lamps �

��0010: �2c 6f 75 3d 75 73 75 61 �72 69 6f 73 2c 64 63 3d � ,ou=usuarios,dc= �

��0020: �70 69 73 6f 6c 61 72 80 �08 6c 34 77 64 30 67 67 � pisolar..userpasswor �

��0030: �30 � � � � � � � � � � � � � � � � � � � � � � � � d � � � � � � � ��

ber_scanf fmt (m}) ber:

ber_dump: buf=0xa0598a0 ptr=0xa0598ca end=0xa0598d4 len=10

��0000: �00 08 6c 34 77 64 30 67 �67 30 � � � � � � � � � � ..userpassword � � � �

>>> dnPrettyNormal: <uid=lamps,ou=usuarios,dc=pisolar>

=> ldap_bv2dn(uid=lamps,ou=usuarios,dc=pisolar,0)

<= ldap_bv2dn(uid=lamps,ou=usuarios,dc=pisolar)=0�

=> ldap_dn2bv(272)

<= ldap_dn2bv(uid=lamps,ou=usuarios,dc=pisolar)=0�

=> ldap_dn2bv(272)

<= ldap_dn2bv(uid=lamps,ou=usuarios,dc=pisolar)=0�

<<< dnPrettyNormal: <uid=lamps,ou=usuarios,dc=pisolar>, <uid=lamps,ou=usuarios,dc=pisolar>

do_bind: version=3 dn="uid=lamps,ou=usuarios,dc=pisolar" method=128

==> bdb_bind: dn: uid=lamps,ou=usuarios,dc=pisolar

bdb_dn2entry("uid=lamps,ou=usuarios,dc=pisolar")

=> bdb_dn2id("dc=pisolar")

<= bdb_dn2id: got id=0x1

=> bdb_dn2id("ou=usuarios,dc=pisolar")

<= bdb_dn2id: got id=0xb

=> bdb_dn2id("uid=lamps,ou=usuarios,dc=pisolar")

<= bdb_dn2id: got id=0x10

entry_decode: "uid=lamps,ou=usuarios,dc=pisolar"

<= entry_decode(uid=lamps,ou=usuarios,dc=pisolar)

=> access_allowed: auth access to "uid=lamps,ou=usuarios,dc=pisolar" "userPassword" requested

=> acl_get: [1] attr userPassword

=> slap_access_allowed: result not in cache (userPassword)

=> acl_mask: access to entry "uid=lamps,ou=usuarios,dc=pisolar", attr "userPassword" requested

=> acl_mask: to value by "", (=0)�

<= check a_dn_pat: cn=admin,dc=pisolar

<= check a_dn_pat: anonymous

<= acl_mask: [2] applying none(=0) (stop)

<= acl_mask: [2] mask: none(=0)

=> slap_access_allowed: auth access denied by none(=0)

=> access_allowed: no more rules

send_ldap_result: conn=0 op=0 p=3

send_ldap_result: err=49 matched="" text=""

send_ldap_response: msgid=1 tag=97 err=49

ber_flush2: 14 bytes to sd 13

��0000: �30 0c 02 01 01 61 07 0a �01 31 04 00 04 00 � � � � 0....a...1.... � �

ldap_write: want=14, written=14

��0000: �30 0c 02 01 01 61 07 0a �01 31 04 00 04 00 � � � � 0....a...1.... � �

daemon: activity on 1 descriptor

daemon: activity on: 13r

daemon: read active on 13

daemon: epoll: listen=7 active_threads=0 tvp=zero

daemon: epoll: listen=8 active_threads=0 tvp=zero

connection_get(13)

connection_get(13): got connid=0

connection_read(13): checking for input on id=0

ber_get_next

ldap_read: want=8, got=7

��0000: �30 05 02 01 02 42 00 � � � � � � � � � � � � � � � 0....B. � � � � ��

ber_get_next: tag 0x30 len 5 contents:

ber_dump: buf=0xa0039c0 ptr=0xa0039c0 end=0xa0039c5 len=5

��0000: �02 01 02 42 00 � � � � � � � � � � � � � � � � � � ...B. � � � � � ��

ber_get_next

ldap_read: want=8, got=0

ber_get_next on fd 13 failed errno=0 (Success)

connection_read(13): input error=-2 id=0, closing.

connection_closing: readying conn=0 sd=13 for close

daemon: activity on 1 descriptor

daemon: activity on:

daemon: epoll: listen=7 active_threads=0 tvp=zero

daemon: epoll: listen=8 active_threads=0 tvp=zero

connection_close: deferring conn=0 sd=13

conn=0 op=1 do_unbind

connection_resched: attempting closing conn=0 sd=13

connection_close: conn=0 sd=13

daemon: removing 13

daemon: activity on 1 descriptor

daemon: activity on:

slap_listener_activate(8):�

daemon: epoll: listen=7 active_threads=0 tvp=zero

daemon: epoll: listen=8 busy

>>> slap_listener(ldap:///)

daemon: activity on 1 descriptor

daemon: activity on:

daemon: epoll: listen=7 active_threads=0 tvp=zero

daemon: epoll: listen=8 active_threads=0 tvp=zero

=================================

I tried to set a lot of different config syntaxes at squid.conf, but it always come to the same kind of problem at slapd debug: After reading the user CN and his password, slapd fails to read something else (ldap_read: want=8 error=Resource temporarily unavailable) and then it doesn't authenticates.�

What I'm doing wrong? Is there any problem with my openldap server? With squid? =(

I'd like to thank you all in advance for any support, and say sorry for my broken english. =D