Re: Problem when trying to authenticate squid with openldap server

To: Dieter Kluenter <dieter@dkluenter.de>

Subject: Re: Problem when trying to authenticate squid with openldap server

From: Bruno Lamps <lampss@gmail.com>

Date: Fri, 26 Nov 2010 14:12:33 -0300

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=H/bLu5BlUN7cxgn2oI4Atr4aO9CKYxSFIqas0ThNuNo=; b=HV4thhc4IxXgmVfb4L0kLiAqgTOIePTLESAHjqtgrQRShRH8lZAhENPpygDfemU8v9 o/6SGr8qnjdQyaqG1sS56FADs2vUkOHqaPBVycRr92W7pjv0sxvZRz9gre/tHYNKLIIn d4CBr76Lfpw2c6CaPUl318+xe8e2OdOQs64jk=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=w/AcbmFINFyBGg03IO1BScR8IgAdTeO7dKKO8SI7V4K0oK/ge/0j4jnd2OZfvH0crG 3VmSvj+aC6Y5VUxFaE5uowZbUnUo9YT5JyKMzkgNy0f0gJ493ZeKoiekoT2Jf3odiE+L dqLSlN1GwpbacwMFY/sZpucdSPe8xBltw7NTg=

In-reply-to: <878w0g19a6.fsf@rubin.avci.de>

References: <AANLkTimC5H-1ORBVwPoc5cRtOfg3W_n_L+bwjY+ebr_L@mail.gmail.com> <201011261127.33588.bgmilne@staff.telkomsa.net> <AANLkTi=-SeG1-M2Zf-TYjeOg__UKW8qOjt9275WbWkPC@mail.gmail.com> <878w0g19a6.fsf@rubin.avci.de>


access to attr=userpassword
    by self =xw
    by anonymous auth

  access to *
    by self write
    by users read

Now I can go back to squid and DansGuardian tunning. =D

Thanks Dieter and Buchan. ;D

On Fri, Nov 26, 2010 at 10:53 AM, Dieter Kluenter <dieter@dkluenter.de> wrote:

Bruno Lamps <lampss@gmail.com> writes:

> Hi,
>
> Thanks Dieter Kluenter and Buchan Milne for answering to this, and everyone else that is reading this topic. =D
>
> � � It seems your ACLs are not sufficient for *any* simple binds to this DN.
>
> � � Please test the following on your LDAP server:
>
> � � $ ldapwhoami -x -D uid=lamps,ou=usuarios,dc=pisolar -W
>
> � � Until this command works, please don't bother with anything related to squid.
>
> Right, this command isn't working for any user, except cn=admin,dc=pisolar. I'm struggling with /etc/ldap/slapd.conf, to
> solve this. I probably tried to make the ACLs a bit too tight, and now they're choking me. =p
>
> � � Did you ever test simple binds to your LDAP server as these users except from
>
> � � squid? It doesn't seem like it ...
>
> I use this ldap base to authenticate my GLPI () system. But I think GLPI just grab all my base, using the ldap admin
> password, and transports it to it's mysql database. =/
>
> I'm currently testing different ACLs in /etc/ldap/slapd.conf. Right now, these are the rules:
>
> access to *
> by dn="cn=admin,dc=pisolar" write
> #by anonymous none
> #by self none
> by * read
>
> access to attrs=userPassword,shadowLastChange
> by dn="cn=admin,dc=pisolar" write
> by anonymous auth
> by self write
> by * none
>
> access to dn.base="" by * read
>
> What kind of mistake am I doing there? =S

man slapd.access(5)
http://www.openldap.org/doc/admin24/access-control.html
http://www.openldap.org/faq/data/cache/189.html

-Dieter

--
Dieter Kl�| Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53�37'09,95"N
10�08'02,42"E