EFW Support

Support => EFW SMTP, HTTP, SIP, FTP Proxy Support => Topic started by: mosocms on Thursday 29 October 2009, 07:11:19 am



Title: HTTP Proxy authentication with LDAP against Zimbra 6.02 on EFW 2.3
Post by: mosocms on Thursday 29 October 2009, 07:11:19 am
Hi everybody!   :D

I would like to use Endian 2.3 with my Zimbra 6.02 user base (LDAP).

I found a way to get authentication/policies to work if I manually edit, for example, /etc/squid/groups/rule0.  But the "trick" only works for user-based authentication...   :P

Code:
HTTP proxy: Authentication
==========================

Authentication Method: LDAP (v2, v3, Novell eDirectory, AD)

Authentication settings:
- Authentication Realm: Endian Proxy Server
- Number of Authentication Children: 20
- Authentication cache TTL (in minutes): 60
- Number of different ips per user: 0
- User / IP cache TTL (in minutes): 0

LDAP specific settings:
- LDAP server: zimbra.example.com
- Port of LDAP server: 389
- Bind DN settings: dc=example,dc=com
- LDAP type: LDAP v3 Server
- Bind DN username: uid=zmposix,cn=appaccts,cn=zimbra
- Bind DN password: ********  :)
- user objectClass: posixAccount
- group objectClass: posixGroup


In Access Policy I changed "filter for virus" policy "Authgroup/-user" from "not required" to "uid=john.doe,ou=people,dc=example,dc=com".

But when I try to access, after entering user/password in the browser window I always get denied.

I discovered that if I edit /etc/squid/group/rule0 and leave only "john.doe", authentication begins to work as expected.

I tested this with other usernames and it only works if I remove the LDAP stuff "uid=x,ou=x,dc=z..." and leave only the username (uid).

With groups this approach doesn't work.  Neither the full group name nor only the short name works.

Do you think I discovered a bug?

Any ideas of how to make this work?

It's essential for my deployment scenario that I get HTTP proxy authentication & policies (user/group) working with Zimbra LDAP.

Thanking in advance,
  MosoCMS


Title: Re: HTTP Proxy authentication with LDAP against Zimbra 6.02 on EFW 2.3 - patch
Post by: mosocms on Friday 30 October 2009, 11:49:06 pm
Hi!

  I found a solution to my problem.

  First, edit /etc/squid/squid.conf.tmpl (line 137) to:

Code:
external_acl_type ldap_group ttl=300 %LOGIN ${LIB_EXEC_DIR}/squid_ldap_group $ldapOptions -f "(&(objectClass=${LDAP_GROUP_OBJECT_CLASS})(memberUid=%u)(cn=%g))" -v 3 -P ${LDAP_SERVER}:${LDAP_PORT}

  Then, edit /usr/local/bin/get-users.py (line 76) to:

Code:
                groups.append(result_data[0][0].split(',')[0].replace('uid=',''))

  and edit /usr/local/bin/get-groups.py (line 76) to:

Code:
                groups.append(result_data[0][0].split(',')[0].replace('cn=',''))


Best regards,
  MosoCMS
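The two one-line edits above reduce the full DN returned by the LDAP search to its leading RDN value with `split(',')[0]` and `replace('uid=', '')`, so that the names written to the squid rule files match what `%LOGIN` and `squid_ldap_group` see. As an added example (not code from the thread or from Endian), the helpers below do the same reduction while tolerating escaped commas in the RDN and mixed-case attribute names, build the memberUid/cn filter from the squid.conf.tmpl line with the substituted values escaped, and evaluate that filter over constructed sample group entries:

```python
import re

def rdn_value(dn, attr):
    """Return the value of the first RDN of `dn` if its attribute type is `attr`.

    'uid=john.doe,ou=people,dc=example,dc=com' -> 'john.doe'
    Unlike dn.split(',')[0], a backslash-escaped comma inside the value is kept.
    """
    # Split on the first comma that is not preceded by a backslash.
    first = re.split(r'(?<!\\),', dn, maxsplit=1)[0]
    typ, sep, val = first.partition('=')
    if not sep or typ.strip().lower() != attr.lower():
        raise ValueError('first RDN of %r is not %s' % (dn, attr))
    # Undo RFC 4514 escaping of the special characters , + " \ < > ; =
    return re.sub(r'\\([,+"\\<>;=])', r'\1', val.strip())

# RFC 4515 escapes for values substituted into a search filter.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value):
    return ''.join(_FILTER_ESCAPES.get(c, c) for c in value)

def group_filter(user, group, group_class='posixGroup'):
    """Build the filter squid_ldap_group is invoked with (%u = user, %g = group).

    Escaping the substituted names keeps them from changing the filter structure.
    """
    return '(&(objectClass=%s)(memberUid=%s)(cn=%s))' % (
        group_class, escape_filter_value(user), escape_filter_value(group))

# Constructed sample group entries (not from the thread) to show what the filter
# tests: the group's cn must equal %g and its memberUid values must include %u.
SAMPLE_GROUPS = [
    {'dn': 'cn=proxy-users,ou=groups,dc=example,dc=com', 'objectClass': ['posixGroup'],
     'cn': ['proxy-users'], 'memberUid': ['john.doe', 'jane.roe']},
    {'dn': 'cn=admins,ou=groups,dc=example,dc=com', 'objectClass': ['posixGroup'],
     'cn': ['admins'], 'memberUid': ['jane.roe']},
]

def user_in_group(entries, user, group, group_class='posixGroup'):
    """Evaluate the same condition as group_filter() over in-memory entries."""
    return any(group_class in e['objectClass'] and group in e['cn']
               and user in e['memberUid'] for e in entries)
```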


Title: Re: HTTP Proxy authentication with LDAP against Zimbra 6.02 on EFW 2.3
Post by: kauihou on Thursday 26 November 2009, 07:59:53 am
I have been working on authenticating EFW to our OS X Open Directory LDAP Server and your post helped a great deal.  Though I found that I had to tweak the squid.conf.tmpl (line 137):

Code:
external_acl_type ldap_group ttl=300 %LOGIN ${LIB_EXEC_DIR}/squid_ldap_group $ldapOptions -f "(&(objectCla.ss=${LDAP_GROUP_OBJECT_CLA.SS})(memberUid=%u)(cn=%g))" -v 3 -P ${LDAP_SERVER}:${LDAP_PORT}

Instead of objectCl, I had to write it out as objectCla.ss (without the dot in between; I guess the forum self-edited your post.)

Thanks for your help. :)

Note:  please remove the dot between the a and the s in both places when using the above code.



Title: Re: HTTP Proxy authentication with LDAP against Zimbra 6.02 on EFW 2.3
Post by: mosocms on Thursday 26 November 2009, 09:14:48 pm
Hi kauihou!   :)

  I'm glad that my post helped you.

  Thanks for warning me about the automatic editing of the post by the forum software.  I had already noticed that in regular text but I hadn't seen the editing inside "code".   :P


Best regards,
  MosoCMS