HTTP Proxy authentication with LDAP against Zimbra 6.02 on EFW 2.3

[Guest]

[mosocms]

Hi everbody!   

I would like to use Endian 2.3 with my Zimbra 6.02 user base (LDAP).

I find a way of get authentication/policies to work if I manually edit, for example, /etc/squid/groups/rule0.  But the "trick" only work for user based authentication...   

Code:

HTTP proxy: Authentication
==========================

Authentication Method: LDAP (v2, v3, Novell eDirectory, AD)

Authentication settings:
- Authentication Realm: Endian Proxy Server
- Number of Authentication Children: 20
- Authentication cache TTL (in minutes): 60
- Number of different ips per user: 0
- User / IP cache TTL (in minutes): 0

LDAP specific settings:
- LDAP server: zimbra.example.com
- Port of LDAP server: 389
- Bind DN settings: dc=example,dc=com
- LDAP type: LDAP v3 Server
- Bind DN username: uid=zmposix,cn=appaccts,cn=zimbra
- Bind DN password: ********  :)
- user objectClass: posixAccount
- group objectClass: posixGroup

In Access Policy I changed "filter for virus" policy "Authgroup/-user" from "not required" to "uid=john.doe,ou=people,dc=example,dc=com".

But when I try to access, after enter user/password in browser window I always get denied.

I discovered that if I edit /etc/squid/group/rule0 and leave only "john.doe" authentication begins to work as expected.

I tested this with other usernames and only work if I remove the LDAP stuff "uid=x,ou=x,dc=z..." and leave only username (uid).

With groups this approach doesn´t work.  Either full group name or only short name doesn´t work.

Do you think I discovered a bug?

Any ideas of how to make this work?

It´s essential for my deploy scenario that I get HTTP proxy authentication & policies (user/group) working with Zimbra LDAP.

Thanking in advance,
  MosoCMS

[mosocms]

Hi!

  I found a solution to my problem.

  First, edit /etc/squid/squid.conf.tmpl (line 137) to:

Code:

external_acl_type ldap_group ttl=300 %LOGIN ${LIB_EXEC_DIR}/squid_ldap_group $ldapOptions -f "(&(objectClass=${LDAP_GROUP_OBJECT_CLASS})(memberUid=%u)(cn=%g))" -v 3 -P ${LDAP_SERVER}:${LDAP_PORT}

  Then, edit /usr/local/bin/get-users.py (line 76) to:

Code:

                groups.append(result_data[0][0].split(',')[0].replace('uid=',''))

  and edit /usr/local/bin/get-groups.py (line 76) to:

Code:

                groups.append(result_data[0][0].split(',')[0].replace('cn=',''))

Best regards,
  MosoCMS

[kauihou]

I have been working on authenticating EFW to our OS X Open Directory LDAP Server and your post helped a great deal.  Though I found that I had to tweak the squid.conf.tmpl (line 137):

Code:

external_acl_type ldap_group ttl=300 %LOGIN ${LIB_EXEC_DIR}/squid_ldap_group $ldapOptions -f "(&(objectCla.ss=${LDAP_GROUP_OBJECT_CLA.SS})(memberUid=%u)(cn=%g))" -v 3 -P ${LDAP_SERVER}:${LDAP_PORT}

Instead of objectCl, I had to write it out as objectCla.ss (without the dot inbetween, I guess the forum self-edited your post.) 

Thanks for you help.

Note:  please remove the dot between the a and the s in both places when using the above code.

[mosocms]

Hi kauihou!   

  I'm glad that my post helped you.

  Thanks for warn about the automatic edition of the post by the forum software.  I had already noticed that in regular text but I hadn't see the edition inside "code".   


Best regards,
  MosoCMS