Topic: HTTP Proxy authentication with LDAP against Zimbra 6.02 on EFW 2.3
mosocms (Full Member)
« on: Thursday 29 October 2009, 07:11:19 am »

Hi everybody!

I would like to use Endian 2.3 with my Zimbra 6.02 user base (LDAP).

I found a way to get authentication/policies to work if I manually edit, for example, /etc/squid/groups/rule0. But the "trick" only works for user-based authentication...

Code:
HTTP proxy: Authentication
==========================

Authentication Method: LDAP (v2, v3, Novell eDirectory, AD)

Authentication settings:
- Authentication Realm: Endian Proxy Server
- Number of Authentication Children: 20
- Authentication cache TTL (in minutes): 60
- Number of different ips per user: 0
- User / IP cache TTL (in minutes): 0

LDAP specific settings:
- LDAP server: zimbra.example.com
- Port of LDAP server: 389
- Bind DN settings: dc=example,dc=com
- LDAP type: LDAP v3 Server
- Bind DN username: uid=zmposix,cn=appaccts,cn=zimbra
- Bind DN password: ********  :)
- user objectClass: posixAccount
- group objectClass: posixGroup


In Access Policy I changed "filter for virus" policy "Authgroup/-user" from "not required" to "uid=john.doe,ou=people,dc=example,dc=com".

But when I try to access, after entering user/password in the browser window, I always get denied.

I discovered that if I edit /etc/squid/group/rule0 and leave only "john.doe", authentication begins to work as expected.

I tested this with other usernames and it only works if I remove the LDAP stuff "uid=x,ou=x,dc=z..." and leave only the username (uid).

With groups this approach doesn't work. Neither the full group name nor only the short name works.

Do you think I discovered a bug?

Any ideas of how to make this work?

It's essential for my deployment scenario that I get HTTP proxy authentication & policies (user/group) working with Zimbra LDAP.

Thanking in advance,
  MosoCMS
mosocms (Full Member)
« Reply #1 on: Friday 30 October 2009, 11:49:06 pm »

Hi!

  I found a solution to my problem.

  First, edit /etc/squid/squid.conf.tmpl (line 137) to:

Code:
external_acl_type ldap_group ttl=300 %LOGIN ${LIB_EXEC_DIR}/squid_ldap_group $ldapOptions -f "(&(objectClass=${LDAP_GROUP_OBJECT_CLASS})(memberUid=%u)(cn=%g))" -v 3 -P ${LDAP_SERVER}:${LDAP_PORT}

  Then, edit /usr/local/bin/get-users.py (line 76) to:

Code:
                # keep only the value of the leading RDN: "uid=john.doe,ou=people,..." -> "john.doe"
                groups.append(result_data[0][0].split(',')[0].replace('uid=',''))

  and edit /usr/local/bin/get-groups.py (line 76) to:

Code:
                # keep only the value of the leading RDN: "cn=web-users,ou=groups,..." -> "web-users"
                groups.append(result_data[0][0].split(',')[0].replace('cn=',''))


Best regards,
  MosoCMS
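As an added example (not code from the thread or from Endian), the two things the fix above relies on, written as standalone functions: the DN-to-short-name extraction that the get-users.py / get-groups.py one-liners perform, here also tolerating an RFC 4514 escaped comma inside the value, and the group filter from the squid.conf.tmpl line with %u/%g substituted as RFC 4515 filter values. The function names and the sample DNs are my own constructions.

```python
import re

# Sample DNs in the shape Zimbra's LDAP returns them (constructed for this example).
SAMPLE_USER_DN = "uid=john.doe,ou=people,dc=example,dc=com"
SAMPLE_GROUP_DN = "cn=web-users,ou=groups,dc=example,dc=com"


def first_rdn_value(dn, attr):
    """Return the value of the leading RDN of `dn`, which must use attribute `attr`.

    Same outcome as split(',')[0].replace('uid=', '') in the forum edits, except
    that a comma escaped inside the value (cn=Doe\\, John) no longer truncates it.
    """
    # Split on the first comma that is not preceded by a backslash.
    rdn = re.split(r'(?<!\\),', dn, maxsplit=1)[0]
    name, sep, value = rdn.partition('=')
    if not sep or name.strip().lower() != attr.lower():
        raise ValueError("expected leading RDN %s= in %r" % (attr, dn))
    # Drop RFC 4514 escapes (\, \= ...) and return the bare name squid's rule files expect.
    return re.sub(r'\\(.)', r'\1', value.strip())


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '*()\\' or ch == '\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def group_filter(user, group, group_object_class="posixGroup"):
    """Build the -f filter from the squid.conf.tmpl line with %u and %g filled in."""
    return "(&(objectClass=%s)(memberUid=%s)(cn=%s))" % (
        group_object_class, escape_filter_value(user), escape_filter_value(group))


if __name__ == "__main__":
    user = first_rdn_value(SAMPLE_USER_DN, "uid")
    group = first_rdn_value(SAMPLE_GROUP_DN, "cn")
    print(user, group)
    print(group_filter(user, group))
```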
kauihou (Jr. Member)
« Reply #2 on: Thursday 26 November 2009, 07:59:53 am »

I have been working on authenticating EFW to our OS X Open Directory LDAP Server and your post helped a great deal. Though I found that I had to tweak the squid.conf.tmpl (line 137):

Code:
external_acl_type ldap_group ttl=300 %LOGIN ${LIB_EXEC_DIR}/squid_ldap_group $ldapOptions -f "(&(objectCla.ss=${LDAP_GROUP_OBJECT_CLA.SS})(memberUid=%u)(cn=%g))" -v 3 -P ${LDAP_SERVER}:${LDAP_PORT}

Instead of objectCl, I had to write it out as objectCla.ss (without the dot in between; I guess the forum self-edited your post.)

Thanks for your help.

Note:  please remove the dot between the a and the s in both places when using the above code.

mosocms (Full Member)
« Reply #3 on: Thursday 26 November 2009, 09:14:48 pm »

Hi kauihou!

  I'm glad that my post helped you.

  Thanks for warning about the automatic editing of the post by the forum software. I had already noticed that in regular text, but I hadn't seen the editing inside "code".


Best regards,
  MosoCMS