Topic: HTTP Proxy authentication with LDAP against Zimbra 6.02 on EFW 2.3
« on: Thursday 29 October 2009, 07:11:19 am »

Hi everybody!

I would like to use Endian 2.3 with my Zimbra 6.02 user base (LDAP).

I found a way to get authentication/policies to work if I manually edit, for example, /etc/squid/groups/rule0.  But the "trick" only works for user-based authentication...

HTTP proxy: Authentication

Authentication Method: LDAP (v2, v3, Novell eDirectory, AD)

Authentication settings:
- Authentication Realm: Endian Proxy Server
- Number of Authentication Children: 20
- Authentication cache TTL (in minutes): 60
- Number of different ips per user: 0
- User / IP cache TTL (in minutes): 0

LDAP specific settings:
- LDAP server: zimbra.example.com
- Port of LDAP server: 389
- Bind DN settings: dc=example,dc=com
- LDAP type: LDAP v3 Server
- Bind DN username: uid=zmposix,cn=appaccts,cn=zimbra
- Bind DN password: ********  :)
- user objectClass: posixAccount
- group objectClass: posixGroup

In Access Policy I changed "filter for virus" policy "Authgroup/-user" from "not required" to "uid=john.doe,ou=people,dc=example,dc=com".

But when I try to access, after entering user/password in the browser window, I always get denied.

I discovered that if I edit /etc/squid/group/rule0 and leave only "john.doe", authentication begins to work as expected.

I tested this with other usernames and it only works if I remove the LDAP stuff "uid=x,ou=x,dc=z..." and leave only the username (uid).

With groups this approach doesn't work.  Neither the full group name nor only the short name works.

Do you think I discovered a bug?

Any ideas of how to make this work?

It's essential for my deployment scenario that I get HTTP proxy authentication & policies (user/group) working with Zimbra LDAP.

Thanks in advance,

« Reply #1 on: Friday 30 October 2009, 11:49:06 pm »


  I found a solution to my problem.

  First, edit /etc/squid/squid.conf.tmpl (line 137) to:

external_acl_type ldap_group ttl=300 %LOGIN ${LIB_EXEC_DIR}/squid_ldap_group $ldapOptions -f "(&(objectClass=${LDAP_GROUP_OBJECT_CLASS})(memberUid=%u)(cn=%g))" -v 3 -P ${LDAP_SERVER}:${LDAP_PORT}

  Then, edit /usr/local/bin/get-users.py (line 76) to:


  and edit /usr/local/bin/get-groups.py (line 76) to:


Best regards,

« Reply #2 on: Thursday 26 November 2009, 07:59:53 am »

I have been working on authenticating EFW to our OS X Open Directory LDAP Server and your post helped a great deal.  Though I found that I had to tweak the squid.conf.tmpl (line 137):

external_acl_type ldap_group ttl=300 %LOGIN ${LIB_EXEC_DIR}/squid_ldap_group $ldapOptions -f "(&(objectCla.ss=${LDAP_GROUP_OBJECT_CLA.SS})(memberUid=%u)(cn=%g))" -v 3 -P ${LDAP_SERVER}:${LDAP_PORT}

Instead of objectCl, I had to write it out as objectCla.ss (without the dot in between; I guess the forum self-edited your post).

Thanks for your help.

Note:  please remove the dot between the a and the s in both places when using the above code.


« Reply #3 on: Thursday 26 November 2009, 09:14:48 pm »

Hi kauihou!

  I'm glad that my post helped you.

  Thanks for the warning about the automatic editing of the post by the forum software.  I had already noticed that in regular text but I hadn't seen the editing inside "code".

Best regards,
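
Added example, not part of the thread and not Endian's own code: a Python illustration of why the DN-style policy entry from the first post cannot match while the bare uid can, using the group filter from Reply #1. It assumes the rule file holds one entry per line and that posixGroup membership is stored as bare login names in memberUid (RFC 2307); the function names, the group "staff" and the user "jane.roe" are constructed for illustration.

```python
import re

# Group filter from Reply #1, with the first post's "group objectClass:
# posixGroup" setting already substituted for the template variable.
GROUP_FILTER = "(&(objectClass=posixGroup)(memberUid=%u)(cn=%g))"

# Characters that must be escaped inside a filter value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_group_filter(user, group, template=GROUP_FILTER):
    """Fill %u and %g in one pass so one value cannot inject the other marker."""
    values = {"%u": escape_filter_value(user), "%g": escape_filter_value(group)}
    return re.sub(r"%[ug]", lambda m: values[m.group(0)], template)


def login_name(entry):
    """Reduce 'uid=john.doe,ou=people,...' to 'john.doe'; keep short names."""
    entry = entry.strip()
    first_rdn = re.split(r"(?<!\\),", entry, maxsplit=1)[0]  # unescaped comma
    attr, sep, value = first_rdn.partition("=")
    if sep and attr.strip().lower() in ("uid", "cn"):
        return value.strip()
    return entry


def normalize_rule(text):
    """Return the rule entries as short names, in order, without duplicates."""
    names = []
    for line in text.splitlines():
        if line.strip() and login_name(line) not in names:
            names.append(login_name(line))
    return names


# Constructed sample rule file: one entry per line (assumed format).
SAMPLE_RULE = """uid=john.doe,ou=people,dc=example,dc=com
jane.roe
uid=john.doe,ou=people,dc=example,dc=com
"""

if __name__ == "__main__":
    dn = "uid=john.doe,ou=people,dc=example,dc=com"
    print(expand_group_filter(dn, "staff"))              # DN never equals a memberUid
    print(expand_group_filter(login_name(dn), "staff"))  # bare uid can match
    print(normalize_rule(SAMPLE_RULE))
```

Escaping the values before they enter the filter also keeps an entry such as a lone `*` from matching every group member.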