Re: [squid-users] Problems with ldap user authentication on a Win2k3 server using squid_ldap_auth module

From: Leonardo Rodrigues <leonardovcr2@dont-contact.us>
Date: Sat, 22 Apr 2006 15:46:33 -0300

Big thanks for the quick reply Henrik :)

Today I tried again with some different options on the windows 2003
side, and found out that I *have* to put the hostname of the w2k3
server on the list of computers that the account is allowed to log in.
That solved the problem described on the earlier email.

BUT, that opens a security breach on my system :(
If the user is granted access to my w2k3 server, he has the rights to
log in, but gpo policies would still apply and save my day. I think I
can live with that, by enforcing even more restrictions on the users
account policies.

So, on the user's account list of allowed machines to log in, I'll
have to enter the hostname of the w2k3 server, AND the hostname of the
squid server. And of course, I'll have to put the hostnames of the
machine the user will be physically allowed to use :)

In brief, without the squid server hostname, the user couldn't access
the squid cache. And with it, but without the 2k3 hostname, the user
could access the cache, but if he typed the wrong password, the
account would be blocked. Now with both hostnames, the user logs fine,
and the account doesn't get blocked if he types a wrong password. The
user just needs to type it again right.

That's quite a strange behaviour, isn't it?

On 4/21/06, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> fre 2006-04-21 klockan 21:07 -0300 skrev Leonardo Rodrigues:
> > Hello list!
> >
> > I've been having some problems trying to authenticate users via the
> > squid_ldap_module. They authenticate fine, but if a user sends a wrong
> > password, and then tries again with the right password, the
> > authentication process fails. It is as if the ldap server "blocks" the
> > account if a user tries to log in with a wrong password.
>
> > What's wrong here? Is it a configuration problem with the 2k3 server,
> > or an extra argument that I have to pass on the squid.conf file when I
> > call the ldap module?
>
> There is nothing inherent to squid_ldap_auth or Squid which causes the
> symptoms above, so my bet is on Windows 2k3 policy somewhere..
>
> but it might be a good idea to try the -O option to squid_ldap_auth.
> (2.5.STABLE7 or later).
>
> Regards
> Henrik
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> iD8DBQBESYWOB5pTNio2V7IRAuxmAKCRkK59DN1u1PFvyczpZPu/jA0R3QCgrhrT
> 77Xab6AGKjviVWnEVrmAsCA=
> =stcG
> -----END PGP SIGNATURE-----
>
>
>
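The exchange above turns on the fact that a Squid basic-auth helper forwards every password the browser sends straight to the directory as a bind, so a user who mistypes a few times (or a browser that retries a stale cached password) can trip the domain's account-lockout threshold through the proxy. The following is an added example, not code from the thread, from Squid or from squid_ldap_auth: a minimal basic-auth helper in Python that speaks the classic "username password" / "OK"-"ERR" line protocol and stops forwarding binds for a user once a few consecutive failures have been seen, so the proxy cannot act as a lockout amplifier. The credential table `FAKE_DIRECTORY`, the `LockoutGuard` class, the `bind_as_user` stand-in for the LDAP bind, and the threshold values are all constructed assumptions; the real helper would bind to the Windows 2003 LDAP server instead.

```python
import sys
import time
from collections import defaultdict, deque

# Constructed credential store standing in for the LDAP simple bind that
# squid_ldap_auth would perform against the directory (assumption).
FAKE_DIRECTORY = {"alice": "correct horse", "bob": "s3cret"}

MAX_FAILURES = 3      # hypothetical: keep this below the domain lockout threshold
WINDOW_SECONDS = 600  # hypothetical: roughly the domain's lockout observation window


class LockoutGuard:
    """Tracks recent failed binds per user so the proxy stops forwarding
    guesses to the directory before the account would be locked out."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock              # injectable for testing
        self.failures = defaultdict(deque)

    def _prune(self, user, now):
        # Drop failure timestamps that have aged out of the window.
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_throttled(self, user):
        now = self.clock()
        self._prune(user, now)
        return len(self.failures[user]) >= self.max_failures

    def record_failure(self, user):
        self.failures[user].append(self.clock())

    def record_success(self, user):
        self.failures.pop(user, None)


def bind_as_user(user, password):
    """Stand-in for the LDAP bind; True when the credentials are valid."""
    return FAKE_DIRECTORY.get(user) == password


def parse_request(line):
    """Squid basic helper input: one 'username password' pair per line.
    (Newer Squid versions URL-escape the fields; not handled here.)"""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return None
    return parts[0], parts[1]


def handle(line, guard, bind=bind_as_user):
    """Process one helper request line and return the reply token."""
    req = parse_request(line)
    if req is None:
        return "ERR"
    user, password = req
    if guard.is_throttled(user):
        # Do not touch the directory: one more failed bind from the proxy
        # could push the account over the domain lockout threshold.
        return "ERR"
    if bind(user, password):
        guard.record_success(user)
        return "OK"
    guard.record_failure(user)
    return "ERR"


def main():
    guard = LockoutGuard()
    for line in sys.stdin:
        sys.stdout.write(handle(line, guard) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Squid would run this as the `program` of an `auth_param basic` line in place of squid_ldap_auth; the throttle state lives only in the helper process, so with several helper children each keeps its own count, which is why `MAX_FAILURES` should stay well below the directory's lockout threshold.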
Received on Sat Apr 22 2006 - 12:53:15 MDT

This archive was generated by hypermail pre-2.1.9 : Mon May 01 2006 - 12:00:02 MDT