Bug 37752 - Squid only uses ldap/server/name for auth
Product: UCS
Classification: Unclassified
Component: Squid
UCS 4.0
Other Linux
P5 normal
UCS 4.0-1-errata
Assigned To: Philipp Hahn
Janek Walkenhorst
Duplicates: 32294
Reported: 2015-02-10 15:10 CET by Tim Petersen
Modified: 2015-05-18 08:38 CEST
Description Tim Petersen univentionstaff 2015-02-10 15:10:23 CET
2015020621000525: ldap/server/addition should be used somehow - in the current behaviour, proxy auth is not possible if the master is not reachable.
Comment 1 Philipp Hahn univentionstaff 2015-03-13 17:57:07 CET
r58968 | Bug #37752 Squid: Copyright 2015
r58967 | Bug #37752 Squid: Support ldap/server/addition
 squid3-3.1.20/helpers/basic_auth/LDAP/squid_ldap_auth.c:open_ldap_connection() uses ldap_initialize() if the arguments contain "://", which allows a comma or space separated list of LDAP servers to be specified.

Package: univention-squid
Version: 8.0.2-2.224.201503131731
Branch: ucs_4.0-0
Scope: errata4.0-1

r58969 | Bug #37752 Squid: Support ldap/server/addition YAML

ucr set squid/basicauth=yes ldap/server/addition="$(ucr get ldap/master) localhost"
univention-install univention-squid strace
strace -e connect \
/usr/lib/squid3/squid_ldap_auth \
-b "$(ucr get ldap/base)" \
-D "$(ucr get ldap/hostdn)" \
-W /etc/squid3.secret \
-s sub \
-f '(&(objectClass=organizationalPerson)(uid=%s))' \
-d \
"ldap://$(ucr get ldap/server/name):9" "ldap://$(ucr get ldap/server/name):$(ucr get ldap/server/port)" <<<'Administrator univention'

http_proxy=http://Administrator:univention@localhost:3128 \
wget -d -O/dev/null http://www.univention.de/
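
Added example, not part of the bug comments or the univention-squid package: a shell function that assembles the space-separated ldap:// URI list described in comment 1 from the values of ldap/server/name, ldap/server/port and ldap/server/addition. The function names, the hostname check and the sample hosts are assumptions; how the package itself builds the list is not shown on this page.

```shell
#!/bin/sh
# Values are passed as arguments so the function runs without ucr, e.g.:
#   ldap_uri_list "$(ucr get ldap/server/name)" "$(ucr get ldap/server/port)" \
#                 $(ucr get ldap/server/addition)

# is_hostname NAME: accept only characters valid in a DNS name or IPv4
# literal, so a variable's value cannot smuggle extra options or arguments
# into the helper's command line (assumed hardening, not from the page).
is_hostname() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# ldap_uri_list PRIMARY PORT [ADDITIONAL...]
# Prints ldap:// URIs separated by spaces, primary server first,
# duplicates dropped so a server is not tried twice during failover.
ldap_uri_list() {
    primary=$1
    port=$2
    shift 2
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    seen=" "
    out=""
    for host in "$primary" "$@"; do
        is_hostname "$host" || { echo "invalid host: $host" >&2; return 1; }
        case "$seen" in
            *" $host "*) continue ;;
        esac
        seen="$seen$host "
        out="${out:+$out }ldap://$host:$port"
    done
    printf '%s\n' "$out"
}
```

The resulting string can be passed to squid_ldap_auth as its server argument, where the "://" makes it take the ldap_initialize() path mentioned in comment 1.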
Comment 2 Janek Walkenhorst univentionstaff 2015-03-24 12:26:11 CET
Tests: OK
Code review: OK
Advisory: OK
Comment 3 Janek Walkenhorst univentionstaff 2015-03-25 16:42:24 CET
Comment 4 Philipp Hahn univentionstaff 2015-05-18 08:38:15 CEST
*** Bug 32294 has been marked as a duplicate of this bug. ***