LDAP and JNDI

Today, instead of just dealing with people and papers, I actually worked on something a bit more interesting. I needed to allow users to change the passwords of their Active Directory accounts using a web page. Being a Java zealot, the solution I chose was JNDI which made things pretty much straightforward.

Of course it wouldn’t have been fun without problems, and I encountered two, albeit minor, hitches with LDAP and Active Directory. LDAP is supposedly easy but it never ceases to give me just enough trouble to roundly irritate me. Active Directory only allows modification of passwords over a secure connection, either TLS or SSL. That requirement is actually a good thing, but it meant a few extra steps. Besides, like I said, they were minor hitches.

So how to do it?


LDAP Authentication For Squid

One of the things you want to do as you integrate your systems is to have them authenticate against a common user base. That user base is usually an LDAP source, in my case Microsoft Active Directory (don’t say anything!!!). One of the systems you would want to point at the common user base is your web proxy, Squid in my case. Here is how to integrate the two. It’s quite simple actually, though, as usual, LDAP gave me a bit of a hard time.

First you need to configure Squid to use LDAP. Just add the following in your squid.conf:

auth_param basic program /usr/lib/squid/squid_ldap_auth -P -R -b "dc=your,dc=domain" -D "cn=user,cn=Users,dc=your,dc=domain" -w "password" -f "(&(objectClass=person)(sAMAccountName=%s))" yourldapserver

If you’re encountering problems, add the -d parameter at the end and do a tail -f on /var/log/squid/cache.log. Now that Squid can authenticate using LDAP, just add your ACLs in squid.conf:

acl youracl1 proxy_auth "/path/to/userlist"
http_access allow youracl1

That’s it!
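As an added example (not code from the original post, nor from Squid itself), here is the skeleton of a basic-auth helper doing what the squid_ldap_auth line above relies on: read one "username password" line per login attempt, escape the name before substituting it for %s in the post's filter, and answer OK or ERR. The directory lookup is a stand-in over a constructed user table so it runs offline; the URL-decoding of the two fields is assumed from newer Squid helper protocol versions.

```python
"""Hypothetical Squid basic-auth helper skeleton (example code, not Squid's own)."""
import sys
import urllib.parse

# The search filter from the post; %s is where the login name goes.
FILTER_TEMPLATE = "(&(objectClass=person)(sAMAccountName=%s))"

# Characters RFC 4515 gives special meaning inside a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str) -> str:
    """Substitute the escaped login name for %s in the post's filter."""
    return FILTER_TEMPLATE.replace("%s", escape_filter_value(username))


def parse_request(line: str):
    """Split a helper request line into (username, password), or None if malformed."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return None
    # Assumption: newer Squid releases rfc1738-encode both fields; decoding plain values is harmless.
    return urllib.parse.unquote(parts[0]), urllib.parse.unquote(parts[1])


def handle_line(line: str, check_bind) -> str:
    """Return the reply Squid expects ("OK" or "ERR") for one request line."""
    req = parse_request(line)
    if req is None:
        return "ERR"
    username, password = req
    if not password:  # an empty password would be an unauthenticated simple bind (RFC 4513)
        return "ERR"
    return "OK" if check_bind(build_filter(username), password) else "ERR"


# Constructed stand-in for the Active Directory lookup: sAMAccountName -> password.
FAKE_DIRECTORY = {"alice": "s3cret", "bob": "hunter2"}


def fake_bind(search_filter: str, password: str) -> bool:
    """Pretend to search with the filter and bind as the matching user."""
    name = search_filter.split("sAMAccountName=", 1)[1].rstrip(")")
    return FAKE_DIRECTORY.get(name) == password


if __name__ == "__main__":
    for request in sys.stdin:  # Squid keeps the helper running and feeds it lines
        print(handle_line(request, fake_bind), flush=True)
```

Run it with `echo "alice s3cret" | python3 helper.py` to see the OK/ERR exchange Squid drives when it talks to the real squid_ldap_auth.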