Environment
SUSE Linux Enterprise Server 10
Novell Open Enterprise Server 2 (OES 2) Linux
Situation
Squid needs to authenticate to eDirectory via Secure LDAP
Squid is already set up to authenticate to eDirectory LDAP using port 389. For information on setting up a basic Squid Proxy Server, see the "Additional Information" section of this document.
Resolution
The following steps are necessary to create a secure connection from Squid to eDirectory LDAP:
I. - Export the trusted root certificate from eDirectory:
A. ConsoleOne
1. Select the SSL Certificate DNS object that corresponds to the LDAP server
2. Click on the "Certificates" tab
3. Click on the "Trusted Root Certificate" sub tab
4. Click on the "Export" button
5. Answer "No" to exporting the private key
6. Select DER and click Next through to Finish.
B. iManager
Note: The steps below require the "Novell Certificate Server Plug-ins for iManager" plug-in.
1. Log in to the eDirectory tree
2. Go to the "Directory Administration" tab on the left panel.
3. Click on the "Modify Object Link".
4. Click the "Object Selector" and browse through the tree to find and click the "SSLCertificateDNS" object that corresponds to the LDAP server.
5. Go to the "Certificates" tab and select "Trusted Root Certificate" underneath it.
6. Select the "SSLCertificateDNS" certificate check box. If more than one certificate is present, select the appropriate one.
7. Click on the link "Export".
8. In the "Certificates" drop down box, select "SSL Certificate DNS". Uncheck the "Export Private Key" option.
9. Select "DER" as the "Export Format" from the drop down menu and click "Next".
10. Click on the "Save the exported certificate" link and save it in your machine locally.
II. - Place the exported DER certificate on the Squid box, for example in /etc/openldap/cacerts/ (you may need to create the "cacerts" directory).
III. - Convert it to .pem via the following command on the Linux box:
"openssl x509 -in RootCert.der -inform DER -out RootCert.pem -outform PEM"
IV. - On the Linux machine, modify the "ldap.conf" file in /etc/openldap so that TLS_CACERT points to the .pem file. Be sure to place that line before the TLS_REQCERT allow line, as in the following example:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERT /etc/openldap/cacerts/RootCert.pem
# "allow" lets the session proceed even when the server certificate fails
# verification; use "TLS_REQCERT demand" to enforce checking against the CA above.
TLS_REQCERT allow
V. - Add "-H ldaps://<ipaddress>" to the "auth_param basic program" line in the squid.conf file.
For example:
...
auth_param basic program /usr/sbin/squid_ldap_auth -b "o=corp" -u cn -f "cn=%s" -D "cn=admin,o=corp" -w mypassword -H ldaps://<ipaddress>
...
VI. - Restart squid.
"rcsquid restart"
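Before restarting Squid it is worth checking that ldap.conf really does what steps III and IV intend. The following script is an added example and is not part of the original TID; it assumes ldap.conf(5) syntax (a directive is "KEY value", not "KEY=value") and that the CA file is PEM, and it flags TLS_REQCERT allow, which does not enforce the trusted root you just installed.

```shell
#!/bin/sh
# Added example, not part of the original TID: sanity-check the Squid host's
# /etc/openldap/ldap.conf before "rcsquid restart". It verifies that TLS_CACERT
# uses "KEY value" syntax (ldap.conf(5) does not accept "KEY=value"), points at a
# readable PEM file, precedes TLS_REQCERT, and warns when TLS_REQCERT is "allow",
# which lets the session proceed even if the server certificate fails to verify.

# check_ldap_conf FILE -> exit status 0 when the file passes, 1 otherwise
check_ldap_conf() {
    conf="$1"; rc=0
    # Drop comment and blank lines so only directives are examined.
    body=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' || true)

    if printf '%s\n' "$body" | grep -q '^TLS_CACERT='; then
        echo "ERROR: TLS_CACERT uses '='; ldap.conf expects 'TLS_CACERT /path/RootCert.pem'"; rc=1
    fi
    cacert=$(printf '%s\n' "$body" | awk '$1=="TLS_CACERT"{print $2; exit}')
    if [ -z "$cacert" ]; then
        echo "ERROR: no usable TLS_CACERT directive"; rc=1
    elif [ ! -r "$cacert" ]; then
        echo "ERROR: TLS_CACERT file not readable: $cacert"; rc=1
    elif ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
        echo "ERROR: $cacert is not PEM; convert it with openssl x509 -inform DER -outform PEM"; rc=1
    fi
    # The TID requires TLS_CACERT to appear before the TLS_REQCERT line.
    ca_line=$(printf '%s\n' "$body" | grep -n '^TLS_CACERT' | head -n 1 | cut -d: -f1)
    req_line=$(printf '%s\n' "$body" | grep -n '^TLS_REQCERT' | head -n 1 | cut -d: -f1)
    if [ -n "$ca_line" ] && [ -n "$req_line" ] && [ "$ca_line" -gt "$req_line" ]; then
        echo "ERROR: TLS_CACERT must come before TLS_REQCERT"; rc=1
    fi
    reqcert=$(printf '%s\n' "$body" | awk '$1=="TLS_REQCERT"{print $2; exit}')
    case "$reqcert" in
        allow|never) echo "WARN: TLS_REQCERT $reqcert does not enforce the CA; use 'demand' to verify the server" ;;
    esac
    return "$rc"
}

# make_samples: constructed test files (the PEM body is a placeholder, not a real CA).
# Sets GOOD_CONF (passes) and BAD_CONF ('=' syntax, wrong order, TLS_REQCERT allow).
make_samples() {
    dir=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$dir/RootCert.pem"
    GOOD_CONF="$dir/good.conf"; BAD_CONF="$dir/bad.conf"
    printf 'TLS_CACERT %s/RootCert.pem\nTLS_REQCERT demand\n' "$dir" > "$GOOD_CONF"
    printf 'TLS_REQCERT allow\nTLS_CACERT=%s/RootCert.pem\n' "$dir" > "$BAD_CONF"
}

# Usage on the Squid host: check_ldap_conf /etc/openldap/ldap.conf
```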
Additional Information
The article "Configuration and Authentication for Proxy Squid" explains how to set up a basic Squid Proxy.