Configure Squid to Connect to eDirectory via Secure LDAP

  • 7005346
  • 16-Feb-2010
  • 27-Apr-2012

Environment

SUSE Linux Enterprise Server 10
Novell Open Enterprise Server 2 (OES 2) Linux

Situation

Squid needs to authenticate to eDirectory via Secure LDAP
Squid is already set up to authenticate to eDirectory LDAP using port 389. For information on setting up a basic Squid proxy server, see the "Additional Information" section in this document.

Resolution

The following steps are necessary to create a secure connection from Squid to eDirectory LDAP:
 
I. - Export the trusted root certificate from eDirectory:
 
A. ConsoleOne
1. Select the SSL Certificate DNS object that corresponds to the LDAP server.
2. Click the "Certificates" tab.
3. Click the "Trusted Root Certificate" sub-tab.
4. Click the "Export" button.
5. Select "No" when asked whether to export the private key.
6. Select DER and click Next all the way to Finish.

B. iManager
Note: The steps below require the "Novell Certificate Server Plug-ins for iManager" plug-in.

1. Log in to the eDirectory tree
2. Go to the "Directory Administration" tab on the left panel.
3. Click on the "Modify Object Link".
4. Click the "Object Selector" and browse through the tree to find and click the "SSLCertificateDNS" that corresponds to LDAP server.
5. Go to the "Certificates" tab and select "Trusted Root Certificate" underneath it.
6. Select the "SSLCertificateDNS" certificate check box. If more than one certificate is present, select the appropriate one.
7. Click the "Export" link.
8. In the "Certificates" drop-down box, select "SSL Certificate DNS" and uncheck the "Export Private Key" option.
9. Select DER as the "Export Format" from the drop-down menu and click "Next".
10. Click the "Save the exported certificate" link and save the file locally on your machine.

II. - Place the exported DER certificate on the Squid box, for example in /etc/openldap/cacerts/ (the "cacerts" folder may need to be created).

III.  - Convert it to .pem via the following command on the Linux box:

"openssl x509 -in RootCert.der -inform DER -out RootCert.pem -outform PEM"

IV. - On the Linux machine, modify the "ldap.conf" file in /etc/openldap to point to the .pem file. Be sure to add it before the "TLS_REQCERT allow" line, as in the following example:
 
#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
 
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
 
TLS_CACERT /etc/openldap/cacerts/RootCert.pem
TLS_REQCERT allow

V. - Add "-H" and "ldaps://" to the "auth_param basic program" line in the squid.conf file.

For example:

...
auth_param basic program /usr/sbin/squid_ldap_auth -b "o=corp" -u cn -f "cn=%s" -D "cn=admin,o=corp" -w mypassword -H ldaps://<ipaddress>
...

VI. - Restart squid.

"rcsquid restart"
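As an added check that is not part of this TID, the following POSIX shell script verifies the client-side TLS setup from steps III to V before Squid is restarted. check_ldap_conf reads an ldap.conf the way libldap does (keyword, whitespace, value) and flags the mistakes that silently weaken the LDAPS connection, in particular a "TLS_CACERT=" line, which libldap ignores because it needs whitespace between keyword and value. probe_ldaps and bind_test are manual checks that assume openssl and the OpenLDAP client tools are installed on the Squid box; the host name, CA path and bind DN passed to them are placeholders.

```shell
#!/bin/sh
# Added example (not part of TID 7005346): sanity checks for the LDAPS
# client configuration used by Squid.

# check_ldap_conf FILE
# Reports: "TLS_CACERT=<file>" (ignored by libldap, so the exported
# eDirectory root is never trusted), a missing TLS_CACERT, TLS_REQCERT
# placed before TLS_CACERT (the TID puts the CA line first), and
# "TLS_REQCERT never" (no server certificate is requested at all).
# "allow" and "try" only warn: they let a failed verification through.
# Returns 0 when the file passes, 1 otherwise.
check_ldap_conf() {
    file=$1
    cacert_at=0
    reqcert_at=0
    reqcert_val=""
    n=0
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f                          # no globbing while we split the line
        set -- $line                    # keyword and value, split on whitespace
        set +f
        key=${1:-}
        val=${2:-}
        case $key in
            ''|'#'*) continue ;;        # blank line or comment
            TLS_CACERT=*)
                printf '%s:%d: "%s" uses "=", but ldap.conf(5) expects "TLS_CACERT <file>"\n' \
                    "$file" "$n" "$key"
                rc=1 ;;
            TLS_CACERT)
                cacert_at=$n
                if [ -z "$val" ]; then
                    printf '%s:%d: TLS_CACERT has no file argument\n' "$file" "$n"
                    rc=1
                fi ;;
            TLS_REQCERT)
                reqcert_at=$n
                reqcert_val=$val ;;
        esac
    done < "$file"

    if [ "$cacert_at" -eq 0 ]; then
        printf '%s: no usable TLS_CACERT line; the exported root certificate is not trusted\n' "$file"
        rc=1
    elif [ "$reqcert_at" -ne 0 ] && [ "$reqcert_at" -lt "$cacert_at" ]; then
        printf '%s: TLS_REQCERT (line %d) comes before TLS_CACERT (line %d)\n' \
            "$file" "$reqcert_at" "$cacert_at"
        rc=1
    fi
    case $reqcert_val in
        never)
            printf '%s:%d: TLS_REQCERT never disables server certificate checks\n' \
                "$file" "$reqcert_at"
            rc=1 ;;
        allow|try)
            printf '%s:%d: warning: TLS_REQCERT %s tolerates a certificate that fails verification; use "demand" once the CA file is in place\n' \
                "$file" "$reqcert_at" "$reqcert_val" ;;
    esac
    return "$rc"
}

# probe_ldaps HOST CAFILE  (manual check; needs network and openssl)
# Checks the server certificate on port 636 against the exported root
# independently of ldap.conf: openssl must report "Verify return code: 0 (ok)".
probe_ldaps() {
    openssl s_client -connect "$1:636" -CAfile "$2" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# bind_test HOST BINDDN  (manual check; needs the OpenLDAP client tools)
# Repeats the bind Squid performs in step V with verification forced to
# "demand", so a wrong TLS_CACERT shows up here instead of being masked
# by "TLS_REQCERT allow". Prompts for the bind password.
bind_test() {
    LDAPTLS_REQCERT=demand ldapsearch -H "ldaps://$1" -x -D "$2" -W -b "" -s base objectClass
}

# Usage: sh ldaps_check.sh /etc/openldap/ldap.conf
if [ $# -ge 1 ]; then
    check_ldap_conf "$1"
fi
```

Run check_ldap_conf against /etc/openldap/ldap.conf after step IV; once it passes and probe_ldaps succeeds against the eDirectory server with the converted RootCert.pem, "TLS_REQCERT allow" can be tightened to "demand" without breaking the Squid bind.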

Additional Information

The article "Configuration and Authentication for Proxy Squid" explains how to set up a basic Squid Proxy