[squid-users] Squid Forward Proxy for LDAP
Bryan Peters
2016-12-15 14:29:19 UTC
My Google-fu seems to be coming up short.

We have an application that ties into our users' SSO/LDAP servers. We
don't run an LDAP server of our own; we're just making outbound calls to
their LDAP servers.

I would like to proxy all outbound LDAP calls through Squid to get around
some limitations of AWS, and because our customers need to whitelist an IP. (AWS
load balancers don't have static IPs, and some of our customers won't whitelist
FQDNs in their firewall.)

Getting the traffic from our app server(s) to the Squid box hasn't been
much of a problem. I'm using iptables/NAT to accomplish this. tcpdump on
the Squid machine sees traffic coming in on 3128.

I've added 389 as a 'safe port' in the Squid config and created ACLs that
allow the network the traffic is coming in from. Yet Squid never grabs the
traffic and does anything with it. The logs don't get updated at all.

Am I incorrect about Squid being able to proxy LDAP traffic?

Googling for this is sort of maddening, as all forums, mailing lists, FAQs
and documentation continue to come up with doing LDAP auth on a Squid
machine, which isn't what I'm looking for at all.

Any help you can give would be appreciated.

Thanks
Yuri Voinov
2016-12-15 21:20:56 UTC
Post by Bryan Peters
My Google-fu seems to be coming up short.
We have an application that ties into our users' SSO/LDAP servers. We
don't run an LDAP server of our own; we're just making outbound calls
to their LDAP servers.
I would like to proxy all outbound LDAP calls through Squid to get
around some limitations of AWS, and because our customers need to whitelist an
IP. (AWS load balancers don't have static IPs, and some of our customers
won't whitelist FQDNs in their firewall.)
Getting the traffic from our app server(s) to the Squid box hasn't
been much of a problem. I'm using iptables/NAT to accomplish this.
tcpdump on the Squid machine sees traffic coming in on 3128.
I've added 389 as a 'safe port' in the Squid config and created ACLs that
allow the network the traffic is coming in from. Yet Squid never grabs
the traffic and does anything with it. The logs don't get updated at all.
Am I incorrect about Squid being able to proxy LDAP traffic?
Exactly. By definition, Squid is only an HTTP proxy. Initially.
Modern versions also support HTTPS (with restrictions) and FTP (with
restrictions).
Post by Bryan Peters
Googling for this is sort of maddening, as all forums, mailing lists,
FAQs and documentation continue to come up with doing LDAP auth on a
Squid machine, which isn't what I'm looking for at all.
Condolences. The thing you want is not possible with Squid.
Post by Bryan Peters
Any help you can give would be appreciated.
It cannot help with the fact that the product is simply not that class of
thing. Squid is not a proxy for all the protocols in the world. Although it
would not hurt to have support for some of them, and it is certainly not FTP
(FTP, in the year 2016, indeed! :))
Post by Bryan Peters
Thanks
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
--
Cats - delicious. You just do not know how to cook them.
Brendan Kearney
2016-12-15 23:36:40 UTC
If you want to proxy LDAP, why not use LDAP to do it?

http://www.openldap.org/doc/admin23/proxycache.html
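To make Brendan's suggestion concrete, here is an added example (not posted in the thread, not taken from the OpenLDAP documentation linked above) of a minimal slapd.conf that turns an OpenLDAP slapd into a forwarding LDAP proxy using the back-ldap database. The application points its LDAP client at this host; slapd re-originates every bind and search from its own, static IP toward the customer's directory, which is the IP the customer then whitelists. The hostnames, suffix, module path and certificate paths are assumptions and must be replaced with real values.

```conf
# Added example, not from the thread or the OpenLDAP docs. All hostnames,
# suffixes and file paths below are placeholders (assumptions).

include         /etc/openldap/schema/core.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Trust anchor used to verify the customer directory's server certificate
# on the proxy-to-customer hop (path is an assumption).
TLSCACertificateFile    /etc/openldap/certs/customer-ca.pem

modulepath      /usr/lib/openldap
moduleload      back_ldap.la

# The proxy database: no local data, every operation under this suffix is
# forwarded to the remote directory named in 'uri'.
database        ldap
suffix          "dc=customer,dc=example"
uri             "ldap://ldap.customer.example:389/"
protocol-version 3

# Upgrade the outbound hop with StartTLS and refuse to proceed unless the
# remote certificate chains to the configured CA. 'tls_reqcert=never' would
# let anyone on the path impersonate the customer directory and harvest
# the forwarded bind credentials; keep it at 'demand'.
tls             start tls_reqcert=demand tls_cacert=/etc/openldap/certs/customer-ca.pem

# Client binds are proxied to the remote server as-is, so the customer's
# directory, not this proxy, remains the authority on who may bind.
# rebind-as-user re-uses the client's own credentials if the upstream
# connection has to be re-established or a referral is chased.
rebind-as-user  yes
chase-referrals no
```

Two caveats a practitioner would add. First, slapd's listener is plaintext unless it is started with an ldaps:/// URL and given TLSCertificateFile/TLSCertificateKeyFile, so the application-to-proxy hop inside the VPC also needs TLS or an equivalently trusted network path; otherwise the proxy becomes the easiest place to sniff user passwords. Second, back-ldap delegates most access control to the remote server, so who may reach the proxy at all should be enforced at the network layer (security groups or firewall rules limited to the application servers), not by slapd ACLs.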
