# Squid_ldap_auth + AD2008 - Error



## cybercoke (Nov 9, 2009)

:stud
Hi guys, 

i'm trying to make an integration of proxy server (free bsd 7.1) with AD (Windows 2008 Server) to make them talk about users that are created in AD. I'm using squid_ldap_auth helper but when some user try to autenticate in browser, the followind error appers in cache.log:

"squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact LDAP server'"

The log shows no error on initializing squid.

The command line in the squid.conf is:

```
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=xxx,dc=com,dc=br" -D 
"cn=Controle.Internet,ou=Internet,dc=xxx,dc=com,dc=br" -w "123456" -f sAMAccountName=%s -h 192.168.200.4
auth_param basic children 5
auth_param basic realm Proxy - Usuario e Senha
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
```
Where "xxx" is the domain example.

Plese, help.
Thank's a lot.


----------



## pacija (Jan 25, 2010)

Uhm, it would be very long to give you complete instruction here, but here are a few guidelines, then ask further if you have some more specific questions.

First of all you need net/samba33 compiled with ads, ldap and winbind support, and join your proxy to a domain. This explains it:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

You will need to create /etc/krb5.conf

```
[libdefaults]
default_realm = YOURDOMAIN.ORG
[domain_realm]
.yourdomain.org = YOURDOMAIN.ORG
[realms]
YOURDOMAIN.ORG = {
kdc = domaincontroller.yourdomain.org
}
[logging]
kdc = FILE:/var/heimdal/kdc.log
```

And also to edit /usr/local/etc/smb.conf

```
[global]
workgroup = YOURDOMAIN
netbios name = THISHOSTNAME
server string = SomeShortDescription
realm = YOURDOMAIN.ORG
security = ADS
password server = domaincontroller.yourdomain.org
idmap gid = 10000-20000
idmap uid = 10000-20000
winbind refresh tickets = yes
winbind use default domain = yes
```

Then you need to update your /etc/rc.conf with samba_enable="YES" and winbindd_enable="YES", and to start the services with /usr/local/etc/rc.d/samba start

Next, you need to join domain by issuing (as root):

```
root# net ads join -U administrator -S domaincontroller.yourdomain.org
```
and type password of AD admin when prompted. If everything worked fine you will see freshly joined computer in your AD users and computers list. On BSD box, you will know that everything worked well if commands 'wbinfo -u' and 'wbinfo -g' return users and groups in your AD.

Uhm, i got tired :/
If anyone reads this please ask for more, i will explain further in next post...


----------



## cybercoke (Feb 1, 2010)

Tkx for it ! At the moment i'm using a simple way to autenticate users on bsd box. I 'll try this solution in a fresh new box. 

tkx again!


----------



## chavez243ca (Nov 26, 2010)

Try to follow these instructions to the letter, but find that Samba34 make is failing b.c. KRB5 is missing AD support.  Anyone familiar with this issue?


n/m

using KRB5_HOME=/usr/local seems to have done the trick


----------

