Guest

Cisco 500 Series Content Engines

Configuring LDAP Authentication with Cisco Cache Engine 2.5.1 and Later

Cisco - Configuring LDAP Authentication with Cisco Cache Engine 2.5.1 and Later

Document ID: 4713

Updated: Jan 31, 2006

   Print

Introduction

This document provides a sample configuration for a Cisco Cache Engine. The configuration enables the Cache Engine to perform a standard Lightweight Directory Access Protocol (LDAP) database search to allow or restrict user access to web resources. For more information on any feature that this document reviews, see the Related Information

Related Cisco Support Community Discussions section.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 500 Series Cache Engine that runs Cisco Cache Software Release 2.5.1 or later

  • Netscape Directory (LDAP) server and OpenLDAP Server

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Background Information

LDAP was invented to preserve the best qualities that X.500 offers but reduce the administrative costs. LDAP provides an open directory access protocol that runs over TCP/IP. LDAP retains the X.500 data model. The protocol is scalable to a global size and to millions of entries for a modest investment in hardware and network infrastructure. The result is a global directory solution that is so affordable that small organizations can use it, but it also can be scaled to support the largest of enterprises.

An LDAP-enabled Cache Engine/Content Engine (CE) authenticates users with an LDAP server. With an HTTP query, the CE obtains a set of credentials from the user, which includes the user ID and password. The CE then compares the credentials to the credentials in an LDAP server. When the CE authenticates a user through the LDAP server, the CE stores a record of that authentication locally in the CE RAM, within the authentication cache. As long as the CE keeps the authentication entry, subsequent attempts by that user to access restricted Internet content do not require LDAP server lookups. The default time period for retention of the authentication entry is 480 minutes. The minimum is 30 minutes, and the maximum is 1440 minutes, or 24 hours. This interval is the time between the last Internet access by the user and the removal of the user entry from the authorization cache. The removal forces reauthentication with the LDAP server.

The Cache Engine supports LDAP authentication for both proxy mode and transparent, or Web Cache Communication Protocol (WCCP), mode access. In proxy mode, the CE uses the client user ID as a key for the authentication database. While in transparent mode, the CE uses the client IP address as a key for the authentication database. The CE uses simple, nonencrypted authentication to communicate with the LDAP server.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only) .

Configuration

This document uses this configuration:

Cisco Cache Engine 550 (Cisco Cache Software Release 2.5.1)
hostname dioxin
!
interface ethernet 0
 ip address 172.17.241.49 255.255.255.0
 ip broadcast-address 172.17.241.255
 bandwidth 10
 halfduplex
 exit
!
interface ethernet 1
 exit
!
ip default-gateway 172.17.241.1
ip name-server 144.254.6.77
ip domain-name cisco.com
ip route 0.0.0.0 0.0.0.0 172.17.241.1
cron file /local/etc/crontab
lock timezone CET -7 0
!
no bypass load enable
http proxy incoming 8080
wccp router-list 1 172.17.241.214
wccp port-list 1 80 8080
wccp web-cache router-list-num 1
wccp version 2
no wccp slow-start enable
!
authentication login local enable
authentication configuration local enable


!--- Specify the LDAP server IP address and TCP port number.

ldap server host 172.17.241.217 port 389

!--- This is the base Distinguished Name (DN) of the start point 
!--- for the search in the LDAP database.
 
ldap server base dc=cisco, dc=com 

!--- This is the DN of the admin user.
 
ldap server administrative-dn uid=admin, ou=special users, dc=cisco, dc=com 

!--- This is the password for the admin user.
 
ldap server administrative-passwd **** 
proxy-protocols transparent original-proxy
rule no-cache url-regex .*cgi-bin.*
rule no-cache url-regex .*aw-cgi.*
!
!
end

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.

Note: Before issuing debug commands, refer to Important Information on Debug Commands.

debug https header trace

This is the get request that comes from the client.

dioxin# 

!--- These are the HTTP request headers that come from the client.

GET http://missile.cisco.com/ HTTP/1.0
If-Modified-Since: Wed, 01 Mar 2000 18:37:44 GMT; length=2511
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.76 [en] (Windows NT 5.0; U)
Pragma: no-cache
Host: missile.cisco.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Proxy-authorization: Basic YW1pa3VzOnd3

This is the request that is forwarded to the origin server after authentication of the user.

Http request headers sent to server:
GET / HTTP/1.0
User-Agent: Mozilla/4.76 [en] (Windows NT 5.0; U)
Pragma: no-cache
Host: missile.cisco.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
If-Modified-Since: Wed, 01 Mar 2000 18:37:44 GMT; length=2511
Connection: keep-alive
Via: 1.0 dioxin
X-Forwarded-For: 172.17.241.216

!--- This is the response that is received from the origin server.

Http response headers received from server:
HTTP/1.1 304 Not Modified
Date: Mon, 03 Sep 2001 17:55:22 GMT
Server: Apache/1.3.12 (Unix)  (Red Hat/Linux) PHP/3.0.15 mod_perl/1.21
Connection: Keep-Alive
Keep-Alive: timeout=15, max=100
ETag: "66-9cf-38bd6378"

This is the response that is forwarded to the client that makes the request:

Http response headers sent to client:
HTTP/1.1 304 Not Modified
Date: Mon, 03 Sep 2001 17:55:22 GMT
Server: Apache/1.3.12 (Unix)  (Red Hat/Linux) PHP/3.0.15 mod_perl/1.21
Keep-Alive: timeout=15, max=100
ETag: "66-9cf-38bd6378"
Proxy-Connection: keep-alive

debug ldap authcache all

This is the debug that shows the first request packet that triggers LDAP authentication.

dioxin#ACDaemon: running; 95% = 3800 85% = 3400
ACDaemon: Comparing 1904 > 28800
ACDaemon: freed 0 entries
ACEntry: Proxy Mode; nType=1

!--- The CE sends an authentication-required header to the client.

ACEntry: sending 407 to user - reason 104 
ACEntry: Proxy Mode, no REQ_FLAGS_PROXY_AUTH flag
ACEntry: Proxy Mode; nType=1

!--- The authentication is successful and there is
!--- an addition of the entry to the authentication cache.

ACEntry: added entry at key 1044 
ACEntry: Proxy Mode; nType=1

!--- Subsequent requests from the same client go through
!--- in the way that the CE has them in the authentication cache.

ACEntry: AuthCache Hit!!  
ACEntry: Proxy Mode; nType=1
ACEntry: AuthCache Hit!!
ACEntry: Proxy Mode; nType=1
ACEntry: AuthCache Hit!!
ACEntry: Proxy Mode; nType=1
ACEntry: AuthCache Hit!!

debug ldap server connect

This trace shows the CE communication with the LDAP server:

attempt to connect host at later time-serv=1,thread=0
attempt to connect host at later time-serv=1,thread=1
attempt to connect host at later time-serv=1,thread=2
attempt to connect host at later time-serv=1,thread=3
attempt to connect host at later time-serv=1,thread=4
ldap_open_server_on_timer--thread=4e8ac0,magic=dededada,server=1,thread_ind=0
ldap_open_server_on_timer--thread=4e8b20,magic=dededada,server=1,thread_ind=1
ldap_open_server_on_timer--thread=4e8b80,magic=dededada,server=1,thread_ind=2
ldap_open_server_on_timer--thread=4e8be0,magic=dededada,server=1,thread_ind=3
ldap_open_server_on_timer--thread=4e8c40,magic=dededada,server=1,thread_ind=4
ldap_open_server -server/thread = 1 / 0
ldap_open_server --thread=4e8ac0,magic=dededada,server=1,thread_ind=0
ldap found already initialized ld aa55a00
freeing old host for server 1
connecting new host 172.17.241.217 for server 1
ldap_connect : 
ldap_open_server -server/thread = 1 / 1
ldap_open_server --thread=4e8b20,magic=dededada,server=1,thread_ind=1
ldap found already initialized ld aa55600
freeing old host for server 1
connecting new host 172.17.241.217 for server 1
ldap_connect : 
ldap_open_server -server/thread = 1 / 2
ldap_open_server --thread=4e8b80,magic=dededada,server=1,thread_ind=2
ldap found already initialized ld ff9e800
freeing old host for server 1
connecting new host 172.17.241.217 for server 1
ldap_connect : 
ldap_open_server -server/thread = 1 / 3
ldap_open_server --thread=4e8be0,magic=dededada,server=1,thread_ind=3
ldap found already initialized ld aa55e00
freeing old host for server 1
connecting new host 172.17.241.217 for server 1
ldap_connect : 
ldap_open_server -server/thread = 1 / 4
ldap_open_server --thread=4e8c40,magic=dededada,server=1,thread_ind=4
ldap found already initialized ld aa55400
freeing old host for server 1
connecting new host 172.17.241.217 for server 1
ldap_connect : 
connected to new host(1) 172.17.241.217 for server 1
freed connection, request mutices 172.17.241.217 for server 1
connected to new host(1) 172.17.241.217 for server 1
freed connection, request mutices 172.17.241.217 for server 1
connected to new host(1) 172.17.241.217 for server 1
freed connection, request mutices 172.17.241.217 for server 1
connected to new host(1) 172.17.241.217 for server 1
freed connection, request mutices 172.17.241.217 for server 1
connected to new host(1) 172.17.241.217 for server 1
freed connection, request mutices 172.17.241.217 for server 1

debug ldap server trace

cfg_ldap_serv_host_cmd(): Begin
nsldapi_open_ldap_defconn
nsldapi_new_connection
nsldapi_open_ldap_connection
nsldapi_connect_to_host: 172.17.241.217:389
 connect with custom connect function-38701c
nsldapi_open_ldap_defconn
nsldapi_new_connection
nsldapi_open_ldap_connection
nsldapi_connect_to_host: 172.17.241.217:389
 connect with custom connect function-38701c
nsldapi_open_ldap_defconn
nsldapi_new_connection
nsldapi_open_ldap_connection
nsldapi_connect_to_host: 172.17.241.217:389
 connect with custom connect function-38701c
nsldapi_open_ldap_defconn
nsldapi_new_connection
nsldapi_open_ldap_connection
nsldapi_connect_to_host: 172.17.241.217:389
 connect with custom connect function-38701c
nsldapi_open_ldap_defconn
nsldapi_new_connection
nsldapi_open_ldap_connection
nsldapi_connect_to_host: 172.17.241.217:389
 connect with custom connect function-38701c
sd 672 connected to: 172.17.241.217
sd 673 connected to: 172.17.241.217
sd 674 connected to: 172.17.241.217
sd 675 connected to: 172.17.241.217
sd 676 connected to: 172.17.241.217

debug ldap server request / receive

This is a sample trace of a successful debug ldap server request / receive search:

ldap_ce_search_wrap - begin
ldap_ce_search_wrap - result 0 for uid smarsill
ldap_ce_search - uid = smarsill, time = 999512222
ldap_user_auth - uid = smarsill
Ldap Mgmt Auth Bind
ldap Admin dn=4e85cd
ldap_user_auth - mgmt bind result = 0
Ldap Bind - user smarsill
Search result = 0, ffa1f80
ldap_first_entry = ffa1f80
ldap dn=uid=smarsill,ou=tac-bru,dc=cisco,dc=com
Ldap Bind Success
ldap_ce_search - authentication succeeded - uid = smarsill, time=999512222

show ldap server

dioxin# show ldap server
show_ldap_serv_cmd(): Begin
LDAP Configuration:
------------------
LDAP Authentication is on
    Timeout                 = 5 seconds
    AuthTimeout             = 480 minutes
    Retransmit              = 3 
    UserID-Attribute        = uid 
    Filter                  =  
    Base DN                 = "dc=cisco, dc=com"
    Administrative DN       = "uid=admin, ou=special users, dc=cisco, dc=com"
    Administrative Password = **** 
    AllowMode               = DISABLED 
    ----------------------
    Servers
    -------
    
show_ldap_serv_cmd(): End
    IP 172.17.241.217, Port = 389, State: ENABLED

show ldap authcache

dioxin# show ldap authcache

      AuthCache 
===================== 
hash  1700 : uid: amikus nBkt: 0x0 nLRU: 0x0 pLRU: 0xb889c00 
             lacc: 999508731 ipAddr: d8f111ac keyTp: 1 
hash  1961 : uid: smarsill nBkt: 0x0 nLRU: 0xb889bc0 pLRU: 0x0 
             lacc: 999508484 ipAddr: c003fe90 keyTp: 1

Related Information

Updated: Jan 31, 2006
Document ID: 4713