
Configure LDAP Authentication with Cisco Cache Engine 2.5.1 and Later

October 24, 2016 - Machine translation




Introduction

This document provides a sample configuration for the Cisco Cache Engine. The configuration makes the Cache Engine perform a standard Lightweight Directory Access Protocol (LDAP) database lookup in order to allow or restrict user access to web resources. For more information on any of the features this document discusses, refer to the Related Information section.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 500 Series Cache Engine that runs Cisco Cache Software Release 2.5.1 or later

  • Netscape Directory (LDAP) Server and OpenLDAP server

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Background Information

LDAP was invented to keep the best qualities of X.500 while reducing the administrative overhead. LDAP provides an open directory access protocol that runs over TCP/IP, and it retains the X.500 data model. The protocol scales to a global size and to millions of entries for a modest investment in hardware and network infrastructure. The result is a global directory solution that is affordable enough for small organizations to use, but that can also be scaled to support the largest enterprises.

An LDAP-enabled Cache Engine/Content Engine (CE) authenticates users against an LDAP server. Through an HTTP challenge, the CE obtains a set of credentials (user ID and password) from the user and then compares those credentials with the ones held on the LDAP server. When the CE has authenticated a user through the LDAP server, it stores that authentication record locally in CE RAM, in the authentication cache. As long as the CE retains the authentication entry, subsequent attempts by that user to access restricted Internet content do not require an LDAP server lookup. The default retention period for an authentication entry is 480 minutes; the minimum is 30 minutes and the maximum is 1440 minutes (24 hours). This interval is the time between the user's last Internet access and the removal of the user's entry from the authentication cache. Removal forces re-authentication with the LDAP server.

The Cache Engine supports LDAP authentication in proxy mode and in transparent, or Web Cache Communication Protocol (WCCP), mode. In proxy mode, the CE uses the client user ID as the key to the authentication database. In transparent mode, the CE uses the client IP address as the key to the authentication database. The CE uses simple, non-encrypted authentication to communicate with the LDAP server.

Configure

This section presents you with the information to configure the features this document describes.

Note: To find additional information on the commands this document uses, use the Command Lookup Tool (registered customers only).

Configurations

This document uses this configuration:

Cisco Cache Engine 550 (Cisco Cache Software Release 2.5.1)
hostname dioxin
!
interface ethernet 0
 ip address 172.17.241.49 255.255.255.0
 ip broadcast-address 172.17.241.255
 bandwidth 10
 halfduplex
 exit
!
interface ethernet 1
 exit
!
ip default-gateway 172.17.241.1
ip name-server 144.254.6.77
ip domain-name cisco.com
ip route 0.0.0.0 0.0.0.0 172.17.241.1
cron file /local/etc/crontab
lock timezone CET -7 0
!
no bypass load enable
http proxy incoming 8080
wccp router-list 1 172.17.241.214
wccp port-list 1 80 8080
wccp web-cache router-list-num 1
wccp version 2
no wccp slow-start enable
!
authentication login local enable
authentication configuration local enable


!--- Specify the LDAP server IP address and TCP port number.

ldap server host 172.17.241.217 port 389

!--- This is the base Distinguished Name (DN) of the start point 
!--- for the search in the LDAP database.

ldap server base dc=cisco, dc=com

!--- This is the DN of the admin user.

ldap server administrative-dn uid=admin, ou=special users, dc=cisco, dc=com

!--- This is the password for the admin user.

ldap server administrative-passwd ****
proxy-protocols transparent original-proxy
rule no-cache url-regex .*cgi-bin.*
rule no-cache url-regex .*aw-cgi.*
!
!
end

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

The Output Interpreter Tool (registered customers only) supports certain show commands, which allows you to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you issue debug commands.

debug https header trace

This is the GET request that comes from the client.

dioxin# 

!--- These are the HTTP request headers that come from the client.

GET http://missile.cisco.com/ HTTP/1.0
If-Modified-Since: Wed, 01 Mar 2000 18:37:44 GMT; length=2511
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.76 [en] (Windows NT 5.0; U)
Pragma: no-cache
Host: missile.cisco.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Proxy-authorization: Basic YW1pa3VzOnd3

This is the request that is forwarded to the origin server after the user has been authenticated.

Http request headers sent to server:
GET / HTTP/1.0
User-Agent: Mozilla/4.76 [en] (Windows NT 5.0; U)
Pragma: no-cache
Host: missile.cisco.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
If-Modified-Since: Wed, 01 Mar 2000 18:37:44 GMT; length=2511
Connection: keep-alive
Via: 1.0 dioxin
X-Forwarded-For: 172.17.241.216

!--- This is the response that is received from the origin server.

Http response headers received from server:
HTTP/1.1 304 Not Modified
Date: Mon, 03 Sep 2001 17:55:22 GMT
Server: Apache/1.3.12 (Unix) (Red Hat/Linux) PHP/3.0.15 mod_perl/1.21
Connection: Keep-Alive
Keep-Alive: timeout=15, max=100
ETag: "66-9cf-38bd6378"

This is the response that is forwarded to the client that made the request:

Http response headers sent to client:
HTTP/1.1 304 Not Modified
Date: Mon, 03 Sep 2001 17:55:22 GMT
Server: Apache/1.3.12 (Unix) (Red Hat/Linux) PHP/3.0.15 mod_perl/1.21
Keep-Alive: timeout=15, max=100
ETag: "66-9cf-38bd6378"
Proxy-Connection: keep-alive

debug ldap authcache all

This debug shows the first request, which triggers the LDAP authentication:

dioxin#ACDaemon: running; 95% = 3800 85% = 3400
ACDaemon: Comparing 1904 > 28800
ACDaemon: freed 0 entries
ACEntry: Proxy Mode; nType=1

!--- The CE sends an authentication-required header to the client.

ACEntry: sending 407 to user - reason 104 
ACEntry: Proxy Mode, no REQ_FLAGS_PROXY_AUTH flag
ACEntry: Proxy Mode; nType=1

!--- The authentication is successful and there is
!--- an addition of the entry to the authentication cache.

ACEntry: added entry at key 1044 
ACEntry: Proxy Mode; nType=1

!--- Subsequent requests from the same client go through
!--- in the way that the CE has them in the authentication cache.

ACEntry: AuthCache Hit!!
ACEntry: Proxy Mode; nType=1
ACEntry: AuthCache Hit!!
ACEntry: Proxy Mode; nType=1
ACEntry: AuthCache Hit!!
ACEntry: Proxy Mode; nType=1
ACEntry: AuthCache Hit!!
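The behaviour that the Background Information section describes and that this debug shows (a 407 challenge when no credentials are present, an LDAP check on the first authenticated request, then AuthCache hits keyed by user ID in proxy mode or by client IP in transparent mode, with the entry dropped after the idle retention period) is modelled here as an added Python example. It is not Cache Engine code: the LDAP bind is represented by a caller-supplied verify function, and the host names, user IDs and passwords are constructed for illustration.

```python
import base64
import binascii
import time
from dataclasses import dataclass, field

# Retention limits for authentication-cache entries, in minutes (values from the text above).
DEFAULT_AUTH_TIMEOUT_MIN = 480
MIN_AUTH_TIMEOUT_MIN = 30
MAX_AUTH_TIMEOUT_MIN = 1440


def basic_header(userid, password):
    """Build a 'Basic <base64(userid:password)>' value; Basic is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{userid}:{password}".encode()).decode()


def parse_proxy_basic(header_value):
    """Return (userid, password) from a Proxy-Authorization value, or None if it is malformed."""
    if header_value is None:
        return None
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    userid, sep, password = decoded.partition(":")
    if not sep or not userid:
        return None
    return userid, password


@dataclass
class AuthCache:
    """Entries keyed by user ID (proxy mode) or client IP (transparent mode), expiring on idle time."""
    mode: str                                    # "proxy" or "transparent"
    timeout_min: int = DEFAULT_AUTH_TIMEOUT_MIN
    entries: dict = field(default_factory=dict)  # key -> time of last access (seconds)

    def __post_init__(self):
        if self.mode not in ("proxy", "transparent"):
            raise ValueError("mode must be 'proxy' or 'transparent'")
        if not MIN_AUTH_TIMEOUT_MIN <= self.timeout_min <= MAX_AUTH_TIMEOUT_MIN:
            raise ValueError("AuthTimeout must be between 30 and 1440 minutes")

    def key_for(self, userid, client_ip):
        return userid if self.mode == "proxy" else client_ip

    def hit(self, key, now):
        """True if the key is cached and not idle-expired; a hit refreshes the last-access time."""
        last = self.entries.get(key)
        if last is None:
            return False
        if now - last > self.timeout_min * 60:
            del self.entries[key]   # idle too long: drop it, which forces re-authentication via LDAP
            return False
        self.entries[key] = now     # the window is measured from the last access, so refresh it
        return True

    def add(self, key, now):
        self.entries[key] = now


def handle_request(cache, client_ip, headers, ldap_verify, now=None):
    """Return (status, reason): 407 when authentication is required, 200 when the request may proceed."""
    now = time.time() if now is None else now
    creds = parse_proxy_basic(headers.get("Proxy-Authorization"))
    userid = creds[0] if creds else None
    key = cache.key_for(userid, client_ip)      # None in proxy mode when no credentials were sent
    if key is not None and cache.hit(key, now):
        return 200, "authcache hit"
    if creds is None:
        return 407, "no credentials"            # the CE answers with Proxy-Authenticate: Basic
    if not ldap_verify(creds[0], creds[1]):
        return 407, "ldap bind failed"
    cache.add(cache.key_for(creds[0], client_ip), now)
    return 200, "ldap authenticated"
```

Two consequences of the design follow directly from the text and are visible in the model: in transparent mode every host that shares a cached client IP address (for example behind NAT) is treated as the authenticated user until the entry idles out, and because the exchange is Basic over plain HTTP and the CE's LDAP bind is non-encrypted, the password is readable on both network legs.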

debug ldap server connect

This trace shows the CE communication with the LDAP server:

attempt to connect host at later time-serv=1,thread=0
attempt to connect host at later time-serv=1,thread=1
attempt to connect host at later time-serv=1,thread=2
attempt to connect host at later time-serv=1,thread=3
attempt to connect host at later time-serv=1,thread=4
ldap_open_server_on_timer--thread=4e8ac0,magic=dededada,server=1,thread_ind=0
ldap_open_server_on_timer--thread=4e8b20,magic=dededada,server=1,thread_ind=1
ldap_open_server_on_timer--thread=4e8b80,magic=dededada,server=1,thread_ind=2
ldap_open_server_on_timer--thread=4e8be0,magic=dededada,server=1,thread_ind=3
ldap_open_server_on_timer--thread=4e8c40,magic=dededada,server=1,thread_ind=4
ldap_open_server -server/thread = 1 / 0
ldap_open_server --thread=4e8ac0,magic=dededada,server=1,thread_ind=0
ldap found already initialized ld aa55a00
freeing old host for server 1
connecting new host 172.17.241.217 for server 1
ldap_connect :
ldap_open_server -server/thread = 1 / 1
ldap_open_server --thread=4e8b20,magic=dededada,server=1,thread_ind=1
ldap found already initialized ld aa55600
freeing old host for server 1
connecting new host 172.17.241.217 for server 1
ldap_connect :
ldap_open_server -server/thread = 1 / 2
ldap_open_server --thread=4e8b80,magic=dededada,server=1,thread_ind=2
ldap found already initialized ld ff9e800
freeing old host for server 1
connecting new host 172.17.241.217 for server 1
ldap_connect :
ldap_open_server -server/thread = 1 / 3
ldap_open_server --thread=4e8be0,magic=dededada,server=1,thread_ind=3
ldap found already initialized ld aa55e00
freeing old host for server 1
connecting new host 172.17.241.217 for server 1
ldap_connect :
ldap_open_server -server/thread = 1 / 4
ldap_open_server --thread=4e8c40,magic=dededada,server=1,thread_ind=4
ldap found already initialized ld aa55400
freeing old host for server 1
connecting new host 172.17.241.217 for server 1
ldap_connect :
connected to new host(1) 172.17.241.217 for server 1
freed connection, request mutices 172.17.241.217 for server 1
connected to new host(1) 172.17.241.217 for server 1
freed connection, request mutices 172.17.241.217 for server 1
connected to new host(1) 172.17.241.217 for server 1
freed connection, request mutices 172.17.241.217 for server 1
connected to new host(1) 172.17.241.217 for server 1
freed connection, request mutices 172.17.241.217 for server 1
connected to new host(1) 172.17.241.217 for server 1
freed connection, request mutices 172.17.241.217 for server 1

debug ldap server trace

cfg_ldap_serv_host_cmd(): Begin
nsldapi_open_ldap_defconn
nsldapi_new_connection
nsldapi_open_ldap_connection
nsldapi_connect_to_host: 172.17.241.217:389
 connect with custom connect function-38701c
nsldapi_open_ldap_defconn
nsldapi_new_connection
nsldapi_open_ldap_connection
nsldapi_connect_to_host: 172.17.241.217:389
 connect with custom connect function-38701c
nsldapi_open_ldap_defconn
nsldapi_new_connection
nsldapi_open_ldap_connection
nsldapi_connect_to_host: 172.17.241.217:389
 connect with custom connect function-38701c
nsldapi_open_ldap_defconn
nsldapi_new_connection
nsldapi_open_ldap_connection
nsldapi_connect_to_host: 172.17.241.217:389
 connect with custom connect function-38701c
nsldapi_open_ldap_defconn
nsldapi_new_connection
nsldapi_open_ldap_connection
nsldapi_connect_to_host: 172.17.241.217:389
 connect with custom connect function-38701c
sd 672 connected to: 172.17.241.217
sd 673 connected to: 172.17.241.217
sd 674 connected to: 172.17.241.217
sd 675 connected to: 172.17.241.217
sd 676 connected to: 172.17.241.217

debug ldap server request / receive

This is a sample debug ldap server request/receive trace of a successful search:

ldap_ce_search_wrap - begin
ldap_ce_search_wrap - result 0 for uid smarsill
ldap_ce_search - uid = smarsill, time = 999512222
ldap_user_auth - uid = smarsill
Ldap Mgmt Auth Bind
ldap Admin dn=4e85cd
ldap_user_auth - mgmt bind result = 0
Ldap Bind - user smarsill
Search result = 0, ffa1f80
ldap_first_entry = ffa1f80
ldap dn=uid=smarsill,ou=tac-bru,dc=cisco,dc=com
Ldap Bind Success
ldap_ce_search - authentication succeeded - uid = smarsill, time=999512222
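The sequence this trace records (a management bind with the administrative DN, a search under the base DN for the entry whose UserID-Attribute matches the user ID, then a bind as the DN that was found) as an added Python example. It is not Cache Engine or LDAP-library code: the Directory class is a constructed in-memory stand-in for the LDAP server so the block runs offline, and the DNs, attribute names and passwords are constructed. It adds two checks a production implementation needs that the trace does not show: the user-supplied ID is escaped before it is placed in the search filter, and an empty password is refused before the user bind, because an LDAP bind with an empty password is an unauthenticated (anonymous) bind that many servers accept.

```python
import re

# LDAP result codes used below: 0 = success, 49 = invalidCredentials.
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def escape_filter_value(value):
    """Escape the RFC 4515 filter metacharacters so a user ID cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_search_filter(userid_attr, userid, extra_filter=""):
    """'(uid=<user>)', AND-ed with the configured Filter when one is set."""
    term = "(%s=%s)" % (userid_attr, escape_filter_value(userid))
    return "(&%s%s)" % (term, extra_filter) if extra_filter else term


class Directory:
    """Constructed stand-in for the LDAP server (real code would use python-ldap or ldap3)."""

    def __init__(self, entries, passwords):
        self.entries = entries        # dn -> {attribute: value}
        self.passwords = passwords    # dn -> password

    def bind(self, dn, password):
        if self.passwords.get(dn) == password:
            return LDAP_SUCCESS
        return LDAP_INVALID_CREDENTIALS

    def search(self, base_dn, ldap_filter):
        """Subtree search that supports only the single-equality filter this example builds."""
        m = re.fullmatch(r"\(([A-Za-z][\w-]*)=(.*)\)", ldap_filter)
        if m is None:
            raise ValueError("stub directory supports only '(attr=value)' filters")
        attr, wanted = m.group(1), unescape_filter_value(m.group(2))
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base_dn.lower()) and attrs.get(attr) == wanted]


def authenticate(directory, cfg, userid, password):
    """Search-then-bind as in the trace above. Returns (True, user_dn) or (False, reason)."""
    if not password:
        return False, "empty password refused"   # would otherwise be an anonymous bind
    # 1. Management bind with the administrative DN ("Ldap Mgmt Auth Bind" in the trace).
    if directory.bind(cfg["admin_dn"], cfg["admin_passwd"]) != LDAP_SUCCESS:
        return False, "mgmt bind failed"
    # 2. Search under the base DN for the entry whose UserID-Attribute equals the user ID.
    ldap_filter = build_search_filter(cfg["userid_attr"], userid, cfg.get("filter", ""))
    found = directory.search(cfg["base_dn"], ldap_filter)
    if len(found) != 1:
        return False, "user not found" if not found else "ambiguous user entry"
    # 3. Bind as the DN that was found, with the password the client supplied.
    if directory.bind(found[0], password) != LDAP_SUCCESS:
        return False, "user bind failed"
    return True, found[0]


# Constructed sample directory and configuration for a stand-alone run.
SAMPLE_DIRECTORY = Directory(
    entries={
        "cn=admin,dc=example,dc=com": {"cn": "admin"},
        "uid=jdoe,ou=people,dc=example,dc=com": {"uid": "jdoe"},
    },
    passwords={
        "cn=admin,dc=example,dc=com": "admin-secret",
        "uid=jdoe,ou=people,dc=example,dc=com": "jdoe-secret",
    },
)
SAMPLE_CFG = {
    "base_dn": "dc=example,dc=com",        # mirrors "Base DN" in show ldap server
    "admin_dn": "cn=admin,dc=example,dc=com",
    "admin_passwd": "admin-secret",
    "userid_attr": "uid",                  # mirrors "UserID-Attribute"
    "filter": "",                          # mirrors "Filter" (empty, as on the page)
}

if __name__ == "__main__":
    print(authenticate(SAMPLE_DIRECTORY, SAMPLE_CFG, "jdoe", "jdoe-secret"))
```

The three steps map onto the trace lines in order: the management bind result, the search result and its first entry's DN, then "Ldap Bind Success" for the user bind. A user ID that contains filter metacharacters is escaped into a value that matches nothing, so it ends at "user not found" rather than altering what the search returns.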

show ldap server

dioxin# show ldap server
show_ldap_serv_cmd(): Begin
LDAP Configuration:
------------------
LDAP Authentication is on
    Timeout                 = 5 seconds
    AuthTimeout             = 480 minutes
    Retransmit              = 3
    UserID-Attribute        = uid
    Filter                  =
    Base DN                 = "dc=cisco, dc=com"
    Administrative DN       = "uid=admin, ou=special users, dc=cisco, dc=com"
    Administrative Password = ****
    AllowMode               = DISABLED
    ----------------------
    Servers
    -------

show_ldap_serv_cmd(): End
    IP 172.17.241.217, Port = 389, State: ENABLED

show ldap authcache

dioxin# show ldap authcache

      AuthCache
=====================
hash  1700 : uid: amikus nBkt: 0x0 nLRU: 0x0 pLRU: 0xb889c00
             lacc: 999508731 ipAddr: d8f111ac keyTp: 1
hash  1961 : uid: smarsill nBkt: 0x0 nLRU: 0xb889bc0 pLRU: 0x0
             lacc: 999508484 ipAddr: c003fe90 keyTp: 1

Related Information


Document ID: 4713