[squid-users] Re: AW: [Group-ldap-auth-help] AD auth with squid 2.5

From: Daniel Barron <nettle@dont-contact.us>
Date: Fri, 31 Jan 2003 12:16:24 GMT

In message <0395948F1227D611910A00508B6DD72E27506E@debage69.bertelsmann.de> you wrote:

> .. you seem to have forgotten one step. Please check your config with the following
> instructions:
>
>
> 1) pure authentication:
> define first:
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b
> ou=sample,o=org -f cn=%s -h 192.168.1.1
> auth_param basic children 10
> auth_param basic realm mein super squid proxy
> auth_param basic credentialsttl 2 hours
> then define ACL :
> #
> # ACL for LDAP password check
> #
> acl password proxy_auth REQUIRED
>
> 2) map users to groups:
> define acl type first:
> external_acl_type ldap_group ttl=30 concurrency=10 %LOGIN
> /usr/local/squid/libexec/squid_ldap_group -f
> "(&(cn=%v)(groupmembership=%a))" -b ou=sample,o=org -h 192.168.1.1
> then define ACLs :
> acl movies external ldap_group cn=movies_group,ou=sample,o=org
> acl sounds external ldap_group cn=sounds_group,ou=sample,o=org

> .. hope this gets you running...

Hi, thanks for the reply!

Yes, I've got authentication working now, but not groups. I wonder if you
would mind helping further, please? :)

Here are my settings to get auth to work:

auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "cn=Users,dc=jadeb,dc=com" -u cn -h 192.168.254.23
acl dozeusers proxy_auth REQUIRED

This works with the user 'daniel' that I added to the main Users group.
From an exported LDIF file, the group and user are:

dn: CN=daniel,CN=Users,DC=jadeb,DC=com
changetype: add
memberOf: CN=WebAccess,CN=Users,DC=jadeb,DC=com
accountExpires: 9223372036854775807
badPasswordTime: 126883606504573568
badPwdCount: 0
codePage: 0
cn: daniel
countryCode: 0
displayName: daniel
givenName: daniel
instanceType: 4
lastLogoff: 0
lastLogon: 126883606559552624
logonCount: 0
distinguishedName: CN=daniel,CN=Users,DC=jadeb,DC=com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=jadeb,DC=com
objectClass: user
objectGUID:: 6uPoOsJwRUGJH+TBDQf6Cw==
objectSid:: AQUAAAAAAAUVAAAAkuA8dyPz9mOKpzI/WwQAAA==
primaryGroupID: 513
pwdLastSet: 126883606012065376
name: daniel
sAMAccountName: daniel
sAMAccountType: 805306368
userAccountControl: 512
userPrincipalName: daniel@jadeb.com
uSNChanged: 5057
uSNCreated: 5048
whenChanged: 20030130003641.0Z
whenCreated: 20030129232101.0Z

dn: CN=WebAccess,CN=Users,DC=jadeb,DC=com
changetype: add
member: CN=daniel,CN=Users,DC=jadeb,DC=com
cn: WebAccess
groupType: -2147483646
instanceType: 4
distinguishedName: CN=WebAccess,CN=Users,DC=jadeb,DC=com
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=jadeb,DC=com
objectClass: group
objectGUID:: wAP1kGfxBUq5wtjtqutb5w==
objectSid:: AQUAAAAAAAUVAAAAkuA8dyPz9mOKpzI/WgQAAA==
name: WebAccess
sAMAccountName: WebAccess
sAMAccountType: 268435456
uSNChanged: 5126
uSNCreated: 5034
whenChanged: 20030130113942.0Z
whenCreated: 20030129170330.0Z

So you can see why I needed -b "cn=Users,dc=jadeb,dc=com" in that auth.

Now I am trying to test the group LDAP helper by hand first, as it's much quicker than
lots of squid restarts.

This is what I am using:

./libexec/squid_ldap_group -b cn=Users,dc=jadeb,dc=com -f "(&(cn=%v)(groupmembership=%a))" -h 192.168.254.23
daniel cn=WebAccess,cn=Users,dc=jadeb,dc=com
ERR
daniel WebAccess
ERR

./libexec/squid_ldap_group -b cn=Users,dc=jadeb,dc=com -f "(&(dn=%v)(memberOf=%a))" -h 192.168.254.23
daniel cn=WebAccess,cn=Users,dc=jadeb,dc=com
ERR
daniel WebAccess
ERR

./libexec/squid_ldap_group -b cn=Users,dc=jadeb,dc=com -f "(&(dn=%v)(groupmembership=%a))" -h 192.168.254.23
daniel cn=WebAccess,cn=Users,dc=jadeb,dc=com
ERR
daniel WebAccess
ERR

./libexec/squid_ldap_group -b cn=Users,dc=jadeb,dc=com -f "(&(dn=%v)(memberOf=%a))" -h 192.168.254.23
daniel cn=WebAccess,cn=Users,dc=jadeb,dc=com
ERR
daniel WebAccess
ERR

I am sure it's just a matter of working out the right filter and possibly
the base name, but I don't know what else to try. Perhaps you understand
LDAP better and can point me in the right direction?

Thanks.

-- 
Daniel Barron
(Visit http://dansguardian.org/ - True web content filtering for all)
Received on Fri Jan 31 2003 - 05:16:33 MST
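To see why each of the hand-run filters above returns ERR against the posted LDIF, here is an added offline check (example code, not squid_ldap_group itself): it reproduces only the helper's substitution of %v with the username and %a with the group argument, plus AND-ed equality matching, against a toy in-memory directory built from the two exported entries, so the attribute names alone decide the result.

```python
"""Offline check of squid_ldap_group-style filters against the posted LDIF entries.
Added example, not Squid's code: mimics only '%v = user, %a = group' and AND-ed equality."""
import re

# Constructed from the posted LDIF (attributes trimmed to the ones that matter).
DIRECTORY = {
    "CN=daniel,CN=Users,DC=jadeb,DC=com": {
        "cn": ["daniel"],
        "sAMAccountName": ["daniel"],
        # AD stores group membership on the user as the group's *full* DN.
        "memberOf": ["CN=WebAccess,CN=Users,DC=jadeb,DC=com"],
    },
    "CN=WebAccess,CN=Users,DC=jadeb,DC=com": {
        "cn": ["WebAccess"],
        "member": ["CN=daniel,CN=Users,DC=jadeb,DC=com"],
    },
}

def norm(value):
    """AD compares DNs and most strings case-insensitively; ignore spaces at commas too."""
    return re.sub(r"\s*,\s*", ",", value.strip()).lower()

def matches(entry, filt):
    """Evaluate '(a=b)' or '(&(a=b)(c=d)...)' against one entry. Equality only.
    Attributes the entry lacks (e.g. 'dn', Novell's 'groupmembership') never match."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filt)
    clauses = re.findall(r"\(([^()]*)\)", m.group(1)) if m else [filt.strip("()")]
    attrs = {k.lower(): v for k, v in entry.items()}
    for clause in clauses:
        attr, _, wanted = clause.partition("=")
        if not any(norm(v) == norm(wanted) for v in attrs.get(attr.lower(), [])):
            return False
    return True

def squid_ldap_group(filter_template, user, group):
    """Mimic one 'user group' stdin line fed to the helper: OK if any entry matches."""
    filt = filter_template.replace("%v", user).replace("%a", group)
    return "OK" if any(matches(e, filt) for e in DIRECTORY.values()) else "ERR"

if __name__ == "__main__":
    GROUP_DN = "cn=WebAccess,cn=Users,dc=jadeb,dc=com"
    for tmpl, grp in [
        ("(&(cn=%v)(groupmembership=%a))", GROUP_DN),          # eDirectory attribute, not AD
        ("(&(dn=%v)(memberOf=%a))", GROUP_DN),                 # 'dn' is not a filterable attribute
        ("(&(sAMAccountName=%v)(memberOf=%a))", "WebAccess"),  # short name != stored full DN
        ("(&(sAMAccountName=%v)(memberOf=%a))", GROUP_DN),     # the shape the LDIF supports
    ]:
        print(f"{squid_ldap_group(tmpl, 'daniel', grp):3} {tmpl} <- daniel {grp}")
```

Against a real domain controller the group helper additionally needs a bind account (-D/-w), because AD refuses anonymous searches by default; the auth helper got away without one because -u cn lets it build the user's DN and bind as that user directly.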
