Re: [squid-users] Re: AW: [Group-ldap-auth-help] AD auth with squid 2.5

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 31 Jan 2003 14:32:38 +0100

This is a lot easier with the new version of the LDAP group helper
available in the current 2.5.STABLE nightly snapshots or from
http://marasystems.com/download/LDAP_Group/

But first you need to decide on what you want to match:

a) member attribute of the group objects

b) memberOf attribute of the user objects

I would recommend matching the member attribute of group objects.

Then I'd recommend experimenting a little with the ldapsearch command to
get familiar with the LDAP structure and search filters. It is a quite
healthy exercise and will make the job of constructing filters for
squid_ldap_group a lot easier.

Regards
Henrik

fre 2003-01-31 klockan 13.16 skrev Daniel Barron:
> In message <0395948F1227D611910A00508B6DD72E27506E@debage69.bertelsmann.de> you wrote:
>
> > .. you seem to forget one step. Please check your config with the following
> > instructions:
> >
> >
> > 1) pure authentication:
> > define first::
> > auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b
> > ou=sample,o=org -f cn=%s -h 192.168.1.1
> > auth_param basic children 10
> > auth_param basic realm mein super squid proxy
> > auth_param basic credentialsttl 2 hours
> > then define ACL :
> > #
> > # ACL for LDAP password check
> > #
> > acl password proxy_auth REQUIRED
> >
> > 2) map users to groups:
> > define acl type first:
> > external_acl_type ldap_group ttl=30 concurrency=10 %LOGIN
> > /usr/local/squid/libexec/squid_ldap_group -f
> > "(&(cn=%v)(groupmembership=%a))" -b ou=sample,o=org -h 192.168.1.1
> > then define ACLs :
> > acl movies external ldap_group cn=movies_group,ou=sample,o=org
> > acl sounds external ldap_group cn=sounds_group,ou=sample,o=org
>
> > .. hope this gets you running...
>
>
> Hi, thanks for the reply!
>
> Yes I've got authentication working now but not groups. I wonder if you
> mind helping further please? :)
>
> Here are my settings to get auth to work:
>
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "cn=Users,dc=jadeb,dc=com" -u cn -h 192.168.254.23
> acl dozeusers proxy_auth REQUIRED
>
> This works with the user 'daniel' that I added to the main Users group.
> From an export ldif file the group and user are:
>
>
> dn: CN=daniel,CN=Users,DC=jadeb,DC=com
> changetype: add
> memberOf: CN=WebAccess,CN=Users,DC=jadeb,DC=com
> accountExpires: 9223372036854775807
> badPasswordTime: 126883606504573568
> badPwdCount: 0
> codePage: 0
> cn: daniel
> countryCode: 0
> displayName: daniel
> givenName: daniel
> instanceType: 4
> lastLogoff: 0
> lastLogon: 126883606559552624
> logonCount: 0
> distinguishedName: CN=daniel,CN=Users,DC=jadeb,DC=com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=jadeb,DC=com
> objectClass: user
> objectGUID:: 6uPoOsJwRUGJH+TBDQf6Cw==
> objectSid:: AQUAAAAAAAUVAAAAkuA8dyPz9mOKpzI/WwQAAA==
> primaryGroupID: 513
> pwdLastSet: 126883606012065376
> name: daniel
> sAMAccountName: daniel
> sAMAccountType: 805306368
> userAccountControl: 512
> userPrincipalName: daniel@jadeb.com
> uSNChanged: 5057
> uSNCreated: 5048
> whenChanged: 20030130003641.0Z
> whenCreated: 20030129232101.0Z
>
>
> dn: CN=WebAccess,CN=Users,DC=jadeb,DC=com
> changetype: add
> member: CN=daniel,CN=Users,DC=jadeb,DC=com
> cn: WebAccess
> groupType: -2147483646
> instanceType: 4
> distinguishedName: CN=WebAccess,CN=Users,DC=jadeb,DC=com
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=jadeb,DC=com
> objectClass: group
> objectGUID:: wAP1kGfxBUq5wtjtqutb5w==
> objectSid:: AQUAAAAAAAUVAAAAkuA8dyPz9mOKpzI/WgQAAA==
> name: WebAccess
> sAMAccountName: WebAccess
> sAMAccountType: 268435456
> uSNChanged: 5126
> uSNCreated: 5034
> whenChanged: 20030130113942.0Z
> whenCreated: 20030129170330.0Z
>
>
> So you can see why I needed -b "cn=Users,dc=jadeb,dc=com" in that auth.
>
> Now I am trying to test the group ldap by hand first as it's much quicker than
> lots of squid restarts.
>
> This is what I am using:
>
> ./libexec/squid_ldap_group -b cn=Users,dc=jadeb,dc=com -f "(&(cn=%v)(groupmembership=%a))" -h 192.168.254.23
> daniel cn=WebAccess,cn=Users,dc=jadeb,dc=com
> ERR
> daniel WebAccess
> ERR
>
> ./libexec/squid_ldap_group -b cn=Users,dc=jadeb,dc=com -f "(&(dn=%v)(memberOf=%a))" -h 192.168.254.23
> daniel cn=WebAccess,cn=Users,dc=jadeb,dc=com
> ERR
> daniel WebAccess
> ERR
>
>
> ./libexec/squid_ldap_group -b cn=Users,dc=jadeb,dc=com -f "(&(dn=%v)(groupmembership=%a))" -h 192.168.254.23
> daniel cn=WebAccess,cn=Users,dc=jadeb,dc=com
> ERR
> daniel WebAccess
> ERR
>
>
> ./libexec/squid_ldap_group -b cn=Users,dc=jadeb,dc=com -f "(&(dn=%v)(memberOf=%a))" -h 192.168.254.23
> daniel cn=WebAccess,cn=Users,dc=jadeb,dc=com
> ERR
> daniel WebAccess
> ERR
>
>
> I am sure it's just a matter of working out the right filter and possibly
> the base name, but I don't know what else to try. Perhaps you understand
> ldap better and can point me in the right direction?
>
> Thanks.

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Fri Jan 31 2003 - 06:32:52 MST
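Added illustration, not code from Squid or from either poster: a small offline evaluator that applies the helper's %v/%a substitution (user and group, as in the quoted invocations) to the two LDIF entries quoted above, so the two match strategies Henrik lists (member on the group vs memberOf on the user) can be compared without a live directory. The attribute names member, memberOf, sAMAccountName and distinguishedName come from the quoted LDIF; groupmembership and dn, used in Daniel's filters, do not appear in it, which is why those filters answer ERR here too.

```python
"""Offline check of squid_ldap_group-style filters against the two AD
entries quoted in the thread. Added example; not Squid's helper code."""

# Constructed from the quoted LDIF: only the attributes the filters touch.
USER_DN = "CN=daniel,CN=Users,DC=jadeb,DC=com"
GROUP_DN = "CN=WebAccess,CN=Users,DC=jadeb,DC=com"
DIRECTORY = [
    {"distinguishedname": [USER_DN], "cn": ["daniel"],
     "samaccountname": ["daniel"], "objectclass": ["user"],
     "memberof": [GROUP_DN]},                 # memberOf holds the group DN
    {"distinguishedname": [GROUP_DN], "cn": ["WebAccess"],
     "objectclass": ["group"], "member": [USER_DN]},  # member holds the user DN
]


def parse(f, i=0):
    """Parse one RFC 4515 filter item starting at f[i]; return (node, next i).
    Supports (&...), (|...), (!...) and simple (attr=value) equality."""
    assert f[i] == "("
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] != ")":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)   # value may itself contain '='
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names and DN
    values compared case-insensitively, as AD does)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # An attribute the entry lacks (e.g. groupmembership, dn) never matches.
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def squid_ldap_group(filter_template, user, group):
    """Mimic the helper: %v -> user, %a -> group, search, answer OK or ERR."""
    filt = filter_template.replace("%v", user).replace("%a", group)
    node, _ = parse(filt)
    return "OK" if any(matches(node, e) for e in DIRECTORY) else "ERR"
```

Feeding the same "daniel cn=WebAccess,..." lines Daniel tried shows that matching works once the filter names an attribute the entries actually carry and compares it against a full DN, since both member and memberOf store DNs rather than bare names.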
