Organisational units are not groups, they are subtrees in the LDAP
structure.
Groups are typically made of groupOfNames objects having a member
attribute listing the members of the group.
The easiest way to match organisational units is if the ou name is
kept in an attribute of the user object. In such a case the filter
becomes
external_acl_type ldap_ou %LOGIN
/usr/local/squid/libexec/squid_ldap_group -d -P -b
dc=rusautogaz,dc=ru -f (&(uid=%v)(ou=%a)(objectClass=Person)) -h
172.16.6.1 -p 389
But it should also be possible to match on the dn such as in this
example:
external_acl_type ldap_ou %LOGIN
/usr/local/squid/libexec/squid_ldap_group -d -P -b
dc=rusautogaz,dc=ru -f
(&(dn=uid=%v,ou=%a,dc=rusautogaz,dc=ru)(objectClass=Person)) -h
172.16.6.1 -p 389
Regards
Henrik
On Thursday 27 March 2003 07.48, Mark wrote:
> Hi
> I have some problems configuring authentication of an LDAP users
> group. Authentication from squid_ldap_auth works fine, but if I
> attempt to add authentication with a group, it fails.
>
> dn: uid=sysadmin,ou=uit,dc=rusautogaz,dc=ru
> cn:: 0JrRgNC40YfQvNCw0YAg0JzQsNGA0Log0JzQuNGF0LDQudC70L7QstC40Yc=
>
> dn: ou=uit,dc=rusautogaz,dc=ru
> objectClass: top
> objectClass: organizationalUnit
> ou: uit
>
> -- squid.conf --
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth
> -P -b dc=rusautogaz,dc=ru -D cn=Manager,dc=rusautogaz,dc=ru -w
> password -f (&(uid=%s)(description=active)) -h 172.16.6.1:389
>
> external_acl_type ldap_group %LOGIN
> /usr/local/squid/libexec/squid_ldap_group -d -P -b
> dc=rusautogaz,dc=ru -f
> (&(uid=%v)(member=%a)(objectClass=organizationalUnit)) -h
> 172.16.6.1 -p 389
>
> acl admin external ldap_group uit
>
> http_access allow admin
>
> -------------
>
> Anybody help me
Received on Thu Mar 27 2003 - 01:19:19 MST
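The difference between the filter in the question and the ou-attribute filter in the reply, as an added example that is not part of either message and is not Squid's code. It evaluates only an AND of equality terms against a constructed directory; the `uid`, `ou` and `objectClass` values on the user entry are assumptions, and the RFC 4515 escaping of `%v` and `%a` is included as good practice for any code that builds a filter from a login name, not as a description of what `squid_ldap_group` does.

```python
import re

# Constructed directory modelled on the two entries quoted in the thread.
# The uid, ou and objectClass values on the user entry are assumptions.
ENTRIES = [
    {"dn": "uid=sysadmin,ou=uit,dc=rusautogaz,dc=ru",
     "attrs": {"uid": ["sysadmin"], "ou": ["uit"],
               "objectClass": ["top", "person"]}},
    {"dn": "ou=uit,dc=rusautogaz,dc=ru",
     "attrs": {"ou": ["uit"], "objectClass": ["top", "organizationalUnit"]}},
]

MARK_FILTER = "(&(uid=%v)(member=%a)(objectClass=organizationalUnit))"
OU_ATTR_FILTER = "(&(uid=%v)(ou=%a)(objectClass=Person))"

def escape(value):
    """RFC 4515 escaping, so a login or group name stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def expand(template, user, group):
    """Fill %v (login) and %a (group named on the acl line) in one pass."""
    subst = {"v": escape(user), "a": escape(group)}
    return re.sub(r"%([va])", lambda m: subst[m.group(1)], template)

def matches(entry, ldap_filter):
    """Evaluate an AND of equality terms against ONE entry, ignoring case."""
    terms = re.findall(r"\(([^=()&|!]+)=([^()]*)\)", ldap_filter)
    attrs = {k.lower(): [v.lower() for v in vals]
             for k, vals in entry["attrs"].items()}
    return bool(terms) and all(
        unescape(v).lower() in attrs.get(a.lower(), []) for a, v in terms)

def search(template, user, group):
    """Return matched DNs; a non-empty result counts as a group match here."""
    ldap_filter = expand(template, user, group)
    return [e["dn"] for e in ENTRIES if matches(e, ldap_filter)]

if __name__ == "__main__":
    for name, tmpl in (("original", MARK_FILTER), ("ou attribute", OU_ATTR_FILTER)):
        print(name, expand(tmpl, "sysadmin", "uit"), search(tmpl, "sysadmin", "uit"))
```

The original filter returns nothing because every term must hold on a single entry, and no entry carries both a `uid` and `objectClass: organizationalUnit`.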