Hi, Pedro...
> On Thursday 08 May 2003 15.51, Pedro Alte wrote:
> > The base DN is already the lowest : dc=domain,dc=com.
> > My filter is "(&(cn=%g)(member=cn=%u))", and the authentication
> > only works if I change it to
> > "(&(cn=%g)(member=cn=%u,ou=firstou,ou=secondou,dc=domain,dc=com))".
> > It seems that squid needs to know the members' exact location,
> > which I want to avoid, since I have users located in many different
> > OU's.
I know that problem well and just found a working solution today after
weeks of playing around. :) However, we use Novell Netware instead of
ActiveDirectory.
On Thu, May 08, 2003 at 09:14:23PM +0200, Henrik Nordstrom wrote:
> Alternatively you can use a wildcard search like
> "(&(cn=%g)(member=cn=%u,*))"
This probably won't work. Wildcards are not allowed in member searches.
A stupid restriction though. At least this applies to Novell Netware and
OpenSSL. I assume this is also true for ActiveDirectory (or is there
anything that Microsoft does better than others?).
squid_ldap_group will only work if either all the person objects or all
the group objects are located under a single ou! In our case (Novell
Netware) we have person objects scattered all over different 'ou's.
However, the groups are in a single ou. What we do is the reverse of what
you tried, using the following filter expression:
(&(objectclass=person)(cn=%v)(groupMembership=cn=%a,ou=groups,ou=proxy,o=org))
This will search for all persons (not groups) which have a common name
of %v and whose group membership is cn=%a,ou=groups,ou=proxy,o=org.
I am not sure whether this will work for you. It is important that all
group memberships are accessible in the person object. Novell does it
that way.
I love this page for its good information on how to do LDAP queries:
http://www.sct.gu.edu.au/~anthony/info/apps/LDAP.hints
> In the dual search mode the helper first searches for the user as
> squid_ldap_auth does, and then uses the DN of the found user object in
> the group search filter. The group filter then becomes
> "(&(objectClass=GroupOfNames)(cn=%g)(member=%u))" which will then
> expand into
> "(&(objectClass=GroupOfNames)(cn=NameOfgroup)(member=cn=SomeUser,ou=Some_OU,dc=domain,dc=com))"
> when the %g and %u are filled in.
The dual search mode looks promising. I need to try that myself. Took me
a while to notice this is an important change from Squid 2.5.1 to Squid
2.5.2.
If this works for you, Pedro, then forget about my solution. ;)
Christoph
Received on Thu May 08 2003 - 17:19:10 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:16:28 MST
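An added example, not code from the thread or from Squid itself: it shows how the helper's %-placeholder templates from the thread expand (the bare "(member=cn=%u)" form, Christoph's reverse groupMembership filter, and Henrik's dual-search filter with the user DN filled in), why an equality match on "member" needs the whole DN, and that substituted values must be RFC 4515-escaped before they go into a filter. The escaping helper, `expand_filter`, and the in-memory group entry are constructed here and are assumptions about how such a helper would be written.

```python
# Added example: filter template expansion for squid_ldap_group-style helpers.
# Placeholders (%g/%u, %v/%a) are the ones used in the thread; everything
# else here is constructed for illustration.
import re

# RFC 4515 section 3: characters that must be hex-escaped in a filter value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, **values: str) -> str:
    """Replace %x placeholders with escaped values, e.g. g='group', u='user'."""
    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value supplied for %{key}")
        return escape_filter_value(values[key])
    # With a callable repl, re.sub inserts the returned text literally.
    return re.sub(r'%([a-zA-Z])', substitute, template)


# Constructed directory entry: a groupOfNames whose member values are full
# DNs, as in the ActiveDirectory-style tree described by the original poster.
GROUP = {
    'dn': 'cn=NameOfgroup,ou=groups,dc=domain,dc=com',
    'objectClass': 'GroupOfNames',
    'member': {'cn=SomeUser,ou=Some_OU,dc=domain,dc=com'},
}


def member_matches(group: dict, asserted_value: str) -> bool:
    """An equality match on 'member' compares whole DNs; a bare 'cn=user'
    prefix (and a wildcard) never matches, which is the failure in the thread."""
    return asserted_value in group['member']


def dual_search_filter(group: str, user_dn: str) -> str:
    """Second step of the dual search mode: the DN found by the user search
    is substituted for %u in the group filter."""
    return expand_filter('(&(objectClass=GroupOfNames)(cn=%g)(member=%u))',
                         g=group, u=user_dn)
```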