[squid-users] squid_ldap_group problem

From: <lists@dont-contact.us>
Date: Sat, 03 Apr 2004 23:17:33 +0200

hi,

the relevant parts of my squid.conf look like this:

----
auth_param basic program /usr/lib/squid/ldap_auth -b ou=people,dc=mhcsoftware,dc=de localhost
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type ldap %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=groups,dc=mhcsoftware,dc=de" -f "(&(memberUid=%v)(cn=%a)(objectClass=posixGroup))" -B "ou=people,dc=mhcsoftware,dc=de" -F "(uid=%s)"
acl ldapauth proxy_auth REQUIRED
acl ldapGauth external ldap squid
http_access allow ldapGauth
----
i found no other way than using ldap_auth in addition to squid_ldap_group 
to get the auth request in the browser. if there is a better way, please let 
me know.
when i change to "http_access allow ldapauth" all users with a valid 
password can use squid. but what i want is that only users with a valid 
password in the group squid can use squid. so i hit "squid_ldap_group".
with the config above auth fails. when i have a look at the ldap log i see:

Apr  3 15:50:30 server slapd[20926]: conn=31 op=0 BIND dn="uid=test,ou=people,dc=mhcsoftware,dc=de" method=128
Apr  3 15:50:30 server slapd[20926]: conn=31 op=0 BIND dn="uid=test,ou=people,dc=mhcsoftware,dc=de" mech=simple ssf=0

so, ldap_auth login is OK. then squid_ldap_group looks up the user:

Apr  3 15:50:30 server slapd[20926]: conn=32 op=0 SRCH base="ou=people,dc=mhcsoftware,dc=de" scope=2 filter="(uid=test)"

this seems to work, as i can do a corresponding ldapsearch without any 
problem. then it tries the group lookup:

Apr  3 15:50:30 server slapd[20926]: conn=32 op=1 SRCH base="ou=groups,dc=mhcsoftware,dc=de" scope=2 filter="(&(memberUid=uid=test,ou=people,dc=mhcsoftware,dc=de)(cn=squid)(objectClass=posixGroup))"

and i think that's the problem. when i try this as an ldapsearch i get no 
result. but when i search for:
(&(memberUid=test)(cn=squid)(objectClass=posixGroup))
i get the expected result. well, and that filter is what i would expect when 
i look at my "squid_ldap_group" command line. i do not understand why it 
uses "memberUid=uid=test,ou=people,dc=mhcsoftware,dc=de" instead of what's 
configured on the command line: "memberUid=test". i found no way to get it 
to use the correct filter. my ldap group looks like this:
ldapsearch -LLL -x  -b "cn=squid,ou=groups,dc=mhcsoftware,dc=de" -h localhost "(objectclass=*)"
dn: cn=squid,ou=groups,dc=mhcsoftware,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: squid
gidNumber: 10001
description: Squid User
sambaSID: S-1-5-21-2058215362-2546287647-786178489-21003
sambaGroupType: 2
displayName: Squid User
memberUid: test
any help would be nice.
btw: i'm pretty new to ldap, i use <http://lam.sourceforge.net/> to manage 
accounts etc.
TIA
matthias
-- 
Matthias Henze                matthias@mhcsoftware.de
Use PGP!! http://www.mhcsoftware.de/MatthiasHenze.asc
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
MHC SoftWare GmbH          voice: +49-(0)9533-92006-0
Fichtera 17                  fax: +49-(0)9533-92006-6
96274 Itzgrund/Germany    e-Mail: info@mhcsoftware.de
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Received on Sat Apr 03 2004 - 07:17:12 MST
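
The mismatch reported in this message can be reproduced offline. The following is an added example, not part of the original post and not squid_ldap_group's own code: it assumes, as the slapd log above shows, that with -B/-F the helper puts the looked-up user DN in place of %v, and it evaluates the resulting filter against the group entry quoted in the message. The function names are hypothetical, and the RFC 4515 escaping of the login name is an addition that any filter built from %LOGIN input should have.

```python
# Added illustration: a simplified model, not squid_ldap_group's own code.
import re

# Group entry as shown by the ldapsearch output in the post.
GROUP_ENTRY = {
    "objectClass": ["posixGroup", "sambaGroupMapping"],
    "cn": ["squid"],
    "memberUid": ["test"],
}
GROUP_FILTER = "(&(memberUid=%v)(cn=%a)(objectClass=posixGroup))"  # -f value
USER_BASE = "ou=people,dc=mhcsoftware,dc=de"                       # -B value


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def expand_group_filter(template, login, group, user_dn=None):
    """Fill in %v and %a in one pass; %v is the DN when one was looked up."""
    values = {"v": user_dn if user_dn is not None else login, "a": group}
    return re.sub(r"%([va])", lambda m: escape_filter_value(values[m.group(1)]), template)


def entry_matches(entry, ldap_filter):
    """Evaluate a flat (&(attr=value)...) filter; exact equality only (simplified)."""
    terms = re.findall(r"\(([A-Za-z]+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)", ldap_filter)
    unescape = lambda v: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)
    return bool(terms) and all(unescape(v) in entry.get(a, []) for a, v in terms)


if __name__ == "__main__":
    dn = "uid=test," + USER_BASE  # what the -B/-F user search returns
    for label, user_dn in (("with -B/-F (DN)", dn), ("login name only", None)):
        f = expand_group_filter(GROUP_FILTER, "test", "squid", user_dn)
        print(label, f, "->", "match" if entry_matches(GROUP_ENTRY, f) else "no match")
```

A posixGroup stores bare login names in memberUid, so only the filter built from the login name matches the entry; the DN form would match a group whose member attribute holds full DNs.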
