Re: [squid-users] how to squid_ldap_match

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 19 Jul 2004 15:20:46 +0200 (CEST)

On Wed, 23 Jun 2004 lars.keller@basf-it-services.com wrote:

> I want to use squid_ldap_match (Squid is version 2.5 STABLE3) to check
> ADS group memberships of LDAP users. Must I first use squid_ldap_auth to
> check for the user, or can I use only squid_ldap_match?
> How must I do this?

You need both.

Note: squid_ldap_match is known by the name squid_ldap_group these days
and shipped with the Squid distribution.

> I need a configuration example.
>
> My squid.conf
>
> auth_param basic program /usr/sbin/squid_ldap_auth -p xxx -u cn -R -b
> ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -D
> cn=Squid,ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -W xxxxx -f
> "SamAccountName=%s" myADSserver

Looks OK.

You don't need the -u option in combination with -f, but it won't harm you
either.

> external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_match -B
> ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -F "SamAccountName=%S"
> -D cn=Squid,ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -W xxxxx
> -b cn=xxxxx,ou=Groups,ou=abc,ou=edf,dc=a,dc=b,dc=com
> -f "(&(SamAccountName=%S)(member=%v))" -h myADSserver -p xxx

Also looks OK.

Both can be tested easily from the command line. squid_ldap_auth expects

username password

as input, and squid_ldap_group (or _match) expects

username group

as input.

> http_access allow Autorized
>
> http_access allow internetuser

This looks odd... first you allow access for all authenticated users, then
users belonging to the correct group. Most likely you should get rid of
the first http_access rule here.

Regards
Henrik
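
The access rules reassembled the way Henrik suggests, as an added example
that is not part of the original thread. The acl names Autorized and
internetuser come from the posted squid.conf; their definitions, the group
name internetgroup and the closing "deny all" are assumptions. The
auth_param and external_acl_type lines are the posted ones and are not
repeated here.

```conf
# Added example (not from the original thread): ordering of http_access
# for "authenticated AND member of the group".  The helper lines
# (auth_param basic program ... squid_ldap_auth, external_acl_type
# ldap_group ... squid_ldap_match/squid_ldap_group) are the posted ones.

# Any user squid_ldap_auth answers OK for.  Name taken from the post.
acl Autorized proxy_auth REQUIRED

# Squid feeds the helper the line "<login> internetgroup" and the acl
# matches when it answers OK.  Group name is an assumption.
acl internetuser external ldap_group internetgroup

# As posted (fail-open): the first rule already admits everybody who can
# log in, so the group check on the second line never decides anything.
#
#   http_access allow Autorized
#   http_access allow internetuser

# Corrected: reject (and so challenge) unauthenticated requests first,
# then let only members of the group through, and close the default.
http_access deny !Autorized
http_access allow internetuser
http_access deny all
```

"deny !Autorized" is what makes Squid send the 407 challenge; with only
the external acl in place, users outside the group would still be asked
for credentials but then fall through to "deny all", which is the
intended result. Both helpers can be checked before reloading Squid by
piping one request line to each, exactly as described above: "user
password" to squid_ldap_auth, "user internetgroup" to the group helper,
expecting OK or ERR on the first output line.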
Received on Mon Jul 19 2004 - 07:20:48 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Aug 01 2004 - 12:00:02 MDT