On Wed, 23 Jun 2004 lars.keller@basf-it-services.com wrote:
> I want to use squid_ldap_match (Squid is version 2.5 Stable 3) to check
> ADS group memberships of LDAP users. Must I first use squid_ldap_auth to
> check for the user, or can I use only squid_ldap_match?
> How must I do this?
You need both.
Note: squid_ldap_match is known by the name squid_ldap_group these days
and shipped with the Squid distribution.
> I need a configuration example.
>
> My squid.conf
>
> auth_param basic program /usr/sbin/squid_ldap_auth -p xxx -u cn -R -b
> ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -D
> cn=Squid,ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -W xxxxx -f
> "SamAccountName=%s" myADSserver
Looks OK.
You don't need the -u option in combination with -f, but it won't harm you
either.
> external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_match -B
> ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -F "SamAccountName=%S" -D cn=Squid
> ,ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -W xxxxx -b
> cn=xxxxx,ou=Groups,ou=abc,ou=edf,dc=a,dc=b,dc=com -f"(&(SamAccountName
> =%S)(member=%v))" -h myADSserver -p xxx
Also looks OK.
Both can be tested easily from the command line. squid_ldap_auth expects
username password
as input, and squid_ldap_group (or _match) expects
username group
as input.
> http_access allow Autorized
>
> http_access allow internetuser
This looks odd... first you allow access for all authenticated users, then
users belonging to the correct group. Most likely you should get rid of
the first http_access rule here.
Regards
Henrik
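The access-control section as it would look with the ordering problem fixed, as an added example (not from the mail or from Squid's documentation). The two helper lines are the ones quoted above (with the redundant -u dropped), the ACL names follow the quoted http_access lines, and GROUPNAME is a placeholder for the AD group to allow.

```conf
# Added example configuration, not part of the original mail.

# User authentication helper (as quoted above, without -u).
auth_param basic program /usr/sbin/squid_ldap_auth -p xxx -R -b ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -D cn=Squid,ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -W xxxxx -f "SamAccountName=%s" myADSserver
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# Group helper: %LOGIN passes the authenticated user name to the helper,
# the ACL argument (the group) follows it on the same input line,
# i.e. "username group" as described in the reply above.
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -B ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -F "SamAccountName=%S" -D cn=Squid,ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -W xxxxx -b cn=xxxxx,ou=Groups,ou=abc,ou=edf,dc=a,dc=b,dc=com -f "(&(SamAccountName=%S)(member=%v))" -h myADSserver -p xxx

# "Autorized" keeps the spelling used in the quoted http_access line.
acl Autorized proxy_auth REQUIRED
# GROUPNAME is a placeholder; it is what the helper receives as the group.
acl internetuser external ldap_group GROUPNAME

# http_access is first-match: an "allow Autorized" line placed before the
# group rule would admit every user who can log in, regardless of group.
# Only the group membership grants access; everything else is denied.
http_access allow internetuser
http_access deny all
```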
Received on Mon Jul 19 2004 - 07:20:48 MDT