On Fri, 4 Feb 2005, cipher wrote:
> external_acl_type ldap_group ttl=120 negative_ttl=120 %LOGIN /usr/local/squid/libexec/squid_ldap_group -b ou=squid,o=domain.int -f "(&(uid=%v)(memberUid=%g))" -B ou=People,o=domain.int -F "uid=%s" -S -R -D uid=proxy,ou=squid,o=dmain.int -w proxy-binder -h localhost
> [...]
> dn: cn=proxy-allow,ou=squid, o=domain.int
> gidNumber: 600
> memberUid: test-user
> objectClass: posixGroup
> objectClass: top
> cn: proxy-allow
Ok, so your LDAP group is defined with
cn = group name
memberUid = login name (NOT DN) being member of the group
In squid_ldap_group terms this becomes
-f "(&(cn=%g)(memberUid=%u))"
and you should NOT use a -F flag to translate the login names to DNs.
Normally, LDAP groups use the member attribute, listing the full DNs of the
users who are members of the group, not just login names (uid), but thanks
to its flexible design squid_ldap_group doesn't really care and handles
both nicely, at the cost of requiring careful configuration to match your
directory design.
Regards
Henrik
Received on Fri Feb 04 2005 - 16:22:57 MST
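The point Henrik makes (match the group entry on cn and memberUid, and do not let -F turn the login into a DN first) can be seen by modelling the helper's substitution step. The script below is an added example, not code from the thread or from Squid: it keeps a constructed two-entry directory (the posixGroup from the thread plus a matching user entry), a toy evaluator that understands only `(&(a=v)(b=w))` equality filters, and a `group_lookup` model of squid_ldap_group in which %u (and, by assumption, its synonym %v) is the login name unless -F is given, in which case the login is resolved to its DN first. The function names and the directory contents are mine.

```python
"""
Added example (not from the mailing-list thread or from Squid): a small model
of how squid_ldap_group substitutes %u/%g into its -f filter, and why a -F
user-to-DN translation breaks a memberUid-based posixGroup lookup.
"""
import re

# Constructed sample directory: the group from the thread plus a user entry
# for the login it lists (assumed layout under ou=People,o=domain.int).
DIRECTORY = [
    {"dn": "cn=proxy-allow,ou=squid,o=domain.int",
     "cn": ["proxy-allow"], "gidNumber": ["600"],
     "memberUid": ["test-user"], "objectClass": ["posixGroup", "top"]},
    {"dn": "uid=test-user,ou=People,o=domain.int",
     "uid": ["test-user"], "objectClass": ["posixAccount", "top"]},
]

# One equality term of an LDAP filter: (attr=value), value without parens.
TERM = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")


def matches(entry, filt):
    """Toy LDAP filter evaluator: supports (a=v) and (&(a=v)(b=w)...) only.
    A bare 'a=v' (as used with -F) is treated as '(a=v)'."""
    if not filt.startswith("("):
        filt = "(" + filt + ")"
    terms = TERM.findall(filt)
    if not terms:
        raise ValueError("unsupported filter: " + filt)
    # Every equality term must be satisfied (an AND of equalities).
    return all(value in entry.get(attr, []) for attr, value in terms)


def group_lookup(user, group, filter_template, user_dn_template=None):
    """Model of squid_ldap_group's group test (my simplification):
    %u/%v is the login name, %g the group name.  With -F (user_dn_template)
    the login is first resolved to the user's DN and that DN replaces %u/%v.
    Returns the DN of the first matching group entry, or None."""
    login = user
    if user_dn_template is not None:
        user_filter = user_dn_template.replace("%s", user)
        hits = [e["dn"] for e in DIRECTORY if matches(e, user_filter)]
        if not hits:
            return None
        login = hits[0]  # -F: %u is now the DN, not the bare login
    filt = (filter_template.replace("%u", login)
                           .replace("%v", login)
                           .replace("%g", group))
    for entry in DIRECTORY:
        if matches(entry, filt):
            return entry["dn"]
    return None


def original_config():
    """The poster's filter together with -F "uid=%s": no group matches."""
    return group_lookup("test-user", "proxy-allow",
                        "(&(uid=%v)(memberUid=%g))", user_dn_template="uid=%s")


def corrected_config():
    """Henrik's filter without -F: the posixGroup entry matches."""
    return group_lookup("test-user", "proxy-allow",
                        "(&(cn=%g)(memberUid=%u))")


def corrected_filter_with_F():
    """Henrik's filter but still with -F: memberUid holds logins, not DNs,
    so the substituted DN never matches."""
    return group_lookup("test-user", "proxy-allow",
                        "(&(cn=%g)(memberUid=%u))", user_dn_template="uid=%s")


if __name__ == "__main__":
    print("original filter + -F     :", original_config())
    print("corrected filter, no -F  :", corrected_config())
    print("corrected filter + -F    :", corrected_filter_with_F())
```

The third case is the one worth remembering when debugging this helper: the filter can be right and the lookup still fail silently, because -F quietly changes what %u expands to. Checking the helper by hand from the command line with the same login and group name, with and without -F, is the quickest way to see which substitution the directory actually matches.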