Hi,
I'm seeking some Squid or LDAP guru help!
We are working at a customer site trying to configure Squid
authentication to eDirectory LDAP using group membership.
The current implementation is working fine with OpenLDAP, but when we try
eDirectory LDAP it fails.
They are using the squid_ldap_auth and squid_ldap_group modules.
It seems to be a problem with group membership attributes: the value of the
member attribute returned by the two LDAP servers is different.
When querying OpenLDAP it returns:
# g_http_internet, poderjudicial, gub, uy
dn: cn=g_http_internet, dc=poderjudicial,dc=gub,dc=uy
objectClass: groupOfNames
objectClass: top
"member: cn=csomma"
But when querying eDir LDAP it returns:
# g_http_internet, poderjudicial
dn: cn=g_http_internet,o=poderjudicial
objectClass: groupOfNames
objectClass: Top
"member: cn=csomma,ou=divTec,ou=dgsa,ou=scj,o=poderjudicial"
This is the current configuration with OpenLDAP (which works fine), but
doesn't work with eDir LDAP.
#external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_group -d -b "dc=poderjudicial,dc=gub,dc=uy" -B "dc=poderjudicial,dc=gub,dc=uy" -h localhost -f "(&(objectclass=groupOfNames)(cn=%a)(member=cn=%u))"
Forcing member= to the full distinguished name, it works, but here the problem
is with sublevel contexts under o=poderjudicial.
external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_group -d -b "o=poderjudicial" -B "o=poderjudicial" -s sub -h 10.0.3.61 -f "(&(objectclass=groupOfNames)(cn=%a)(member=cn=%u,o=poderjudicial))"
Is there a way to put something in the filter like member=fdn, or
member=%u*, we tried with -F also but it doesn't work.
Or setting the filter to match the full distinguished name ?
Thanks !!
Adrian.
Received on Sat Feb 12 2005 - 06:18:06 MST
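
The two-step check the question is asking for, as an added example that is not part of the original post and not Squid's helper code: resolve the login to its full DN with a subtree search, then compare that DN for equality against the group's member values, failing closed when the login is ambiguous. The directory is a constructed in-memory sample (the jperez entries and all function names are hypothetical), and DN normalisation is simplified (no escaped commas).

```python
import re

# Constructed sample entries modelled on the eDirectory output in the post.
USERS = [
    "cn=csomma,ou=divTec,ou=dgsa,ou=scj,o=poderjudicial",
    "cn=jperez,ou=scj,o=poderjudicial",           # hypothetical user
    "cn=jperez,ou=dgsa,ou=scj,o=poderjudicial",   # hypothetical duplicate cn
]
GROUPS = {
    "cn=g_http_internet,o=poderjudicial": [
        "cn=csomma,ou=divTec,ou=dgsa,ou=scj,o=poderjudicial",
    ],
}

def norm_dn(dn):
    """Simplified DN normalisation: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def escape_filter(value):
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def resolve_user_dn(login, base):
    """Step 1: subtree search for cn=<login> under base; exactly one hit or None."""
    want, suffix = "cn=" + login.lower(), "," + norm_dn(base)
    hits = [dn for dn in USERS
            if norm_dn(dn).split(",")[0] == want and norm_dn(dn).endswith(suffix)]
    return hits[0] if len(hits) == 1 else None

def group_filter(group, member_value):
    """The filter a client would send once the member value is known."""
    return "(&(objectclass=groupOfNames)(cn=%s)(member=%s))" % (
        escape_filter(group), escape_filter(member_value))

def is_member(group, member_value):
    """Step 2: equality match of member_value against the group's member DNs."""
    for gdn, members in GROUPS.items():
        if norm_dn(gdn).split(",")[0] == "cn=" + group.lower():
            return norm_dn(member_value) in {norm_dn(m) for m in members}
    return False

def check(login, group, base="o=poderjudicial"):
    dn = resolve_user_dn(login, base)
    return dn is not None and is_member(group, dn)

if __name__ == "__main__":
    print(check("csomma", "g_http_internet"))                         # resolved DN
    print(is_member("g_http_internet", "cn=csomma,o=poderjudicial"))  # guessed DN
    print(group_filter("g_http_internet", resolve_user_dn("csomma", "o=poderjudicial")))
```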