On Sat, 12 Feb 2005, Adrian Malaguti wrote:
> They are using squid_ldap_auth and squid_ldap_group modules.
> It seems to be a problem with group membership attributes; the value for the
> member attribute returned by the two LDAP servers is different.
> When querying to openldap it returns:
> # g_http_internet, poderjudicial, gub, uy
> dn: cn=g_http_internet, dc=poderjudicial,dc=gub,dc=uy
> objectClass: groupOfNames
> objectClass: top
> "member: cn=csomma"
This is not a correct member of a groupOfNames.. the member should be the
full DN of the member user, not just the CN.
> But when querying to eDir LDAP it returns:
> # g_http_internet, poderjudicial
> dn: cn=g_http_internet,o=poderjudicial
> objectClass: groupOfNames
> objectClass: Top
> "member: cn=csomma,ou=divTec,ou=dgsa,ou=scj,o=poderjudicial"
Looks good.
> This is the current configuration with openldap (which works fine), but
> doesn't work with eDir LDAP.
> #external_acl_type ldap_group_helper %LOGIN
> /usr/local/squid/libexec/squid_ldap_group -d -b
> "dc=poderjudicial,dc=gub,dc=uy" -B "dc=poderjudicial,dc=gub,dc=uy" -
> h localhost -f "(&(objectclass=groupOfNames)(cn=%a)(member=cn=%u))"
You need to use the -F flag to tell squid_ldap_group how to find the user
from the login name. Same as the -f flag to squid_ldap_auth.
Note that the -f flag needs to be changed somewhat by removing any DN
components from the member attribute match (member=%u instead of
member=cn=%u).
For clarity I would recommend using %g instead of %a. Especially
considering you are already using %u for the user.. (initial version of
squid_ldap_group used %a/%v, current versions use %g/%u but also support
the older codes..)
Regards
Henrik
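Henrik's three suggestions combined into a squid.conf fragment, added here as an example and not taken from the thread. The user search filter "(cn=%s)" is an assumption about how user entries are named in the eDir tree (%s is the placeholder squid_ldap_group substitutes for the login name); the base DNs are taken from the eDir entry quoted above.

```conf
# Original helper line (works on OpenLDAP only because that server stores a
# bare CN in the member attribute, so member=cn=<login> happens to match):
#external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_group -d -b "dc=poderjudicial,dc=gub,dc=uy" -B "dc=poderjudicial,dc=gub,dc=uy" -h localhost -f "(&(objectclass=groupOfNames)(cn=%a)(member=cn=%u))"

# Corrected for eDirectory, where member holds the user's full DN:
#   -B / -F  search the user subtree for the login name (%s) to obtain its DN
#   -f       %u is now that full DN, so match member=%u; %g is the group name
# Assumption: user entries are located by cn; change -F if they are keyed by
# another attribute such as uid.
external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_group -d -b "o=poderjudicial" -B "o=poderjudicial" -h localhost -F "(cn=%s)" -f "(&(objectclass=groupOfNames)(cn=%g)(member=%u))"

# The acl argument becomes %g in the group filter.
acl internet_users external ldap_group_helper g_http_internet
http_access allow internet_users
```

With -d set, the helper logs the user DN it resolved and the group filter it sent to cache.log, which is the quickest way to confirm the lookup now matches the full DN.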
Received on Sun Feb 20 2005 - 07:52:31 MST