[squid-users] Re: squid_ldap_auth an multiple organizations

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 19 Aug 2005 05:23:57 +0200 (CEST)

On Wed, 17 Aug 2005, Peter Stalling wrote:

> Hello,
> we are using squid_ldap_auth as authenticator for squid-proxy against
> novell eDir. Works fine in general. Now we had to setup a different
> organization-branch in eDir parallel to the existing one.
> It looks like this:
>
> Tree--
>   |- o=old-context
>   |- o=second-context
>
> Is there a chance to get squid_ldap_auth working by starting with a
> base-dn on tree-level? Normally, it will only recognize o=old-context as
> parameter or o=second-context as -b.

Not easily. LDAP only operates in a single root-DSE at a time.

> For example a standard ldap-browser like from softerra can browse from
> the top of a ldap-directory by reading the root-dse (dit).

Browsing is not a problem. The problem is how to perform efficient
searches when the search needs to cross more than one DSE. squid_ldap_auth
only performs a single search and simply doesn't cross DSEs within the
search other than while chasing referrals.

> If this is already possible, what would be the correct syntax for
> calling squid_ldap_auth? If not, would it be a heavy deal, to enhance
> the source in order to do so? Maybe, you can give me a little hint.

I guess it could be extended to perform multiple searches (one per root).

> Nevertheless, I didn't know, whether it is o.k. to mail this directly to
> you. Please let me know, if this better should be posed on some
> newsgroup.

The preferred channel is the squid-users mailing list, as noted in the
squid_ldap_auth manual. Discussion moved there.

Regards
Henrik
Received on Thu Aug 18 2005 - 21:24:00 MDT
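
The "multiple searches (one per root)" idea from the reply above, sketched as an added example (not code from squid_ldap_auth or from either poster). The `uid` attribute, the sample directory, the stand-in search/bind functions and the choice to reject a name that matches under more than one root are all assumptions made for illustration.

```python
from urllib.parse import unquote

BASES = ["o=old-context", "o=second-context"]  # the two roots from the post

# Constructed sample directory (assumption): base DN -> {uid: (entry DN, password)}
SAMPLE_DIR = {
    "o=old-context": {"alice": ("cn=alice,o=old-context", "pw-a"),
                      "dup": ("cn=dup,o=old-context", "pw-1")},
    "o=second-context": {"bob": ("cn=bob,o=second-context", "pw-b"),
                         "dup": ("cn=dup,o=second-context", "pw-2")},
}

def escape_filter(value):
    """Escape the RFC 4515 filter metacharacters so input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def sample_search(base, filt):
    """Stand-in for one subtree search under `base`; matches (uid=...) exactly."""
    return [dn for uid, (dn, _) in SAMPLE_DIR.get(base, {}).items()
            if filt == "(uid=%s)" % escape_filter(uid)]

def sample_bind(dn, password):
    """Stand-in for a simple bind as `dn` with `password`."""
    return any(e == (dn, password) for d in SAMPLE_DIR.values() for e in d.values())

def find_user_dn(user, bases=BASES, search=sample_search):
    """Run one search per root; accept only a single unambiguous match."""
    filt = "(uid=%s)" % escape_filter(user)
    hits = [dn for base in bases for dn in search(base, filt)]
    return hits[0] if len(hits) == 1 else None

def authenticate(user, password, bind=sample_bind):
    if not user or not password:  # an empty password would be an unauthenticated bind
        return False
    dn = find_user_dn(user)
    return dn is not None and bind(dn, password)

def helper_reply(line):
    """Map one 'user password' request line to the helper's OK/ERR reply."""
    parts = line.strip().split(" ")
    if len(parts) != 2:
        return "ERR"
    return "OK" if authenticate(unquote(parts[0]), unquote(parts[1])) else "ERR"

if __name__ == "__main__":
    for request in ["alice pw-a", "bob pw-b", "dup pw-1", "* pw-a"]:
        print(request, "->", helper_reply(request))
```
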
