Hello guys,
I'd like to use LDAP groups to set up access rights for users.
Current configuration:
===
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth \
-b "ou=Users,dc=home" -v 3 localhost
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
external_acl_type ldap_group %LOGIN /usr/local/libexec/squid/squid_ldap_group \
-b "ou=Groups,dc=home" -f "(&(memberUid=%u)(cn=%g))" -v 3 localhost \
-D "cn=Guest,ou=DSA,dc=home" -w xxx
[skipped]
acl CONNECT method CONNECT
acl ldap_unlim external ldap_group squid-unlim
[skipped]
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow ldap_unlim
http_access deny all
===
LDAP group:
$ ldapsearch -LLL -s sub -b "ou=Groups,dc=home" -D "cn=Guest,ou=DSA,dc=home" -w xxx "(&(memberUid=sak)(cn=squid-unlim))"
dn: cn=squid-unlim,ou=Groups,dc=home
objectClass: top
objectClass: posixGroup
cn: squid-unlim
gidNumber: 2001
memberUid: sak
squid_ldap_group seems to be working:
# /usr/local/libexec/squid/squid_ldap_group -h 127.0.0.1 -b "ou=Groups,dc=home" -f "(&(memberUid=%u)(cn=%g))" -D "cn=Guest,ou=DSA,dc=home" -w xxx -v 3 -d
sak squid-unlim
Connected OK
group filter '(&(memberUid=sak)(cn=squid-unlim))', searchbase 'ou=Groups,dc=home'
OK
But when I try to access an Internet site, I get:
The following error was encountered:
Access Denied.
Access control configuration prevents your request from being allowed
at this time. Please contact your service provider if you feel this is
incorrect.
In slapd.log:
May 1 14:00:28 pixel slapd[744]: conn=255 fd=21 ACCEPT from IP=127.0.0.1:51366 (IP=127.0.0.1:389)
May 1 14:00:28 pixel slapd[744]: conn=255 op=0 BIND dn="uid=sak,ou=Users,dc=home" method=128
May 1 14:00:28 pixel slapd[744]: conn=255 op=0 BIND dn="uid=sak,ou=Users,dc=home" mech=SIMPLE ssf=0
May 1 14:00:28 pixel slapd[744]: conn=255 op=0 RESULT tag=97 err=0 text=
May 1 14:00:28 pixel slapd[744]: conn=255 op=1 UNBIND
May 1 14:00:28 pixel slapd[744]: conn=255 fd=21 closed
May 1 14:00:28 pixel slapd[744]: conn=256 fd=21 ACCEPT from IP=127.0.0.1:50849 (IP=127.0.0.1:389)
May 1 14:00:28 pixel slapd[744]: conn=256 op=0 SRCH base="ou=Groups,dc=home" scope=2 deref=0 filter="(&(memberUid=sak)(cn=squid-unlim))"
May 1 14:00:28 pixel slapd[744]: conn=256 op=0 SRCH attr=1.1
May 1 14:00:28 pixel slapd[744]: conn=256 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 1 14:00:28 pixel slapd[744]: conn=256 op=1 UNBIND
May 1 14:00:28 pixel slapd[744]: conn=256 fd=21 closed
# squid -v
Squid Cache: Version 2.6.STABLE12
Where am I wrong?
Thanks for any help.
--
Best regards, Sergey mailto:ksa@uaic.net

Received on Tue May 01 2007 - 05:09:13 MDT
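
Added example (not part of the original post): in the slapd.log excerpt above, conn=255 binds as the user, while conn=256 runs the group search with no BIND line and gets nentries=0. The script below groups such lines by connection and flags searches that ran unbound and matched nothing; the sample input is copied from that excerpt, and the function names are illustrative.

```python
import re

# Sample input: lines copied from the slapd.log excerpt in the post above.
SAMPLE_LOG = """\
May 1 14:00:28 pixel slapd[744]: conn=255 fd=21 ACCEPT from IP=127.0.0.1:51366 (IP=127.0.0.1:389)
May 1 14:00:28 pixel slapd[744]: conn=255 op=0 BIND dn="uid=sak,ou=Users,dc=home" method=128
May 1 14:00:28 pixel slapd[744]: conn=255 op=0 BIND dn="uid=sak,ou=Users,dc=home" mech=SIMPLE ssf=0
May 1 14:00:28 pixel slapd[744]: conn=255 op=0 RESULT tag=97 err=0 text=
May 1 14:00:28 pixel slapd[744]: conn=255 op=1 UNBIND
May 1 14:00:28 pixel slapd[744]: conn=255 fd=21 closed
May 1 14:00:28 pixel slapd[744]: conn=256 fd=21 ACCEPT from IP=127.0.0.1:50849 (IP=127.0.0.1:389)
May 1 14:00:28 pixel slapd[744]: conn=256 op=0 SRCH base="ou=Groups,dc=home" scope=2 deref=0 filter="(&(memberUid=sak)(cn=squid-unlim))"
May 1 14:00:28 pixel slapd[744]: conn=256 op=0 SRCH attr=1.1
May 1 14:00:28 pixel slapd[744]: conn=256 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 1 14:00:28 pixel slapd[744]: conn=256 op=1 UNBIND
May 1 14:00:28 pixel slapd[744]: conn=256 fd=21 closed
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:op=\d+ )?(.*)$")
BIND_RE = re.compile(r'^BIND dn="([^"]*)" method=\d+')
BIND_RESULT_RE = re.compile(r"^RESULT tag=97 err=(\d+)")
SRCH_RE = re.compile(r'^SRCH base="[^"]*" .*filter="(.*)"$')
SEARCH_RESULT_RE = re.compile(r"^SEARCH RESULT tag=101 err=\d+ nentries=(\d+)")


def summarize(log_text):
    """Group slapd lines by conn id: bind DN (None if unbound) and searches."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn = conns.setdefault(int(m.group(1)), {"bind_dn": None, "searches": []})
        rest = m.group(2).strip()
        if (b := BIND_RE.match(rest)):
            conn["bind_dn"] = b.group(1) or None  # dn="" is an anonymous bind
        elif (r := BIND_RESULT_RE.match(rest)) and r.group(1) != "0":
            conn["bind_dn"] = None  # bind was rejected
        elif (s := SRCH_RE.match(rest)):
            conn["searches"].append({"filter": s.group(1), "nentries": None})
        elif (n := SEARCH_RESULT_RE.match(rest)) and conn["searches"]:
            conn["searches"][-1]["nentries"] = int(n.group(1))
    return conns


def unbound_empty_searches(conns):
    """Return (conn id, filter) for searches run with no bind that matched nothing."""
    return [(cid, s["filter"]) for cid, c in conns.items()
            if c["bind_dn"] is None for s in c["searches"] if s["nentries"] == 0]
```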