[squid-users] authenticate using ldap to AD for hostnames

From: Rolf Loudon <rolf@dont-contact.us>
Date: Wed, 19 Dec 2007 13:18:18 +1100

hi

I have used for many years auth for squid by looking up user/pass and
group membership against Active Directory.

I have found that I can place hostnames into AD groups (the object
type of "computers", as AD describes it). Querying the directory with
cn=<somehostname> returns the group, as does cn=<somegroupname> return
that group's members.

I see that I can define an external ACL type and use %SRC, which is
the client IP. As the AD group contains hostnames, I'm trying to see
if I can write a simple helper that turns %SRC into a hostname and
perhaps in turn then calls squid_ldap_group to test the hostname value
for membership of a group, finally returning "OK" or "ERR" as
required. The end result is that if a certain hostname is in an AD
group then I can make ACL decisions based on that.

But I'm not quite understanding enough. In particular the filter
specification to squid_ldap_group seems only to have the variables %u
and %g for username and group name and I don't see how to populate %u
in this context.

Is it the case that from

external_acl_type name %SRC /usr/lib/squid/squid_ldap_group ... -f
(&(cn=%u)(memberOf=%g)) ...

%u would equal %SRC ?

Any help much appreciated on how to do this, or another method to
achieve the same thing.

thanks

rolf.
Received on Tue Dec 18 2007 - 19:23:40 MST
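
The helper described in the message above, as an added example that is not part of the original post or of Squid: it reads %SRC lines, accepts a PTR name only when it resolves forward to the same address, and escapes the name before placing it in the (&(cn=...)(memberOf=...)) filter, since reverse DNS data is supplied by whoever controls the client's reverse zone. Assumptions: GROUP_DN is a constructed placeholder, directory_has_match is a hypothetical callable that runs the filter against AD and returns True or False, and the computer object's cn is taken to be the short host name.

```python
#!/usr/bin/env python3
"""Squid external ACL helper sketch: %SRC -> hostname -> AD group filter."""
import socket
import sys

GROUP_DN = "CN=ProxyHosts,OU=Groups,DC=example,DC=com"  # constructed placeholder


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters in an untrusted value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def confirmed_hostname(ip, rdns=socket.gethostbyaddr, fdns=socket.gethostbyname_ex):
    """Return the PTR name only if it resolves forward to the same IPv4 address."""
    try:
        name = rdns(ip)[0]
        if ip in fdns(name)[2]:
            return name
    except OSError:  # herror/gaierror: no PTR record, or name does not resolve
        pass
    return None


def build_filter(hostname, group_dn=GROUP_DN):
    """The filter from the post, with the short host name in place of %u."""
    cn = hostname.split(".")[0]  # assumption: cn is the short host name
    return "(&(cn=%s)(memberOf=%s))" % (ldap_escape(cn), ldap_escape(group_dn))


def decide(ip, directory_has_match, **dns):
    """Return the helper reply ("OK" or "ERR") for one %SRC value."""
    name = confirmed_hostname(ip, **dns)
    if name is None:
        return "ERR"  # fail closed when the name cannot be confirmed
    return "OK" if directory_has_match(build_filter(name)) else "ERR"


def serve(directory_has_match, stdin=sys.stdin, stdout=sys.stdout, **dns):
    """Squid writes one request per line and expects one reply line back."""
    for line in stdin:
        fields = line.split()
        reply = decide(fields[0], directory_has_match, **dns) if fields else "ERR"
        stdout.write(reply + "\n")
        stdout.flush()  # Squid waits for each reply, so never buffer


if __name__ == "__main__":
    # Constructed stub directory that only knows cn=ws01; replace with a real
    # LDAP search against AD that returns True when the filter matches.
    serve(lambda flt: flt.startswith("(&(cn=ws01)"))
```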
