Hi Chris,
Thanks for the feedback. I have added the values %u and %g as below, and authentication is working when using the username and password, but it still fails when using domain\username and password, i.e. it still does not seem to be stripping the domain name when I look at the access log file, even though the -S option is added.
external_acl_type InetGroup ttl=60 %LOGIN /usr/lib64/squid/squid_ldap_group -S -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f "(&(objectclass=person)(sAMAccountName=%u) (memberof=cn=%g,ou=SquidUsers,dc=domnet,dc=bbd,dc=co,dc=za))" -h 10.3.1.216
Any ideas, is this possible?
Thanks,
Clayton York
-----Original Message-----
From: Chris Robertson [mailto:crobertson_at_gci.net]
Sent: Friday, July 10, 2009 9:13 PM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Help Please : NT Domain name stripping in squid_ldap_group
Clayton York wrote:
> Hi All,
>
>
> I am a newbie to Linux and squid and require some assistance please.
>
> I am running a server on CENTOS release 5.2 (Final), and have configured squid (2.6.STABLE21-3) for ldap group authentication with Active Directory.
> I have seen in the man page for squid_ldap_group that there is an -S option to strip the NT domain name from the username. I have added the -S to the squid_ldap_group section of our squid.conf file; however, this does not seem to strip the domain name, as from the access.log file I can see that squid still passes the domain\username through to AD, which then fails.
>
> Please find my squid authentication configuration below.
>
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f sAMAccountName=%s -h 10.3.1.216
> auth_param basic children 5
> auth_param basic realm Your Organisation Name
> auth_param basic credentialsttl 1 hour
>
>
> external_acl_type InetGroup ttl=60 %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%a,ou=SquidUsers,dc=bbdnet,dc=bbd,dc=co,dc=za))" -S -h 10.3.1.216
>
You are using %v and %a in the search filter, but the man page reads...

    -f filter
        LDAP search filter used to search the LDAP directory for any
        matching group memberships. In the filter %u will be replaced
        by the user name (or DN if the -F or -u options are used) and
        %g by the requested group name.
>
> acl InetAccess external InetGroup SquidUsersAllow
>
>
> If anyone has any insight into what I might be missing, please let me know.
>
>
> Thank you,
>
> Clayton York
>
Chris
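To make the two points in this thread concrete (the %u/%g substitution Chris quotes from the man page, and the domain-stripping that -S is supposed to do before the lookup), here is a small added model of what a group helper has to do with the login name before it reaches the directory. It is illustration written for this thread, not code from Squid or from the squid_ldap_group helper. The filter template is the one from the thread; the forward-slash separator and the RFC 4515 escaping of the substituted values are assumptions about a sensible implementation, not claims about the helper's source.

```python
"""Model of how an LDAP group helper builds its search filter.

Added illustration for this thread; not code from Squid or squid_ldap_group.
Assumptions: the domain prefix is separated by '\\' or '/', and values
substituted for %u / %g are escaped per RFC 4515.
"""
import re

# Characters that RFC 4515 requires to be escaped inside a filter value,
# so a login or group name cannot change the structure of the filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Separators between the NT domain and the user name (assumed: \ and /).
_DOMAIN_SEP = re.compile(r"[\\/]")


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def strip_nt_domain(login: str) -> str:
    """Drop a DOMAIN\\user or DOMAIN/user prefix (what -S is meant to do).

    Splits on the first separator only; a name without one is returned unchanged.
    """
    parts = _DOMAIN_SEP.split(login, maxsplit=1)
    return parts[1] if len(parts) == 2 else login


def build_group_filter(template: str, user: str, group: str, strip_domain: bool) -> str:
    """Replace %u and %g in the template as the quoted man page describes.

    With strip_domain=False the raw login is used, which reproduces the
    failure in the thread: the domain prefix ends up in the filter and
    matches no sAMAccountName in Active Directory.
    """
    if strip_domain:
        user = strip_nt_domain(user)
    values = {"%u": escape_filter_value(user), "%g": escape_filter_value(group)}
    # Single pass, so a substituted value can never be expanded a second time.
    return re.sub(r"%[ug]", lambda m: values[m.group(0)], template)


# Filter from the thread, with the %u/%g tokens the man page requires.
TEMPLATE = (
    "(&(objectclass=person)(sAMAccountName=%u)"
    "(memberof=cn=%g,ou=SquidUsers,dc=domnet,dc=bbd,dc=co,dc=za))"
)

if __name__ == "__main__":
    # Constructed sample logins; "DOMNET" stands in for the NT domain name.
    for login in ("cyork", "DOMNET\\cyork", "DOMNET/cyork"):
        print(build_group_filter(TEMPLATE, login, "SquidUsersAllow", strip_domain=True))
        print(build_group_filter(TEMPLATE, login, "SquidUsersAllow", strip_domain=False))
```

Running the block side by side with stripping on and off shows why the access.log observation matters: with the prefix left in, the filter asks the directory for a sAMAccountName that literally contains a backslash, which no account has, so the group check can only fail. Escaping the substituted values is the part a practitioner should keep even in a throwaway helper, since the login name is attacker-controlled input to the filter.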
Received on Wed Jul 15 2009 - 09:07:39 MDT