Hi Mike,
you have to connect to the LDAP server on port 3268 instead of the default
port 389 (-h) and change the base DN in which to search for the accounts (-b)
to "dc=domain,dc=com".
It should look like:
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=domain,dc=com" -D "cn=-LDAP-Read Account,ou=Users,dc=a,dc=domain,dc=com" -w bindpassword -f sAMAccountName=%s -h 1.2.3.4:3268
instead of
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "ou=Company Users,dc=a,dc=domain,dc=com" -D COMPANY\\binduser -w bindpassword -f sAMAccountName=%s -h 1.2.3.4
It will/should find any user in any container of the domains.
The trusts are needed as well, but you already said that they are
configured.
The different syntax for the binddn (-D) should not be relevant.
Best regards,
Martin
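The whole point of Martin's suggestion is search scope: a subtree search only reaches entries whose DN ends in the base DN, so "ou=Company Users,dc=a,dc=domain,dc=com" can never return an account from b.domain.com, while "dc=domain,dc=com" (queried on the Global Catalog port 3268, since port 389 only answers for one domain) covers both. The following is an added example, not code from the thread or from Squid: it parses DNs the way a directory would (unescaped commas separate RDNs, matching is case-insensitive), reports which sample accounts each base DN would cover, and renders the auth_param line in the shape Martin proposed. The sample account DNs are constructed to mirror the OU layouts Mike described and are not real accounts; the function names are this example's own.

```python
"""Check which account DNs an LDAP search base covers, and render the
matching squid_ldap_auth line.  Added example, not from the thread."""
import re
from typing import List, Tuple

# Ports from the thread: 3268 is the Global Catalog listener, which answers
# for every domain in the forest; 389 answers for a single domain only.
GLOBAL_CATALOG_PORT = 3268
DEFAULT_LDAP_PORT = 389
HELPER = "/usr/lib64/squid/squid_ldap_auth"  # helper path used in the thread


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, most specific first.
    Splits only on commas that are not backslash-escaped, and normalises
    case and surrounding whitespace so that 'DC=A' equals 'dc=a'."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(entry_dn: str, base_dn: str) -> bool:
    """True if a subtree search rooted at base_dn can reach entry_dn,
    i.e. the RDNs of base_dn are a suffix of the RDNs of entry_dn."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(base) <= len(entry) and entry[-len(base):] == base


def reachable(base_dn: str, entry_dns: List[str]) -> List[str]:
    """Return the account DNs that a search from base_dn would cover."""
    return [dn for dn in entry_dns if in_scope(dn, base_dn)]


def squid_auth_line(base_dn: str, bind_dn: str, host: str,
                    port: int = GLOBAL_CATALOG_PORT) -> str:
    """Render the auth_param line in the shape Martin proposed
    (bind DN quoted, -h pointing at the Global Catalog port)."""
    return (f'auth_param basic program {HELPER} -R -b "{base_dn}" '
            f'-D "{bind_dn}" -w bindpassword -f sAMAccountName=%s '
            f'-h {host}:{port}')


# Constructed sample account DNs modelled on the OU layouts Mike described;
# these are not real accounts from the thread.
SAMPLE_ACCOUNTS = [
    "CN=alice,OU=Office Location,OU=Department,OU=Sections,DC=a,DC=domain,DC=com",
    "CN=carol,OU=Company Users,DC=a,DC=domain,DC=com",
    "CN=bob,OU=Users,DC=b,DC=domain,DC=com",
    "CN=Smith\\, John,OU=Users,DC=b,DC=domain,DC=com",  # escaped comma in an RDN
]
OLD_BASE = "ou=Company Users,dc=a,dc=domain,dc=com"  # Mike's original -b
NEW_BASE = "dc=domain,dc=com"                         # Martin's proposed -b

if __name__ == "__main__":
    for base in (OLD_BASE, NEW_BASE):
        print(f"base {base!r} covers: {reachable(base, SAMPLE_ACCOUNTS)}")
    print(squid_auth_line(NEW_BASE,
                          "cn=-LDAP-Read Account,ou=Users,dc=a,dc=domain,dc=com",
                          "1.2.3.4"))
```

Running it shows the old base covering only the account under "OU=Company Users" in a.domain.com and the forest-root base covering every sample account, including the one whose RDN contains an escaped comma. This is a local sanity check of the -b value; it does not talk to a directory, so the port change itself still has to be confirmed against the Global Catalog.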
Mike Barnard <mike.barnardq_at_gmail.com>
13.01.2010 07:14
To: Tom Tux <tomtux80_at_gmail.com>, squid-users_at_squid-cache.org
Cc:
Subject: Re: [squid-users] proxy auth using AD
forgot to cc the list...
Hi
> Perhaps you can use a domain-trust between a.domain.com and
> b.domain.com?
>
There is a trust between the two domains, but the OU structure is
different. a.domain.com has
OU=Sections
OU=Department
OU=Office Location
OU=Organisation Name
and the users in the different sections.
b.domain.com has
OU=Users
OU=Groups
If I were to query the AD that is master for a.domain.com, I would not
get any results about anyone in b.domain.com since the structure is
different.
At the moment, a.domain.com trusts b.domain.com. Unless I am missing
something here, if the OU structure differs, even if there is a trust,
getting a user on b.domain.com will need a query different from
a.domain.com.
-- Mike
Of course, you might discount this possibility, but remember that one in a million chances happen 99% of the time.
Received on Wed Jan 13 2010 - 06:37:41 MST
This archive was generated by hypermail 2.2.0 : Wed Jan 13 2010 - 12:00:03 MST