Re: [squid-users] Squid_ldap_group

From: Jack <[email protected]>
Date: Sat, 26 Oct 2002 12:08:29 +0530

Hello Henrik,

I found out the problem. Now it's working fine.

Thanks for your help.

Regards
Jack

> Hello Henrik,
>
> Sorry, I did not notice the cache.log
>
> I found a message in cache.log as
>
> 2002/10/26 09:20:34| helperOpenServers: Starting 5 'squid_ldap_auth' processes
> 2002/10/26 09:20:34| helperOpenServers: Starting 5 'squid_ldap_group' processes
> 2002/10/26 09:20:34| ipcCreate: /usr/local/squid/libexec/squid_ldap_group: (2) No such file or directory
> 2002/10/26 09:20:34| ipcCreate: /usr/local/squid/libexec/squid_ldap_group: (2) No such file or directory
> 2002/10/26 09:20:34| ipcCreate: /usr/local/squid/libexec/squid_ldap_group: (2) No such file or directory
> 2002/10/26 09:20:34| ipcCreate: /usr/local/squid/libexec/squid_ldap_group: (2) No such file or directory
> 2002/10/26 09:20:34| ipcCreate: /usr/local/squid/libexec/squid_ldap_group: (2) No such file or directory
> 2002/10/26 09:20:34| Unlinkd pipe opened on FD 20
> 2002/10/26 09:20:34| Swap maxSize 102400 KB, estimated 7876 objects
>
>
> But I configured squid as
>
> ./configure --prefix=/usr/local/squid25S1 --enable-snmp --enable-ssl --enable-external-acl-helpers=ldap_group
>
> How do I make squid look for squid_ldap_group in
> /usr/local/squid25S1/libexec/ ?
>
> I am using squid-2.5.STABLE1-20020927 daily snapshot
>
> > Hello Henrik,
> >
> > acl ou_Testing external ldapou Testing
> > http_access allow ou_Testing
> > http_access deny all
> >
> > If I set these rules as said earlier I am getting an error as
> >
> > The page cannot be displayed
> > The page you are looking for is currently unavailable. The Web site might be
> > experiencing technical difficulties, or you may need to adjust your browser
> > settings.
> > -----
> > ----
> > ----
> >
> > But I am able to get the page without proxy settings and without the squid_ldap_group
> > helper (configured only squid_ldap_auth and proxy_auth acl).
> >
> > I want to set access rules based on groups.
> >
> > For testing i am using only one group.
> >
> > Thanks
> > Jack
> >
> > >
> > > You can (and probably should) take away the proxy_auth ACL. Not needed.
> > > The ldapou will automatically invoke authentication as you have specified
> > > %LOGIN as a requirement to the external_acl type.
> > >
> > > The proxy_auth acl type is used if you want to build manual lists of users,
> > > and there you can use the magic keyword "REQUIRED" to match all users
> > > with no exceptions.
> > >
> > > So what the lines
> > >
> > > acl ldapauth proxy_auth REQUIRED
> > > http_access allow ldapauth
> > >
> > > says is that all authenticated users are to be granted access.
> > >
> > >
> > > and the lines
> > >
> > > acl ou_Testing external ldapou Testing
> > > http_access allow ou_Testing
> > >
> > > says that only users belonging to the Testing OU in your LDAP tree are to
> > > be allowed.
> > >
> > >
> > > The first http_access line that fully matches the request will determine
> > > if the request is allowed or not (fully matches = all acl names listed on
> > > that http_access line are true), and as you allow all users access before
> > > where you allow only Testing users access, all your users will have access,
> > > not only the Testing ones.
> > >
> > >
> > > Should perhaps mention that if your goal is to only allow users from a
> > > specific OU in your LDAP tree and your LDAP tree is organised using OU
> > > based subtrees then you do not really need to use squid_ldap_match. You
> > > can then specify to squid_ldap_auth to use the OU as base DN, and
> > > squid_ldap_auth will only ever find users who are below this OU in your
> > > LDAP tree.. but if you plan on allowing more than one OU, or want to base
> > > access on group memberships then squid_ldap_group will be needed.
> > >
> > > Regards
> > > Henrik
> > >
> > >
> > > On Fri, 25 Oct 2002, Jack wrote:
> > >
> > > > But when I configured squid_ldap_auth and my configuration looks like
> > > >
> > > > auth_param basic program /usr/local/squid25S1/libexec/squid_ldap_auth -b dc=xxx,dc=com -f uid=%s localhost
> > > > auth_param basic children 5
> > > > auth_param basic realm Squid proxy-caching web server
> > > > auth_param basic credentialsttl 2 hours
> > > > external_acl_type ldapou %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "dc=xxx,dc=com" -f "(&(uid=%v)(ou=%a))" -h localhost
> > > > acl ou_testing external ldapou Testing
> > > > acl ldapauth proxy_auth REQUIRED
> > > > http_access allow ldapauth
> > > > http_access allow ou_testing
> > > > http_access deny all
> > > >
> > > > Here even users from groups other than "Testing" are also able to browse, but
> > > > I need only the "Testing" group to be able to browse and others to be denied.
> > > >
> > > > So I tried after changing the http_access rules as
> > > > http_access allow ldapauth ou_testing
> > > > http_access deny all
> > > >
> > > > Here I got a page-not-found page.
> > > >
> > > > As I did not find any information regarding this in squid_ldap_auth and
> > > > squid_ldap_group I am not able to proceed.
> > > >
> > > > Thanks
> > > > Jack
> > > >
> > > >
> > > > > Yes.
> > > > >
> > > > > The squid_ldap_group only performs group membership lookups and needs an
> > > > > authentication method defined to allow the user to log in. To use LDAP
> > > > > authentication you will also need to configure Squid to use
> > > > > squid_ldap_auth for authentication, and squid_ldap_group for group
> > > > > membership verifications.
> > > > >
> > > > > See the auth_param directive and the squid_ldap_auth basic authentication
> > > > > helper.
> > > > >
> > > > > Regards
> > > > > Henrik
> > > > >
> > > > >
> > > > > On Fri, 25 Oct 2002, Jack wrote:
> > > > >
> > > > > > Hello Henrik,
> > > > > >
> > > > > > Thanks,
> > > > > > When I configured the proxy in the browser and tried to browse I did not get
> > > > > > an authentication window.
> > > > > >
> > > > > > Do I need to configure an LDAP authentication program?
> > > > > >
> > > > > > Regards
> > > > > > Jack
> > > > > >
> > > > > > > Sorry, the acl line should obviously read
> > > > > > >
> > > > > > > acl ou_testing external ldapou Testing
> > > > > > >
> > > > > > > Regards
> > > > > > > Henrik
> > > > > > >
> > > > > > >
> > > > > > > Jack wrote:
> > > > > > > > Hello Henrik,
> > > > > > > >
> > > > > > > > While I ran squid after changing the squid configuration according to your
> > > > > > > > guide I got the following error:
> > > > > > > >
> > > > > > > > 2002/10/24 19:08:41| squid.conf line 1287: acl ou_testing ldapou Testing
> > > > > > > > 2002/10/24 19:08:41| aclParseAclLine: Invalid ACL type 'ldapou'
> > > > > > > > 2002/10/24 19:08:41| squid.conf line 1766: http_access allow ldapou
> > > > > > > > 2002/10/24 19:08:41| aclParseAccessLine: ACL name 'ldapou' not found.
> > > > > > > > 2002/10/24 19:08:41| squid.conf line 1766: http_access allow ldapou
> > > > > > > > 2002/10/24 19:08:41| aclParseAccessLine: Access line contains no ACL's, skipping
> > > > > > > >
> > > > > > > > I compiled squid with the following configuration option:
> > > > > > > >
> > > > > > > > ./configure --prefix=/usr/local/squid25S1 --enable-snmp --enable-ssl --enable-external-acl-helpers="ldap_group"
> > > > > > > >
> > > > > > > > How do I set an acl for ldap_group?
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Jack
> > > > > > > >
> > > > > > > > > The -f argument to squid_ldap_group needs to contain special codes
> > > > > > > > > referring to the login or group names. The correct external_acl_type
> > > > > > > > > line reads:
> > > > > > > > >
> > > > > > > > > external_acl_type ldapou %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "dc=xxx,dc=com" -f "(&(uid=%v)(ou=%a))" -h localhost
> > > > > > > > >
> > > > > > > > > acl ou_testing ldapou Testing
> > > > > > > > >
> > > > > > > > > These magic codes are documented in the squid_ldap_group documentation
> > > > > > > > > shipped with Squid.
> > > > > > > > >
> > > > > > > > > Regards
> > > > > > > > > Henrik Nordström
> > > > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> >
>

__________________________________________________
Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts
http://uk.my.yahoo.com
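Worked example, added by the editor and not part of this thread or of Squid's own code: a small Python model of the two things Henrik explains above, the request/response contract of a squid_ldap_group-style helper (Squid sends one line "login group", the helper substitutes %v and %a into the -f filter, searches, and answers OK or ERR) and Squid's first-match evaluation of http_access. The directory entries, the users alice and bob, and every function name are constructed assumptions; the filter evaluator handles only the AND-of-equalities shape of the -f filter used in the thread, and where real Squid would answer a 407 challenge the model simply treats the proxy_auth acl as not matching. Running it shows why "http_access allow ldapauth" placed before "http_access allow ou_testing" lets every authenticated user through, while the group-only rule set denies everyone outside the Testing OU.

```python
"""Model of Squid http_access evaluation with a squid_ldap_group-style helper.

Added example, not code from the original thread or from Squid. DIRECTORY,
the users alice/bob and all function names are constructed assumptions.
"""

import re

# Constructed stand-in for the entries under dc=xxx,dc=com.
DIRECTORY = [
    {"uid": "alice", "ou": "Testing"},
    {"uid": "bob", "ou": "Sales"},
]

# The -f filter from the thread: %v is the login, %a the acl argument.
GROUP_FILTER = "(&(uid=%v)(ou=%a))"

_EQUALITY = re.compile(r"\((\w+)=([^()]*)\)")


def and_filter_matches(flt, entry):
    """Evaluate a (&(attr=value)...) filter against one directory entry.

    Only the AND-of-equalities shape used in the thread is modelled.
    """
    if not (flt.startswith("(&") and flt.endswith(")")):
        raise ValueError("only (&...) filters are modelled")
    pairs = _EQUALITY.findall(flt[2:-1])
    return all(entry.get(attr) == value for attr, value in pairs)


def squid_ldap_group(line, directory=DIRECTORY, flt=GROUP_FILTER):
    """Answer one helper request line ("login group") with OK or ERR.

    This is the contract Squid 2.5 uses for an external_acl_type helper
    fed %LOGIN plus one acl argument: substitute, search, reply OK on a hit.
    """
    parts = line.strip().split()
    if len(parts) != 2:
        return "ERR"
    login, group = parts
    query = flt.replace("%v", login).replace("%a", group)
    return "OK" if any(and_filter_matches(query, e) for e in directory) else "ERR"


def make_acls(directory=DIRECTORY):
    """The acl lines from the thread as predicates over a request dict.

    A request carries "login" (None when no credentials were sent). Where
    real Squid would send a 407 challenge, the model simply does not match.
    """
    def ldapauth(req):            # acl ldapauth proxy_auth REQUIRED
        return req.get("login") is not None

    def ou_testing(req):          # acl ou_testing external ldapou Testing
        if req.get("login") is None:
            return False
        return squid_ldap_group(f"{req['login']} Testing", directory) == "OK"

    return {"ldapauth": ldapauth, "ou_testing": ou_testing, "all": lambda req: True}


def http_access(rules, acls, req):
    """The first http_access line whose acl names are all true decides.

    rules is a list of (action, [acl names]). If nothing matches, Squid
    applies the opposite of the last line's action.
    """
    for action, names in rules:
        if all(acls[name](req) for name in names):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


# Jack's first rule set: "allow ldapauth" is reached before the group check.
MISORDERED = [("allow", ["ldapauth"]), ("allow", ["ou_testing"]), ("deny", ["all"])]

# The policy Henrik describes: only Testing members, everyone else denied.
INTENDED = [("allow", ["ou_testing"]), ("deny", ["all"])]


def decide(rules, login):
    """Outcome ("allow" or "deny") for one login under a rule set."""
    return http_access(rules, make_acls(), {"login": login})


if __name__ == "__main__":
    for login in ("alice", "bob", None):
        print(f"{login!s:>5}: misordered={decide(MISORDERED, login)} "
              f"intended={decide(INTENDED, login)}")
```

The decisive detail is in http_access: a line is skipped only when one of its acl names is false, so a line that lists a single always-true-for-authenticated-users acl ends the search for anyone who logged in, and a later group line never runs. Putting the group acl on the first allow line (or listing both acls on one line, as Jack tried second) is what makes the helper's ERR answer actually deny the request.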
Received on Sat Oct 26 2002 - 00:26:38 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:55 MST