[squid-users] squid_ldap_group

From: <[email protected]>
Date: Thu, 27 Feb 2003 15:27:56 +0800

Hi,
I am still having trouble getting squid to authenticate based on ldap group
membership and user password. Here is what I have:

auth_param basic program /usr/local/squid/libexec/squid_ldap_auth \
                                          -h ldap://ldap.some.org.au \
                                          -b
"ou=people,dc=some,dc=org,dc=au,o=Internet" \
                                          -D "cn=admin,o=Internet" \
                                          -w "password" \
                                          -u cn
external_acl_type ldap_group %LOGIN
/usr/local/squid/libexec/squid_ldap_group \
                                          -h ldap://ldap.some.org.au \
                                          -D "cn=admin,o=Internet" \
                                          -w "password" \
                                          -b
"ou=groups,dc=some,dc=org,dc=au,o=Internet" \
                                          -f "member=cn
=%v,ou=people,dc=some,dc=org,dc=au,o=Internet"

acl localusers proxy_auth REQUIRED
acl proxy_users external ldap_group proxygrp

http_access deny !proxy_users
http_access allow localusers

In this configuration entering a username which is in the proxygrp in LDAP
gets access even if the password is wrong, if I swap the http_access rules
around then a username given with the right password will get access even
if they are not a member of the proxygrp, removing the deny ! proxy_users
line also results in the proxygrp not being checked.

How do I get the equivalent of "http_access allow if localusers *and*
proxy_users"?

Thanks for your patience and your help!

regards
Murray

__________________________________________________
Unix System Administrator, CSC
Ph: 08-9429-6780 Email: mbarton2@csc.com.au
Received on Thu Feb 27 2003 - 00:27:29 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:44 MST