Re: [squid-users] Doubts regarding squid integration with LDAP

From: Henrik Nordstrom <[email protected]>
Date: 11 Mar 2003 14:38:01 +0100

Tue 2003-03-11 at 11:10, Michael Fuller wrote:
> Hello all,
>
> We have successfully integrated squid with LDAP for authentication and
> access control. I am preparing a small write up on the subject for internal
> use, and I need a clarification regarding squid + ldap group access
> controls.
>
> For LDAP group based access control which of the following does squid do ?
>
> 1. Take the user name, and find if he is a member of any group, then match
> that group's name against any acls
> OR
> 2. Take the user name from the login, then try to match it against LDAP
> groups in the order defined in squid.conf against external ACLs. If there is
> a match, apply relevant access controls.

Only the second option is available in the first version of the helper
which shipped in 2.5.STABLE1. The current helper has some additional
powers.

To be precise, Squid asks the squid_ldap_group helper the following
simple question:

Is the user with login 'xxxx' a member of any of the groups 'yyyy' 'zzzz'
...?, where the list of groups is the groups you have defined for the
acl (normally only one per acl, but there may be more than one)

The helper then finds the answer to this question by searching the
LDAP directory for a matching group object using the specified LDAP
search filter. If a matching object is found, the user is regarded as a
member of one of the groups.

The original helper can only make a single search directly based on the
login name and groups.

The current helper can optionally first locate the user DN by the
same criteria as used by squid_ldap_auth and then use this DN when
searching for a matching group. This is to allow the use of groups in
combination with login names which are not part of the user's LDAP DN but
are made of another attribute on the user object (for example when using cn=
in the user DN but uid= for the login name).

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Tue Mar 11 2003 - 06:38:15 MST
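The question/answer exchange Henrik describes, as an added example that is not part of the original mail or of Squid's own squid_ldap_group code: a stand-in helper that reads "login group [group ...]" lines, searches a constructed in-memory directory for a matching group object, and answers OK or ERR. It shows both behaviours from the mail side by side: the original single search with the login name substituted into the group filter, and the current helper's optional mode that first resolves the user DN (here by uid=) and then matches that DN against the group's member attribute. Everything below is assumed for illustration: the directory contents, the %u/%g/%s placeholder names (check them against your helper's own documentation), and that Squid %XX-escapes each token it sends. The filter evaluator only understands an AND of equality terms, which is all these filters need; the RFC 4515 escaping of the login and group name is the check a practitioner will want so that a login such as `*` or `a)(uid=*` cannot rewrite the filter.

```python
"""Stand-in for the squid_ldap_group question/answer protocol (added example).

Squid sends one line per lookup:  <login> <group> [<group> ...]
and expects "OK" if the login is a member of ANY listed group, else "ERR".
DIRECTORY is a constructed in-memory stand-in for an LDAP server; the
placeholder names (%u user, %g group, %s login in the user filter) are
assumptions for this example, not a statement of the real helper's syntax.
"""
import re
import sys
import urllib.parse

# Constructed toy directory: DN -> attributes.  Note the person's DN is built
# from cn= while the login name lives in the uid attribute (Henrik's example).
DIRECTORY = {
    "cn=Michael Fuller,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "cn": ["Michael Fuller"], "uid": ["mfuller"]},
    "cn=proxy-users,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["proxy-users"],
        "member": ["cn=Michael Fuller,ou=people,dc=example,dc=com"]},
    "cn=Domain Users,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["Domain Users"],
        "member": ["cn=Michael Fuller,ou=people,dc=example,dc=com"]},
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["admins"],
        "member": ["cn=Jane Doe,ou=people,dc=example,dc=com"]},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["staff"], "memberUid": ["mfuller"]},
}

_TERM = re.compile(r"\(([^=()]+)=([^()]*)\)")     # one (attr=value) equality term


def ldap_filter_escape(value):
    """RFC 4515 escaping: keeps a hostile login from injecting filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _unescape(value):
    """Undo \\XX escapes the way a real server does before comparing values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _fill(template, mapping):
    """Substitute %x placeholders without re-scanning substituted text."""
    return re.sub(r"%([a-z])", lambda m: mapping.get(m.group(1), m.group(0)), template)


def search(base, ldap_filter):
    """Subtree search over DIRECTORY; supports only an AND of equality terms,
    e.g. (&(objectClass=groupOfNames)(cn=staff)(member=<dn>))."""
    terms = _TERM.findall(ldap_filter)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and all(_unescape(value) in attrs.get(attr, []) for attr, value in terms)]


class GroupChecker:
    """One configured helper instance.

    With only group_base/group_filter it behaves like the original helper: the
    login name goes straight into %u.  With user_base/user_filter as well it
    behaves like the current helper's optional mode: resolve the user's DN
    first, then put that DN into %u.
    """

    def __init__(self, group_base, group_filter, user_base=None, user_filter=None):
        self.group_base, self.group_filter = group_base, group_filter
        self.user_base, self.user_filter = user_base, user_filter

    def resolve_user(self, login):
        if self.user_filter is None:
            return login                              # original behaviour: login as-is
        dns = search(self.user_base, _fill(self.user_filter, {"s": ldap_filter_escape(login)}))
        return dns[0] if len(dns) == 1 else None      # missing or ambiguous user: no DN

    def is_member(self, login, groups):
        """Squid's question: is `login` a member of ANY of `groups`?"""
        subject = self.resolve_user(login)
        if subject is None:
            return False
        for group in groups:                          # one group search per acl value
            flt = _fill(self.group_filter,
                        {"u": ldap_filter_escape(subject), "g": ldap_filter_escape(group)})
            if search(self.group_base, flt):
                return True
        return False

    def handle_line(self, line):
        """One request line from Squid -> one answer for Squid.
        Assumes Squid %XX-escapes tokens, so 'Domain Users' arrives as Domain%20Users."""
        tokens = [urllib.parse.unquote(t) for t in line.split()]
        if len(tokens) < 2:
            return "ERR"
        return "OK" if self.is_member(tokens[0], tokens[1:]) else "ERR"


GROUP_BASE = "ou=groups,dc=example,dc=com"

# Original-helper style: the login name itself is the group member value.
DIRECT = GroupChecker(GROUP_BASE, "(&(objectClass=posixGroup)(cn=%g)(memberUid=%u))")

# Current-helper style: find the DN by uid first, then match it against member=.
VIA_DN = GroupChecker(GROUP_BASE, "(&(objectClass=groupOfNames)(cn=%g)(member=%u))",
                      user_base="ou=people,dc=example,dc=com", user_filter="(uid=%s)")

if __name__ == "__main__":
    # Run as a Squid helper: one answer per stdin line, flushed so Squid never waits.
    checker = VIA_DN if "--via-dn" in sys.argv else DIRECT
    for request in sys.stdin:
        sys.stdout.write(checker.handle_line(request) + "\n")
        sys.stdout.flush()
```

The instructive failure is the one Henrik points at: with the groupOfNames filter and no user lookup, `mfuller` is substituted into `member=` where the directory stores DNs, so the search finds nothing and the user is denied even though the membership exists; resolving the DN first makes the same group filter work. Whichever mode you run, keep the unique-match rule in `resolve_user`: an ambiguous uid must not silently pick the first DN.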