On Thursday 08 May 2003 15.51, Pedro Alte wrote:
> The base DN is already the lowest : dc=domain,dc=com.
> My filter is "(&(cn=%g)(member=cn=%u))", and the authentication
> only works if I change it to
> "(&(cn=%g)(member=cn=%u,ou=firstou,ou=secondou,dc=domain,dc=com))".
> It seems that squid needs to know the members' exact location,
> which I want to avoid, since I have users located in many different
> OU's.

I would recommend using the dual search mode where squid_ldap_group
first searches for the user DN, and then searches for group
memberships.

Alternatively you can use a wildcard search like

"(&(cn=%g)(member=cn=%u,*))"

The reason for this is quite clear if you take a closer look at an LDAP
group object. A typical LDAP group object looks like:

CN=NameOfGroup,OU=Some_OU,dc=domain,dc=com
cn: NameOfGroup
objectClass: groupOfNames
member: cn=SomeUser,ou=Some_OU,dc=domain,dc=com
member: cn=AnotherUser,ou=SomeOther_OU,dc=domain,dc=com
member: ...
member: ...
member: ...
member: ...

Your filter has to match the data in the object. Just plain
"member=cn=SomeUser" won't match this object as there is no member
attribute with the value "cn=SomeUser", only
"cn=SomeUser,OU=Some_OU,dc=domain,dc=com"
In the dual search mode the helper first searches for the user as
squid_ldap_auth does, and then uses the DN of the found user object
in the group search filter. The group filter then becomes
"(&(objectClass=GroupOfNames)(cn=%g)(member=%u))" which will then
expand into
"(&(objectClass=GroupOfNames)(cn=NameOfgroup)(member=cn=SomeUser,ou=Some_OU,dc=domain,dc=com))"
when the %g and %u are filled in.
Regards
Henrik
--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/

Received on Thu May 08 2003 - 13:13:50 MDT
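
Added example, not part of the message above and not squid_ldap_group's own code: a small Python model of the two lookups, run against a constructed directory, showing why the single filter finds nothing while the dual search matches. The directory contents, the function names and the RFC 4515 escaping applied to %u and %g are assumptions of this sketch.

```python
import re

# Constructed directory: users sit in different OUs, the group stores full member DNs.
USERS = {
    "cn=SomeUser,ou=Some_OU,dc=domain,dc=com": {"cn": ["SomeUser"]},
    "cn=AnotherUser,ou=SomeOther_OU,dc=domain,dc=com": {"cn": ["AnotherUser"]},
}
GROUPS = {
    "cn=NameOfGroup,ou=Some_OU,dc=domain,dc=com": {
        "objectclass": ["groupOfNames"],
        "cn": ["NameOfGroup"],
        "member": list(USERS),
    },
}

def escape_filter(value):
    """Escape the RFC 4515 special characters so a login name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, user, group):
    """Fill in %u and %g in a single pass (escaping is this sketch's assumption)."""
    subst = {"u": escape_filter(user), "g": escape_filter(group)}
    return re.sub(r"%([ug])", lambda m: subst[m.group(1)], template)

def matches(entry, ldap_filter):
    """Evaluate an AND of equality assertions; each value must match a whole attribute value."""
    asserts = re.findall(r"\(([^()=&]+)=([^()]*)\)", ldap_filter)
    unescape = lambda v: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)
    return bool(asserts) and all(
        any(unescape(val).lower() == v.lower() for v in entry.get(attr.lower(), []))
        for attr, val in asserts)

def search(entries, ldap_filter):
    return [dn for dn, entry in entries.items() if matches(entry, ldap_filter)]

def single_search(user, group):
    # "member=cn=SomeUser" is compared against the full DN values, so nothing matches.
    return bool(search(GROUPS, expand("(&(cn=%g)(member=cn=%u))", user, group)))

def dual_search(user, group):
    # Step 1: find the user's DN anywhere below the base DN.
    found = search(USERS, expand("(cn=%u)", user, group))
    if len(found) != 1:          # unknown or ambiguous user: deny
        return False
    # Step 2: the found DN becomes %u in the group filter.
    group_filter = "(&(objectClass=GroupOfNames)(cn=%g)(member=%u))"
    return bool(search(GROUPS, expand(group_filter, found[0], group)))

if __name__ == "__main__":
    print(single_search("SomeUser", "NameOfGroup"), dual_search("SomeUser", "NameOfGroup"))
```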