[squid-users] Using squid_ldap_group

From: Fernando Maior <[email protected]>
Date: Mon, 1 Sep 2003 16:26:27 -0400

Hi all,
  
I am using Squid and LDAP to control access to
Internet via Proxy. I also am using squid_ldap_auth.
  
I would like to separate my users into six groups,
named UL1 to UL6. I would like to authenticate them
against LDAP and, after that, grant or revoke
permission to access HTTP in the wild.
  
I am using a number of files and other hacking in
order to have those goals accomplished, because
Conectiva Linux 9 does not provide a Squid RPM
with squid_ldap_group compiled in.
  
Now I have the time, the machine and a compilation
of squid 2.5.STABLE3 with squid_ldap_group in my
test lab machine. And I would like you to help me
use squid_ldap_group.
  
My squid.conf has:
  
--FOR LDAP_AUTH--
auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldap.intranet.dasa -b "ou=Users,o=DASA" -f "(&(internetAccess=enabled)(uid=%s))"
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
  
--FOR LDAP_GROUP--
external_acl_type LdapGroup %LOGIN /usr/lib/squid/squid_ldap_group -b ou=Groups,o=DASA -f (&(cn=%a)(memberUid=%v))
  
--FOR ACLs on AUTHENTICATION--
acl AutorizedUser proxy_auth REQUIRED
  
--FOR ACLs on GROUP--
acl Level1 external LdapGroup UL1
acl Level1 external LdapGroup UL2
acl Level1 external LdapGroup UL3
acl Level1 external LdapGroup UL4
acl Level1 external LdapGroup UL5
acl Level1 external LdapGroup UL6
  
I already have groups UL1..8 created on ou=Groups,o=DASA, and
my test users are placed in the memberUid correctly. Also,
I proceeded with tests in command line using squid_ldap_group
until I became confident using it. From my point of view,
ldapsearch is running as expected and squid_ldap_group the
same.
  
So you may ask me "What is the problem?" And I will answer
you that "I am not sure how to write the line for the external
acl on squid.conf", because I did not find enough documentation.
  
Question:
What are the parameters squid passes to squid_ldap_group? I
realized squid_ldap_group can use at least two parameters
when running from command line: user and group, and it
parses user as %v and group as %a. If I use the acl like
 
acl Level1 external LdapGroup UL1
 
will squid pass UL1 as the second parameter (group) to
squid_ldap_group?
 
Question:
If I have six groups (UL1 thru UL6) is it correct to
use the acl below to identify which group one pertains to?
 
acl Level1 external LdapGroup UL1
acl Level1 external LdapGroup UL2
acl Level1 external LdapGroup UL3
acl Level1 external LdapGroup UL4
acl Level1 external LdapGroup UL5
acl Level1 external LdapGroup UL6
 
Question:
How can I control (is it possible?) the number of
squid_ldap_group helper processes started automatically
by squid?
 
Bye,
Fernando Maciel Souto Maior
fernando@araujo.com.br
http://www.araujo.com.br
+55+31 3270-5886

Received on Mon Sep 01 2003 - 14:26:44 MDT
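
The request format asked about in the message above, as an added example that is not part of the original post and is not Squid's own code: for an `external_acl_type` using `%LOGIN`, Squid writes one line per lookup to the helper (the login followed by the words that come after the type name on the `acl` line) and reads back `OK` or `ERR`. The directory contents and all function names are constructed for illustration, and logins and group names are assumed to contain no whitespace.

```python
import re

# Constructed sample directory standing in for ou=Groups,o=DASA:
# group cn -> set of memberUid values. Not real data.
GROUPS = {"UL1": {"fernando"}, "UL2": {"maria", "fernando"}, "UL6": set()}

FILTER = "(&(cn=%a)(memberUid=%v))"  # filter template from the post


def ldap_escape(value):
    """Escape RFC 4515 metacharacters so a value stays a literal in a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(user, group, template=FILTER):
    """Fill %v with the user and %a with the group in a single pass."""
    values = {"%v": ldap_escape(user), "%a": ldap_escape(group)}
    return re.sub(r"%[va]", lambda m: values[m.group(0)], template)


# Stand-in for the LDAP server: the exact-match filters that would find an entry.
KNOWN = {build_filter(u, g) for g, members in GROUPS.items() for u in members}


def search(ldap_filter):
    """Hypothetical search call: True when the filter matches a group entry."""
    return ldap_filter in KNOWN


def answer(line):
    """Handle one request line '<login> <group> [<group> ...]' -> OK or ERR."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"  # missing login or group name: deny
    user, groups = fields[0], fields[1:]
    return "OK" if any(search(build_filter(user, g)) for g in groups) else "ERR"


def serve(stream_in, stream_out):
    """Helper main loop: one reply line per request line, flushed each time."""
    for line in stream_in:
        stream_out.write(answer(line) + "\n")
        stream_out.flush()


if __name__ == "__main__":
    import sys
    serve(sys.stdin, sys.stdout)
```
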

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:19:28 MST