Re: [squid-users] squid_ldap_group problem

From: Henrik Nordstrom <[email protected]>
Date: Sun, 4 Apr 2004 02:02:03 +0200 (CEST)

On Sat, 3 Apr 2004 lists@mhcsoftware.de wrote:

> the relevant parts of my squid.conf look like this:
>
> ----
> auth_param basic program /usr/lib/squid/ldap_auth -b
> ou=people,dc=mhcsoftware,dc=de localhost
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours

Needed. This defines authentication.

> external_acl_type ldap %LOGIN /usr/lib/squid/squid_ldap_group
> -b "ou=groups,dc=mhcsoftware,dc=de"
> -f "(&(memberUid=%v)(cn=%a)(objectClass=posixGroup))"
> -B "ou=people,dc=mhcsoftware,dc=de"
> -F "(uid=%s)"

Needed. This defines how Squid is to evaluate LDAP group based
authorization (not authentication). But the arguments do not match your
squid_ldap_auth.

As you are not using a user filter in squid_ldap_auth you should not do so
in squid_ldap_group either; just make the exact group membership filter
match groups where the login name is a member. Most likely you should
just drop the user filter (and basedn) arguments here, but it depends on
what your group objects look like. I would recommend playing a little with
ldapsearch.

Note: You are using a very old and obsolete group filter syntax. The
current versions of the squid_ldap_group helper use %g and %u for group
and user respectively (but still understand the older %a %v codes).

> acl ldapauth proxy_auth REQUIRED

This is only needed if you really want to base access controls on "all
authenticated users".

> acl ldapGauth external ldap squid

Normally this one is sufficient when using LDAP groups.

> http_access allow ldapGauth

Ok.

> this seems to work, as I can do a corresponding ldapsearch without any
> problem. Then it tries the group lookup:
>
> Apr 3 15:50:30 server slapd[20926]: conn=32 op=1 SRCH
> base="ou=groups,dc=mhcsoftware,dc=de" scope=2
> filter="(&(memberUid=uid=test,ou=people,dc=mhcsoftware,dc=de)(cn=squid)(objectClass=posixGroup))"
>
> and I think that's the problem. When I try this as an ldapsearch I get no
> result. But when I search for:
>
> (&(memberUid=test)(cn=squid)(objectClass=posixGroup))

Ok, so you are not using normal LDAP groups but instead another form of
groups stored within LDAP... See above for the solution.

> I get the expected result. Well, and that filter is what I would expect when
> I look at my "squid_ldap_group" command line. I do not understand why it
> uses "memberUid=uid=test,ou=people,dc=mhcsoftware,dc=de" instead of what's
> configured on the command line: "memberUid=test"

This is done because you told squid_ldap_group to expand the login name
into the user's DN via the group filter argument. See the squid_ldap_group
manual.

Regards
Henrik
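An added example, not part of the original thread or of Squid's own documentation: the quoted squid.conf rewritten the way the reply above suggests, with the group helper using the newer %u/%g codes and without the -B/-F user-DN expansion. The base DNs, the group name "squid" and the helper paths are taken from the quoted config; the LDAP server argument "localhost" on the group helper line is assumed (the quoted line omitted it, and the auth helper uses localhost), the final "deny all" is added as ordinary practice, and whether your group entries really are posixGroup objects whose memberUid holds the bare uid is an assumption to confirm with ldapsearch first.

```conf
# Authentication: as quoted in the thread. No user filter (-F), so the
# helper binds the login name as uid=<login> under ou=people and the bare
# login name is what %LOGIN carries into the external acl.
auth_param basic program /usr/lib/squid/ldap_auth -b ou=people,dc=mhcsoftware,dc=de localhost
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# Authorization as quoted (kept commented out for comparison). -B/-F make
# squid_ldap_group look the login up under ou=people and substitute the
# user's DN for %v, so the filter slapd receives is
#   (&(memberUid=uid=test,ou=people,dc=mhcsoftware,dc=de)(cn=squid)(objectClass=posixGroup))
# which never matches a posixGroup, because memberUid stores the uid only.
#external_acl_type ldap %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=groups,dc=mhcsoftware,dc=de" -f "(&(memberUid=%v)(cn=%a)(objectClass=posixGroup))" -B "ou=people,dc=mhcsoftware,dc=de" -F "(uid=%s)" localhost

# Corrected: no -B/-F, so no DN lookup happens; %u is the login name as
# passed by %LOGIN and %g is the group name given on the acl line.
# The filter slapd sees is now (&(memberUid=test)(cn=squid)(objectClass=posixGroup)).
# "localhost" as the server argument is an assumption (see lead-in).
external_acl_type ldap %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=groups,dc=mhcsoftware,dc=de" -f "(&(memberUid=%u)(cn=%g)(objectClass=posixGroup))" localhost

# The word after "ldap" is what %g expands to. No proxy_auth acl is needed
# here: the external acl already triggers authentication for the login.
acl ldapGauth external ldap squid
http_access allow ldapGauth
# Added here as ordinary practice; not in the quoted config.
http_access deny all
```

Before relying on the corrected line, reproduce the helper's query by hand, e.g. `ldapsearch -x -H ldap://localhost -b "ou=groups,dc=mhcsoftware,dc=de" "(&(memberUid=test)(cn=squid)(objectClass=posixGroup))"`, and check that it returns exactly one group entry; if your groups are groupOfNames objects with full DNs in the member attribute instead, keep -B/-F and match on member=%v rather than memberUid=%u.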
Received on Sat Apr 03 2004 - 17:02:05 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:01 MDT