Hi Henrik
On Tue 10Aug04 you wrote:
"If you do not need to specify different authorization for different groups and your directory allows direct filtering on group membership then there is no need for squid_ldap_group, only squid_ldap_auth"
Now I want to try to authenticate and authorize a user who is a member of internetOK. The base DN is CN=internetOK,OU=utenti,DC=advnet,DC=it and the users are stored in OU=utenti,DC=advnet,DC=it
When I have in my squid.conf:
auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b "ou=utenti,dc=advnet,dc=it" -u "CN" -d -v 3 -h "192.168.150.1:389" -D "CN=superadmin,CN=users,DC=advnet,DC=it" -w "pass"
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl autenticati proxy_auth REQUIRED
http_access allow autenticati
Authenticated users can access the internet.
But if I try to check the group membership, nobody has access to the internet:
auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b "ou=utenti,dc=advnet,dc=it" -u "CN" -f "(&(CN=internetOK)(objectClass=group)(member=cn=%u))" -d -v 3 -h "192.168.150.1:389" -D "CN=superadmin,CN=users,DC=advnet,DC=it" -w "pass"
I think the string is wrong, so I tried these -f search options:
-f (&(CN=%u)(objectClass=person)(memberOf=CN=internetOK,OU=utenti,DC=advnet,DC=it))
-f (&(CN=%g)(objectClass=internetOk)(member=CN=%u))
You told me to write this:
-f (&(CN=%g)(objectClass=groupOfPeople)(member=%u))
and I have a question:
1) Where do I write the name of the group "internetOK"?
-f (&(CN=%g)(objectClass=internetOK)(member=%u)) or
-f (&(CN=internetOK)(objectClass=group)(member=%u))
I tried to test the external helper squid_ldap_group from the DOS command line, but it doesn't work...
Thank you for your help,
Best Regards
Samantha
2)
>On Tue, 2 Nov 2004 sc379@interfree.it wrote:
>
>> external_acl_type ldap_group %LOGIN /Squid/libexec/squid_ldap_group.exe -u
>> CN -b "OU=utenti,DC=bdcnet,DC=it" -d -f
>> "(&(CN=%u)(objectClass=person)((memberOf=cn=internetOKnavigare,OU=utenti,DC=bdcnet,DC=it)))"
>> -h 192.168.1.1:389
>
>This looks a little odd.. normally one uses a search filter looking for the
>group object where the user is member, not the person object having
>the group as membership attribute.
>
>In addition you should be using a %g at a suitable position in the filter for
>the group name..
>
>If continuing doing the lookup on the person object the filter should be
>something like the following:
>
>"(&(CN=%u)(objectClass=person)(memberOf=cn=%g,OU=utenti,DC=bdcnet,DC=it))"
>
>Or you could do it the LDAP way and look for a group object having the user as
>member. You then specify the exact same filter as used in
>squid_ldap_auth to the -F option of squid_ldap_group, and a suitable group
>filter to -f
>
> "(&(CN=%g)(objectClass=groupOfPeople)(member=%u))"
>
>(%u in the group search filter -f translates to the user's DN, not the login
>name, when using the -F option)
>
>Regards
>Henrik
>
>
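Added example (not squid's own helper code): a small Python model of the -f / -F lookup that Henrik describes, run against a constructed two-entry directory. It shows why "(member=%u)" only matches once -F supplies the user's DN, while the memberOf variant on the person object works with the bare login. Assumptions: only flat AND-of-equality filters, case-insensitive value matching, and made-up entry names.

```python
import re

# Constructed sample directory (not real data): one person and one group,
# keyed by DN. Attribute names are stored lower-cased.
DIRECTORY = {
    "cn=samantha,ou=utenti,dc=advnet,dc=it": {
        "objectclass": ["person"], "cn": ["samantha"],
        "memberof": ["cn=internetOK,ou=utenti,dc=advnet,dc=it"]},
    "cn=internetOK,ou=utenti,dc=advnet,dc=it": {
        "objectclass": ["group"], "cn": ["internetOK"],
        "member": ["cn=samantha,ou=utenti,dc=advnet,dc=it"]},
}

# One "(attr=value)" term; the value may itself contain '=' (a DN).
TERM = re.compile(r"\(([^()=]+)=([^()]*)\)")

def matches(attrs, filt):
    """Evaluate a flat (&(a=v)(b=v)...) or (a=v) filter against one entry,
    comparing values case-insensitively like an LDAP equality match."""
    return all(v.lower() in [x.lower() for x in attrs.get(a.lower(), [])]
               for a, v in TERM.findall(filt))

def search(filt):
    """Return the DNs of all entries matching the filter."""
    return [dn for dn, attrs in DIRECTORY.items() if matches(attrs, filt)]

def group_check(login, group, group_filter, user_filter=None):
    """Model of squid_ldap_group: with user_filter (the -F option) the user
    entry is looked up first and %u in the group filter becomes its DN;
    without -F, %u is just the login name. Returns True for OK, False for ERR."""
    if user_filter is not None:
        dns = search(user_filter.replace("%u", login))
        if len(dns) != 1:          # no unique user entry: ERR
            return False
        user = dns[0]
    else:
        user = login
    return bool(search(group_filter.replace("%g", group).replace("%u", user)))

if __name__ == "__main__":
    gf = "(&(CN=%g)(objectClass=group)(member=%u))"
    print("with -F   :", group_check("samantha", "internetOK", gf,
                                      "(&(CN=%u)(objectClass=person))"))
    print("without -F:", group_check("samantha", "internetOK", gf))
```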
Received on Wed Nov 03 2004 - 02:57:17 MST