Re: [squid-users] Help squid_ldap_group W32

From: <[email protected]>
Date: 3 Nov 2004 09:57:15 -0000

Hi Henrik

On Tue 10Aug04 you wrote:

"If you do not need to specify different authorization for different groups and your directory allows direct filtering on group membership then there is no need for squid_ldap_group, only squid_ldap_auth"

Now, I wont try to authenticate and authorizate a user member of internetOK. The base DN is CN=internetOK,OU=utenti,DC=advnet,DC=it and the users are store into OU=utenti,DC=advnet,DC=it

When I have in my squid.conf:
auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b "ou=utenti,dc=advnet,dc=it" -u "CN" -d -v 3 -h "192.168.150.1:389" -D "CN=superadmin,CN=users,DC=advnet,DC=it" -w "pass"
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl autenticati proxy_auth REQUIRED
http_access allow autenticati

The users authenticated can access to internet.

But, if I try to control the membership, none have access to internet:
auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b "ou=utenti,dc=advnet,dc=it" -u "CN" -f "(&(CN=internetOK)(objectClass=group)(member=cn=%u))" -d -v 3 -h "192.168.150.1:389" -D "CN=superadmin,CN=users,DC=advnet,DC=it" -w "pass"

I think the string is wrong, and I try with this -f search options:

-f (&(CN=%u)(objectClass=person)(memberOf=CN=internetOK,OU=utenti,DC=advnet,DC=it))
-f (&(CN=%g)(objectClass=internetOk)(member=CN=%u))

You said me to write this:

-f (&(CN=%g)(objectClass=groupOfPeople)(member=%u))
and I've a question:
              1)Where do I write the name of the group "internetOK"?
                        -f (&(CN=%g)(objectClass=internetOK)(member=%u)) or
                        -f (&(CN=internetOK)(objectClass=group)(member=%u))
                

I try to test a external helper squid_ldap_group from dos command line, but it doesn't work...

Thank you for your help,

Best Regards
Samantha
2)

>On Tue, 2 Nov 2004 sc379@interfree.it wrote:
>
>> external_acl_type ldap_group %LOGIN /Squid/libexec/squid_ldap_group.exe > -u
>CN -b "OU=utenti,DC=bdcnet,DC=it" -d -f
>>
>bjectClass=person)((memberOf=cn=internetOKnavigare,OU=utenti,DC=bdcnet,DC=it)))"
>"(&(CN=%u)(o> -h 192.168.1.1:389
>
>This looks a little odd.. normally one uses a search filter looking for the
>group object where the user is member, not the person object having
>the group as membership attribute.
>
>In addition you should be using a %g at a suitable position in the filter for
>the group name..
>
>If continuing doing the lookup on the person object the filter should be
>something like the following:
>
>"(&(CN=%u)(objectClass=person)(memberOf=cn=%g,OU=utenti,DC=bdcnet,DC=it))"
>
>Or you could do it the LDAP way and look for a group object having the user as
>member. You then specify the exact same filter as used in
>squid_ldap_auth to the -F option of squid_ldap_group, and a suitable group
>filter to -f
>
> "(&(CN=%g)(objectClass=groupOfPeople)(member=%u))"
>
>(%u in the group search filter -f translates to the users DN, not the login
>name when using the -F option)
>
>Regards
>Henrik
>
>

-------------------------------------------------------------------------
NUOVA WEBMAIL DI INTERFREE!

Da oggi Interfree offre a tutti i suoi utenti un nuovissimo servizio
di WebMail tra i pi� evoluti e una qualit� professionale che si rinnova
di continuo:

- Controllo antivirus
- Filtro antispamming
- Configurazione di account esterni
- Accesso gratuito a InterDrive dove salvare e organizzare i tuoi
        file da qualsiasi computer e in qualsiasi momento ...

Iscriviti gratuitamente all'indirizzo http://www.interfree.it e prova il
nuovo servizio!

Lo Staff di Interfree
-------------------------------------------------------------------------
Received on Wed Nov 03 2004 - 02:57:17 MST

This archive was generated by hypermail pre-2.1.9 : Wed Dec 01 2004 - 12:00:01 MST