Re: [squid-users] Fw: squid_ldap_group config

From: Tim Neto <[email protected]>
Date: Mon, 06 Dec 2004 11:26:30 -0500

Hello Kelly,

From the man page for squid_ldap_group:

-------------------------------------------------------------------------------------
       -f filter
              LDAP search filter used to search the LDAP directory for any
              matching group memberships. In the filter %u will be replaced
              by the user login name (or DN if the -F or -u options are used)
              and %g by the requested group name.

       -F filter
              LDAP search filter used to search the LDAP directory for any
              matching users. In the filter %s will be replaced by the user
              login name. If % is to be included literally in the filter then
              use %%.
-------------------------------------------------------------------------------------

The lower case dash f, "-f", is a filter used to match group records
from your LDAP database.

The upper case dash F, "-F", is a filter used to match user records from
your LDAP database.

As for the definition I defined and used here at KCL, I allow two
different styles of user name recognition when replying to a proxy
challenge. One is by the user's identifier (UID) the other is by the
user's E-Mail address.

  -------------------------------------------------------------------------------------
  external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h ldap.komatsu.ca -p 389 -P -b o=komatsu -F "(|(uid=%s)(mail=%s))" -f "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"
  -------------------------------------------------------------------------------------

If your LDAP schema uses a different tag for the user identifier than
"uid", you may want to consider using the "-F" option.

Hope this helps. Sorry for the delayed reply. Last week became quite
busy...

Tim

-----------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer, Komatsu Canada Limited
1725B Sismet Road, Mississauga, Canada L4W 1P9
Ph#: 905-625-6292 x265
Fax: 905-625-6348
E-Mail: tneto@komatsu.ca
-----------------------------------------------------------
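As an added example (not from Tim's post or from the Squid project), the Python below models the placeholder expansion the man page excerpt describes, using the two filters from the external_acl_type line above: %s in the -F filter is the login as typed, and once -F is in use %u in the -f filter becomes the DN the user search returned. The DIRECTORY dict, its DNs and the rfc4515_escape helper are constructed for this example; whether squid_ldap_group itself escapes the login before substitution is not covered by the post.

```python
# Added example (not from the list post): models the placeholder expansion the
# man page excerpt describes for squid_ldap_group (%s in -F; %u and %g in -f;
# %% for a literal %), using the two filters from the external_acl_type line.
# The DIRECTORY dict, its DNs and rfc4515_escape are constructed here.

USER_FILTER = "(|(uid=%s)(mail=%s))"
GROUP_FILTER = "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"


def rfc4515_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves in an assertion value, so a
    login string cannot alter the structure of the filter it is spliced into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def expand_filter(template: str, subs: dict) -> str:
    """Replace each %<key> with the escaped value from subs; '%%' -> '%'."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            key = template[i + 1]
            if key == "%":
                out.append("%")
            elif key in subs:
                out.append(rfc4515_escape(subs[key]))
            else:
                raise ValueError("unknown placeholder %%%s" % key)
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


# Constructed stand-in for the -F search result: login (uid or mail) -> DN.
DIRECTORY = {
    "jsmith": "uid=jsmith,ou=people,o=komatsu",
    "jsmith@komatsu.ca": "uid=jsmith,ou=people,o=komatsu",
}


def build_filters(login: str, group: str):
    """Return (-F filter, -f filter) as issued when -F is set: %s is the login
    as typed, %u is the DN the -F search returned, %g the requested group.
    The -f filter is None when no user record matched."""
    user_filter = expand_filter(USER_FILTER, {"s": login})
    dn = DIRECTORY.get(login)  # stand-in for running user_filter against LDAP
    if dn is None:
        return user_filter, None
    return user_filter, expand_filter(GROUP_FILTER, {"u": dn, "g": group})
```

Running build_filters("jsmith@komatsu.ca", "InternetAccess") shows the same DN being used for %u whether the user authenticated with the UID or the mail address, which is the point of the (|(uid=%s)(mail=%s)) form.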

Kelly_Connor@gilbert.k12.az.us wrote:

>
>
>Hi Tim -
>
>Looking over what you sent me, I have made a few changes.
>
>First, I have taken port 21 out of Safe_ports, since I don't want free
>access to FTP downloads.
>
>What is going on in your squid_ldap_auth line? What is the difference
>between "-F" and "-f"? The man page does not even mention -F.
>
>I have modified my set thus far:
>
>
>------------
>external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b
>ou=techsvc,o=gps -D cn=squid,ou=global,o=gps -w <pass> -f
>"(&(cn=%s)(groupMembership=cn=RestrictedInternetAccess,ou=techsvc,o=gps))"
>-h FS-GPS1.GPS
>
>acl Restricted port 20 21 1025-65535
>
>acl RestrictedUsers external ldap_group RestrictedInternetAccess
>acl OpenUsers external ldap_group InternetAccess
>
>http_access allow Restricted OpenUsers
>http_access deny !Safe_ports
>------------
>
>Am I doing something wrong with the external_acl_type line?
>
>
>Kelly Connor
>Network Technician
>Gilbert Unified School District
>kelly_connor@gilbert.k12.az.us
>
>
Received on Mon Dec 06 2004 - 09:26:25 MST