Re: [squid-users] Fw: squid_ldap_group config

From: Henrik Nordstrom <[email protected]>
Date: Thu, 9 Dec 2004 01:29:10 +0100 (CET)

On Wed, 1 Dec 2004 Kelly_Connor@gilbert.k12.az.us wrote:

> I hope this has not been addressed anywhere in the mailing lists. I did a
> search and couldn't find anything, and I've already RTFM'd.
>
> I don't understand how to set up the squid_ldap_group external acl type.

Start with setting up squid_ldap_auth WIHTOUT any group restrictions. Then
loog into configuring squid_ldap_group. You need both.

> This is what I've got so far:
>
> external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b <basedn>
> -D <squidaccount> -w <passwd> -f
> "(&(cn=%v)(groupMembership=cn=<group1dn>))" -h ldap.host

This is almost correct, but the group search filter should look for both
the username and the group name, neither hardcoded. The group name is then
specified in the acl.

Usually thinks looks something like the following:

auth_param basic program /path/to/squid_ldap_auth -f "(&(uid=%s)(objectClass=person))" -b dc=yourcompany,dc=com -h your.ldap.server

external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group -F "(&(uid=%s)(objectClass=person))" -f "(&(member=%u)(cn=%g))" -b dc=yourcompany,dc=com -h your.ldap.server

acl ldap_group_1 external ldap_group groupname1
acl ldap_group_2 external ldap_group groupname2
...

then ldap_group_1 and ldap_group_2 is used in your http_access rules as
required to authorize users access to the proxy.

in the above uid=%s is assuming users are identified by their uid
attribute in your LDAP directory, and cn=%g that groups are identified by
their CN, and that the base DN of your LDAP tree is dc=yourcompany,dc=com

Regards
Henrik
Received on Thu Dec 09 2004 - 09:53:13 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:02 MST