Re: [squid-users] web access based on ldap groups

From: Henrik Nordstrom <[email protected]>
Date: Sat, 5 Feb 2005 00:22:55 +0100 (CET)

On Fri, 4 Feb 2005, cipher wrote:

> external_acl_type ldap_group ttl=120 negative_ttl=120
> %LOGIN /usr/local/squid/libexec/squid_ldap_group -b
> ou=squid
> ,o=domain.int -f "(&(uid=%v)(memberUid=%g))" -B
> ou=People,o=domain.int -F "uid=%s" -S -R -D uid=prox
> y,ou=squid,o=dmain.int -w proxy-binder -h localhost
> [...]

> dn: cn=proxy-allow,ou=squid, o=domain.int
> gidNumber: 600
> memberUid: test-user
> objectClass: posixGroup
> objectClass: top
> cn: proxy-allow

Ok, so your LDAP groups is defined with

   cn = group name
   memberUid = login name (NOT DN) being member of the group

In squid_ldap_group terms this becomes

   -f "(&(cn=%g)(memberUid=%u))"

and you should NOT use a -F flag to translate the login names to DN..

Normally in LDAP groups use the member attribute, listing full DNs of the
users being members of the group, not just login names (uid), but thanks
to it's flexible design squid_ldap_group doesn't really care and handles
both nicely. at the cost of requiring careful configuration to match your
directory design.

Regards
Henrik
Received on Fri Feb 04 2005 - 16:22:57 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:01 MST