Re: [squid-users] squid_ldap_group user authorization

From: Jayesh Kamdar <[email protected]>
Date: Mon, 21 Mar 2005 15:56:45 -0500

Yes, I tried a search filters with ldapsearch. (ldapsearch -h ldapsrv1
-D "uid=jkamdar,o=mitre.org" -b "o=mitre.org" cn="Kamdar,Jayesh H.")

Now, before I get into details about syntex with squid ...I am confused
about
    - squid_ldap_match
    - squid_ldap_auth
    - squid_ldap_group

I do have binaries for squid_ldap_match and squid_ldap_auth but I can
only find man page on the net for squid_ldap_group. It looks like I need
to use squid_ldap_group for what I need to do. Where can I find it?

Please let me know. Sorry for asking some basic quesions but I am new to
all these and really confused.

Thanks for your help,
Jayesh

Ytzhak Levy wrote:

>Did you test this filter and your credentials with ldapsearch ?
>this is the first step.
>
>then test squid_auth_auth from a terminal. I dont know if squid_ldap_auth have a debug mode as squid_ldap_group.
>
>squid_auth_ldap didnt work in my site, but i build a perl script that do (basically) the same thing:
>
>#!/usr/bin/perl
>
>$| = 1;
>while(<>){
>
> ($user,$passwd) = split;
> $res = system("ldapsearch -h SERVR_IP -b BASE_SEARCH -D \"AD_domain\\$user\" -w $passwd \"(sAMAccountName=$user)\" > /dev/null");
> if ($res == 0){ print "OK\n"; }
> else { print "ERR\n"; }
>
>}
>
>this works well in Active Directory.
>
>replace the filter with the attributes that you want to find.
>
>
>cheers
>
>
>
>
>>Please tell me your syntax that you use in your conf. file.
>>
>>Here is what I have ...
>>
>>auth_param basic program /usr/lib/squid/squid_ldap_auth -h
>>ldapsrv1.mitre.org -b "o=mitre.org" -D "ou=people,o=mitre.org" -f
>>"(&(CN=%s)(memberOf=CN=osis_proxyauth_lg))"
>>
>>So when I tried to use this proxy, the dialog box pops up. I type
>>in username and pasword but it fails with error in squid.log ...
>>1111177616.481 12 india.mitre.org TCP_DENIED/407 1742 POST
>>http://shttp.msg.yahoo.com/notify/ jkamdar NONE/- text/html
>>
>>It doesn't even tries to access my ldapserver, so something is
>>wrong on my config.
>>
>>Can you please help me out?
>>
>>Thanks,
>>Jayesh
>>
>>Ytzhak Levy wrote:
>>
>>
>>
>>>Thanks !!!
>>>
>>>All works fine now.
>>>
>>>The only thing that i have to did is to put AD_domain\\lookup, in
>>>the login name param.
>>>
>>>
>>>Cheers
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>>On Sat, 19 Mar 2005, Ytzhak Levy wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>#dn of group: CN=CGI - Rede,OU=Global,OU=Grupos,DC=mydomain,DC=com
>>>>>acl REDE_GRP external ldap_group CGI\ -\ Rede
>>>>>
>>>>>
>>>>>
>>>>>
>>>>This does not work.
>>>>
>>>>Currently the only way to define acl elements with spaces in
>>>>them is to use an acl file.
>>>>
>>>>acl REDE_GRP external ldap_group "/path/to/group.txt"
>>>>
>>>>where /path/to/group.txt contains
>>>>CGI - Rede
>>>>
>>>>Regards
>>>>Henrik
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>
>
>
Received on Mon Mar 21 2005 - 14:01:23 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST