Re: [squid-users] problems Squid auth with Active Directory with LDAP module

From: Henrik Nordstrom <[email protected]>
Date: Wed, 31 Jan 2007 22:54:02 +0100

Mon 2007-01-22 at 23:09 +0100, kRiZiO LoRd wrote:

> auth_param basic program /usr/lib/squid/ldap_auth -R -b
> "dc=raah,dc=local" -D "cn=Administrador,cn=squid
> _users,ou=Users,dc=raah,dc=local" -w "admin" -f sAMAccountName=%s -h
> 192.168.0.90

Looks reasonable, but the Administrator DN doesn't look the way I am
used to. If you are not sure about the LDAP DN of the search user then
MS AD also accepts binding to the username directly: user@ad-domain.

> external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R
> -b "dc=raah,dc=local" -D "cn=Administrador,ou=Users,dc
> =raah,dc=local" -w "admin" -f
> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Users,dc=raah,dc=local))"
> -h 192.168.0.90

Usually one uses squid_ldap_group in a different manner, looking for
groups having the user as member rather than groups being mentioned in
the user object, but assuming all groups you need fit in the above
group DN pattern cn=<groupname>,ou=Users,dc=raah,dc=local the above
should work.

To do it the "normal" way, use the -F option specifying the search
filter from squid_ldap_auth, then -f specifying a group filter, usually
just "(&(objectclass=groupOfNames)(member=%u)(cn=%g))"

But before looking into using groups, verify that the login part works
(squid_ldap_auth).

Regards
Henrik

Received on Wed Jan 31 2007 - 14:54:07 MST
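
Added example, not part of Henrik's message or the poster's configuration: a squid.conf fragment wiring up the "normal" group lookup described above, with the bind password read from a file via -W instead of being passed with -w on the helper command line. The bind account squid@raah.local (the domain name is inferred from the base DN), the secret file path, the group name InternetUsers and the ACL names are assumptions.

```conf
# --- Login part: get this working before adding any group checks. ---
# Manual check: run the helper command below in a shell, type
# "username password" on one line, and expect OK (or ERR) in reply.
# -D uses the user@ad-domain bind form instead of a full DN (assumed account).
# -W reads the bind password from a file, so it does not appear in squid.conf
# or in the process list; make the file readable by the Squid user only.
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=raah,dc=local" -D "squid@raah.local" -W /etc/squid/ldap_bind.secret -f "sAMAccountName=%s" -h 192.168.0.90
auth_param basic children 5
auth_param basic realm Squid proxy

# --- Group part, the "normal" way. ---
# -F finds the user's entry (same filter as the auth helper); its DN replaces %u.
# -f then searches for a group entry named %g that lists that DN as a member.
# The group filter is the one quoted in the message; the objectclass must match
# the directory's group class (Active Directory group entries use "group").
external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=raah,dc=local" -D "squid@raah.local" -W /etc/squid/ldap_bind.secret -F "sAMAccountName=%s" -f "(&(objectclass=groupOfNames)(member=%u)(cn=%g))" -h 192.168.0.90

# InternetUsers is a hypothetical group name; it is passed to the helper as %g.
acl inet_users external InetGroup InternetUsers

# Allow members of the group, deny everything else.
http_access allow inet_users
http_access deny all
```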
