Re: [squid-users] External ACL - LDAP Authentication

From: Callum <[email protected]>
Date: Fri, 25 Apr 2008 10:43:58 +0100

Have you tried using single quotes? Also, try calling squid_ldap_group
via Squid itself as this is how it's intended: it may avoid some
weirdness.

Failing that, just create a new group in AD called squidusers or
something, and add the one member, "Domain Users."

Here's the relevant bits of my squid.conf though I confess it's a while
since I set it up so I'm a bit rusty with it. Works fine though.

#TAG: auth_param
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
"dc=swarthmore,dc=org,dc=local" -D
"cn=LDAP_guest,OU=ADMIN,DC=swarthmore,DC=org,DC=local" -w
"XXXXXXXXXXXXXXXX" -f sAMAccountName=%s -h 10.4.0.3
    auth_param basic children 5
    auth_param basic realm "Donkey Centre"
    auth_param basic credentialsttl 5 minutes

#TAG: external_acl_type
external_acl_type InetUsersGroup %LOGIN /usr/lib/squid/squid_ldap_group
-R -b "dc=swarthmore,dc=org,dc=local" -D
"cn=LDAP_guest,OU=ADMIN,DC=swarthmore,DC=org,DC=local" -w
"XXXXXXXXXXXXXXXXXXX" -f "(&(objectclass=person)(sAMAccountName=%
v)(memberof=cn=%a,ou=users,dc=swarthmore,dc=org,dc=local))" -h 10.4.0.2

#TAG: acl
acl localnet proxy_auth REQUIRED src 10.0.0.0/8
acl InetAccess external InetUsersGroup SquidUsers

# TAG: http_access
http_access allow InetAccess

Try http://wiki.debian.org/DebianEdu/HowTo/Squid_LDAP_Authentication or
http://linux.die.net/man/8/squid_ldap_group for more information about
Squid and LDAP.

Callum.

On Thu, 2008-04-24 at 15:18 -0300, Matias Chris wrote:
> Hi there, this might be seen as offtopic but is part of our proxy
> solution, there is some silly problem Im stuck with...
>
> I need to authenticate users with LDAP against a group called "Domain
> Users" with the space in the middle. Is this possible?
>
> Im using squid_ldap_group scritp on the command line(for testing), if
> I try with a one-word group like "Internet" it gives me a OK, but if I
> try with "Domain Users" I allways receive an ERR even If i send the
> group between "". Is there any way to authenticate against a group
> called with more than one word?
>
> >Thanks!
Received on Fri Apr 25 2008 - 09:44:09 MDT

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:04 MDT