[squid-users] Kerberos Authentication and LDAP Authorization

From: <Ralf.Lutz_at_Heidelberg.de>
Date: Fri, 5 Feb 2010 10:28:26 +0100

Hi,

I successfully configured squid to authenticate against AD using kerberos. I inserted an acl that authenticated users are allowed.

The next step should be, that only users in a defined group in the AD will be allowed. I�ve read that this should be possible by using the external helper squid_ldap_group, but I dont�s understand, what I have to do that squid_ldap_group uses ther kerberos-authenticated user.

I�ve added the following to squid.conf:

external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b "CN=Users,DC=heidelberg,DC=bw-online,DC=de" -f "(&(cn=%g)(memberUid=%u)(objectClass=ebay))" -B "CN=Users" -F "(CN=%s)" -D "CN=ldap,CN=Users,DC=heidelberg,DC=bw-online,DC=de" -w "PASSWORD" -h dc2.heidelberg.bw-online.de -v 3 -K

ebay ist he group that contains the users which should be allowed, this group is in the container Users. The user to read the AD is ldap, also located in the container Users.

I�ve the deleted the acl and the http_access for the authenticated users with kerberos and added the following:

acl ldapgroup-access external ldapgroup @HEIDELBERG.BW-ONLINE.DE

http_access allow all ldapgroup-access

But now, event members oft he ebay-group get a denied. Can anyone see my mistake ?

Kind Regards,
Ralf
Received on Fri Feb 05 2010 - 09:28:35 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 05 2010 - 12:00:04 MST