[squid-users] group_ldap_auth with 2 groups

From: Dirk Datzert <dirk.datzert@dont-contact.us>
Date: Wed, 21 Mar 2001 17:14:13 +0100

Hi all,
Hi Tobias,

I have a problem with squid-2.3.STABLE4-ldap_auth (latest 2.3.STABLE4
with group_ldap_auth and latest patches for STABLE4) and ldap_auth with
2 groups. ( Linux 2.2.16, SuSE 7.0 )

User N4671 is uniquemember of cn=www-user and not uniquemember of
cn=superuser.

squid/acl or ldap_auth checks only against group cn=superuser which is
referenced first in squid.conf.

Is the squid.conf wrong ?
One group named superuser should have access to FTP/HTTP/HTTPS. The other
group called www-user should only have access to HTTP/HTTPS, but not to any
.tar|.zip and so on.

Any ideas ?

----squid.conf----

acl HTTPS proto HTTPS
acl HTTP proto HTTP
acl FTP proto FTP

acl password ldap_auth REQUIRED
acl superuser ldap_auth static superuser
acl www-user ldap_auth static www-user

acl mydomain dstdomain .rasselstein-hoesch.de

acl mime dstdomain mime.rasselstein-hoesch.de
acl http_mime port 1081

acl unknown_content urlpath_regex -i \.(arc|arj)$
acl unknown_content urlpath_regex -i \.(bin|exe)$
acl unknown_content urlpath_regex -i \.(tar|rar|tgz|gz)$
acl unknown_content urlpath_regex -i \.(lha|arj)$

http_access allow FTP superuser
http_access allow HTTP superuser
http_access allow HTTPS superuser

http_access deny unknown_content www-user
http_access allow HTTP www-user
http_access allow HTTPS www-user

http_access deny all

----cache.log----

2001/03/21 16:58:15| aclMatchAcl: checking 'acl FTP proto FTP'
2001/03/21 16:58:15| aclMatchAclList: returning 0
2001/03/21 16:58:15| aclCheck: checking 'http_access allow HTTP
superuser'
2001/03/21 16:58:15| aclMatchAclList: checking HTTP
2001/03/21 16:58:15| aclMatchAcl: checking 'acl HTTP proto HTTP'
2001/03/21 16:58:15| aclMatchAclList: checking superuser
2001/03/21 16:58:15| aclMatchAcl: checking 'acl superuser ldap_auth
static superuser
2001/03/21 16:58:15| aclDecodeProxyAuth: header = 'Basic xxx'
2001/03/21 16:58:15| aclDecodeProxyAuth: cleartext = 'n4671:xxx'
2001/03/21 16:58:15| aclMatchLdapAuth: checking user 'n4671'
2001/03/21 16:58:15| aclMatchLdapAuth: user 'n4671' not yet known
2001/03/21 16:58:15| aclMatchAclList: returning 0
2001/03/21 16:58:15| aclCheck: checking password via ldap authenticator
2001/03/21 16:58:15| aclDecodeProxyAuth: header = 'Basic xxx'
2001/03/21 16:58:15| aclDecodeProxyAuth: cleartext = 'n4671:xxx'
2001/03/21 16:58:15| aclLookupLdapAuthStart: going to ask authenticator
about user
2001/03/21 16:58:15| aclLookupLdapAuthDone: result = f
2001/03/21 16:58:15| aclCheck: checking 'http_access allow HTTP
superuser'
2001/03/21 16:58:15| aclMatchAclList: checking HTTP
2001/03/21 16:58:15| aclMatchAcl: checking 'acl HTTP proto HTTP'
2001/03/21 16:58:15| aclMatchAclList: checking superuser
2001/03/21 16:58:15| aclMatchAcl: checking 'acl superuser ldap_auth
static superuser
2001/03/21 16:58:15| aclDecodeProxyAuth: header = 'Basic xxx'
2001/03/21 16:58:15| aclDecodeProxyAuth: cleartext = 'n4671:xxx'
2001/03/21 16:58:15| aclMatchLdapAuth: checking user 'n4671'
2001/03/21 16:58:15| aclMatchLdapAuth: authentication failed for user
'n4671' group 'NONE'
2001/03/21 16:58:15| aclMatchAclList: returning 0
2001/03/21 16:58:15| aclCheck: match found, returning 2
2001/03/21 16:58:15| aclCheckCallback: answer=2

----/tmp/group_ldap_auth.log----
received n4671 xxx 1 s #superuser#
searching for user with filter (uid=n4671)
searching for static group superuser using filter (& (cn=superuser) (| (objectclass=groupofuniquenames) (objectclass=groupofnames)))
user uid=N4671,ou=Andernach,o=RHG not found in group superuser
checkLdap returned 5

no search for www-user is done. why ?

Best Regards

-- 
Dirk Datzert
Rasselstein Hoesch GmbH 
Informatik / Anwendungsentwicklung
D-56626 Andernach
Koblenzer Strasse 141
http://www.rasselstein-hoesch.de
Tel.: +49 (0) 2631 81-4595
Fax.: +49 (0) 2631 81-15-4595
mailto:Dirk.Datzert@rasselstein-hoesch.de

Received on Wed Mar 21 2001 - 09:14:42 MST
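
Added example, not part of the original post: a small Python script that rejoins wrapped cache.log entries and lists which http_access rules and ldap_auth groups the debug output shows being evaluated, so a configured group that was never consulted (www-user in the post) stands out. The sample log is constructed in the format quoted above; `unwrap` and `summarize` are hypothetical helper names.

```python
import re

# Constructed sample in the cache.log debug format quoted in the post.
SAMPLE_LOG = """\
2001/03/21 16:58:15| aclCheck: checking 'http_access allow HTTP
superuser'
2001/03/21 16:58:15| aclMatchAclList: checking HTTP
2001/03/21 16:58:15| aclMatchAcl: checking 'acl HTTP proto HTTP'
2001/03/21 16:58:15| aclMatchAclList: checking superuser
2001/03/21 16:58:15| aclMatchAcl: checking 'acl superuser ldap_auth
static superuser
2001/03/21 16:58:15| aclMatchLdapAuth: authentication failed for user
'n4671' group 'NONE'
2001/03/21 16:58:15| aclMatchAclList: returning 0
2001/03/21 16:58:15| aclCheck: match found, returning 2
2001/03/21 16:58:15| aclCheckCallback: answer=2
"""

STAMP = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\| ")
RULE = re.compile(r"aclCheck: checking '(http_access [^']+)'")
GROUP = re.compile(r"aclMatchAcl: checking 'acl \S+ ldap_auth static ([^']+)'?$")
FAILED = re.compile(r"aclMatchLdapAuth: authentication failed for user '([^']+)'")
ANSWER = re.compile(r"aclCheckCallback: answer=(\d+)")

def unwrap(text):
    """Rejoin wrapped entries: a line without a timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line):
            entries.append(STAMP.sub("", line).rstrip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    return entries

def summarize(text, configured_groups):
    """Report which rules and ldap_auth groups the log shows being evaluated."""
    rules, groups, failed, answer = [], [], [], None
    for entry in unwrap(text):
        for pattern, bucket in ((RULE, rules), (GROUP, groups), (FAILED, failed)):
            m = pattern.match(entry)
            if m and m.group(1) not in bucket:
                bucket.append(m.group(1))
        m = ANSWER.match(entry)
        if m:
            answer = int(m.group(1))
    never = [g for g in configured_groups if g not in groups]
    return {"rules": rules, "groups_checked": groups,
            "groups_never_checked": never, "auth_failed": failed, "answer": answer}
```

Calling `summarize(SAMPLE_LOG, ["superuser", "www-user"])` returns the rules reached, the groups consulted, and the configured groups that never appear in the trace.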
