[squid-users] Re: sorry, to bother you again

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 19 Sep 2001 20:57:33 +0200

To filter on attribute you currently need to use the search approach in
finding the user DN.

The program uses the standard LDAP filter syntax described in RFC 2254,
same as ldapsearch. If you are unsure I'd suggest you start with
ldapsearch to find the correct filter.

Assuming your user objects look like

   uid=<login name>
   objectClass=Person
   nsmsgdissallowaccess=<list of disallowed services>

the search filter should become something like this:

   (&(uid=%s)(!(nsmsgdissallowaccess=*http*))(objectClass=Person))

To try this using ldapsearch, replace %s by the login name you want to
find.

   ldapsearch -b "base DN" -h your.ldap.server '(&(uid=RKaern)(!(nsmsgdissallowaccess=*http*))(objectClass=Person))'

If this works, the squid_ldap_auth command becomes

   squid_ldap_auth -b 'base DN' -f '(&(uid=%s)(!(nsmsgdissallowaccess=*http*))(objectClass=Person))' your.ldap.server

"base DN" is the DN under which all your users and/or user subtrees are
located.

If your LDAP server does not allow anonymous searches you will also need
to provide a user DN and password to bind as while performing the
search.

Note: you must remove the quotes from the squid_ldap_auth command line
if you put it directly in squid.conf.

--
Henrik Nordstrom
Squid Hacker

Roland Kärn wrote:
> 
> Hi Henrik,
> 
> hey, that's quite a fast answer! THX a lot for your efforts!
> But I think, your support is urgently needed, because of the lack of
> documentation....
> I'm sorry to say that, but I read the man pages 2,3 and 10 times but I didn't
> get any clue how to ask not only for the user, but also for specific
> attributes in an ldap-profile for a certain user.
> That's also the reason, why I wrote a perl-script....
> You are right of course, saying, that not squid but the clients browser raises
> the window asking for a user and password - it wasn't good enough expressed by
> me. Its origin starts at squid. That's it.
> 
> Ok. So I have to ask you for the right parameters for squid_ldap_auth in
> behalf of asking the ldap-server not only for a certain user and his password
> but also for a certain attribute, which allows him/her to surf the internet.
> The dn, uid, scope and other stuff seems to be clear for me.
> What I'm looking for, is the parameter of squid_ldap_auth to ask for the
> attribute which names "nsmsgdissallowaccess" and contains *several*
> parameters. I.e. the line is
> nsmsgdissallowaccess=pop http
> So, I have to pick the information (string 'http'), which says "no", this user
> isn't allowed to surf. And subsequently the squid_ldap_auth-program has to
> return ERR to squid.
> 
> How to manage this?
> 
> Concerning the hint with the wrapping shell-script, I saw such a script
> already in the mailing-list and I have to try it. I will do that today.
> 
> So I hope you can pass over another hint. Thanks as always!
> BTW: where are you? I see from your name you are from Sweden? Are you joining
> the squid-project from there?
> 
> Have a nice day!
> 
> Sebastian
Received on Wed Sep 19 2001 - 13:14:18 MDT
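
Added example (not part of the original message and not Squid code): a strict checker for the RFC 2254 subset used above. It parses a filter template, substitutes an escaped login name for %s, and evaluates the result against a directory entry. All function names, the SAMPLE entry and the case-insensitive value matching are assumptions made for illustration.

```python
import re

def escape_value(s):
    """Escape RFC 2254 special characters before a login name replaces %s."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in s)

def parse(f, i=0):  # returns (node, index just past the closing parenthesis)
    if f[i:i + 1] != '(':
        raise ValueError('expected "(" at offset %d' % i)
    i += 1
    if f[i:i + 1] in ('&', '|', '!'):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == '(':
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == '!' and len(kids) != 1):
            raise ValueError('%s needs parenthesized operand(s)' % op)
        node = (op, kids)
    else:
        j = f.find(')', i)
        attr, eq, pattern = f[i:j].partition('=')
        if j < 0 or not attr or not eq or '(' in pattern:
            raise ValueError('malformed item at offset %d' % i)
        node, i = ('item', attr.lower(), pattern), j
    if f[i:i + 1] != ')':
        raise ValueError('expected ")" at offset %d' % i)
    return node, i + 1

def value_matches(pattern, value):
    """'*' is a wildcard; \\XX escapes are decoded to literal characters."""
    unhex = lambda p: re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m[1], 16)), p)
    regex = '.*'.join(re.escape(unhex(p)) for p in pattern.split('*'))
    return re.fullmatch(regex, value, re.I | re.S) is not None

def evaluate(node, entry):  # entry: lower-case attribute name -> list of values
    if node[0] == 'item':
        return any(value_matches(node[2], v) for v in entry.get(node[1], []))
    results = [evaluate(kid, entry) for kid in node[1]]
    return {'&': all, '|': any, '!': lambda r: not r[0]}[node[0]](results)

def user_allowed(template, login, entry):  # True if the entry would be found
    flt = template % escape_value(login)
    node, end = parse(flt)
    if end != len(flt):
        raise ValueError('trailing text after filter')
    return evaluate(node, entry)

TEMPLATE = '(&(uid=%s)(!(nsmsgdissallowaccess=*http*))(objectClass=Person))'
SAMPLE = {'uid': ['RKaern'], 'objectclass': ['Person'],  # constructed entry
          'nsmsgdissallowaccess': ['pop http']}
```

user_allowed(TEMPLATE, 'RKaern', SAMPLE) is False because the value "pop http" contains "http". Note that the substring term *http* also matches a value such as "https", and that an entry with no nsmsgdissallowaccess attribute at all passes the NOT term.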
