Re: [squid-users] Squid_ldap_group

From: Henrik Nordström <hno@dont-contact.us>
Date: Fri, 25 Oct 2002 17:01:03 +0200 (CEST)

You can (and probably should) take away the proxy_auth ACL. Not needed.
The ldapou will automatically invoke authentication as you have specified
%LOGIN as a requirement to the external_acl type.

The proxy_auth acl type is used if you want to build manual lists of users,
and there you can use the magic keyword "REQUIRED" to match all users
with no exceptions.

So what the lines

acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth

says is that all authenticated users are to be granted access.

and the lines

acl ou_Testing external ldapou Testing
http_access allow ou_Testing

says that only users belonging to the Testing OU in your LDAP tree are to
be allowed.

The first http_access line that fully matches the request will determine
if the request is allowed or not (fully matches = all acl names listed on
that http_access line are true), and as you allow all users access before
the line where you allow only Testing users access, all your users will
have access, not only the Testing ones.

Should perhaps mention that if your goal is to only allow users from a
specific OU in your LDAP tree and your LDAP tree is organised using OU
based subtrees then you do not really need to use squid_ldap_match. You
can then specify to squid_ldap_auth to use the OU as base DN, and
squid_ldap_auth will only ever find users who are below this OU in your
LDAP tree, but if you plan on allowing more than one OU, or want to base
access on group memberships then squid_ldap_group will be needed.

Regards
Henrik
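The following is an added example, not part of this thread and not Squid's own code. It models the two points discussed above: how Squid picks the first http_access line whose ACLs all match (with the opposite of the last line as the default), and what the squid_ldap_group -f template "(&(uid=%v)(ou=%a))" turns into once %v and %a are substituted. The LDAP tree is replaced by a constructed in-memory list of entries, and a request with no credentials is simply reported as "auth-required" (the 407 challenge) instead of modelling Squid's full challenge handling. The RFC 4515 escaping of the substituted values is included to show why a login name must be treated as data inside the filter; whether a given squid_ldap_group version escapes identically is not claimed here.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the entries under dc=xxx,dc=com (not real data).
DIRECTORY = [
    {"uid": "alice", "ou": "Testing"},
    {"uid": "bob", "ou": "Sales"},
]

# The -f template from the thread: %v is the login name, %a the acl argument.
FILTER_TEMPLATE = "(&(uid=%v)(ou=%a))"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of filter metacharacters, so a substituted value is
    compared as data and cannot change the shape of the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def ldap_unescape(value: str) -> str:
    """Reverse of ldap_escape, used by the toy directory search below."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_filter(login: str, arg: str) -> str:
    """Substitute %v and %a into the -f template, escaping both values."""
    return (FILTER_TEMPLATE.replace("%v", ldap_escape(login))
                           .replace("%a", ldap_escape(arg)))


def ldap_group(login: str, arg: str) -> str:
    """Mimic a squid_ldap_group lookup: answer OK when some entry satisfies
    every (attr=value) term of the conjunctive filter, otherwise ERR."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", build_filter(login, arg))
    for entry in DIRECTORY:
        if all(entry.get(attr) == ldap_unescape(val) for attr, val in terms):
            return "OK"
    return "ERR"


class AuthRequired(Exception):
    """An ACL needed a login but the request carried none; Squid answers
    such a request with a 407 challenge instead of allow/deny."""


def proxy_auth_required(login: Optional[str]) -> bool:
    # acl ldapauth proxy_auth REQUIRED: true for any authenticated user.
    if login is None:
        raise AuthRequired
    return True


def external_ldapou(arg: str) -> Callable[[Optional[str]], bool]:
    # %LOGIN in external_acl_type means the helper needs a login, so this
    # ACL triggers authentication by itself; no proxy_auth ACL is needed.
    def check(login: Optional[str]) -> bool:
        if login is None:
            raise AuthRequired
        return ldap_group(login, arg) == "OK"
    return check


ACLS: Dict[str, Callable[[Optional[str]], bool]] = {
    "ldapauth": proxy_auth_required,           # acl ldapauth proxy_auth REQUIRED
    "ou_testing": external_ldapou("Testing"),  # acl ou_testing external ldapou Testing
    "all": lambda login: True,
}

Rule = Tuple[str, List[str]]  # ("allow" | "deny", [acl names on the line])


def http_access(rules: List[Rule], login: Optional[str]) -> str:
    """The first line whose ACLs all match decides (ACLs on one line are
    ANDed); if no line matches, the opposite of the last line applies."""
    try:
        for action, names in rules:
            if all(ACLS[name](login) for name in names):
                return action
    except AuthRequired:
        return "auth-required"
    return "deny" if rules[-1][0] == "allow" else "allow"


# The order from the thread: "allow ldapauth" matches every logged-in user
# before the OU check is ever reached.
JACKS_RULES = [("allow", ["ldapauth"]), ("allow", ["ou_testing"]), ("deny", ["all"])]
# Without the catch-all allow line, only Testing members get through.
OU_ONLY_RULES = [("allow", ["ou_testing"]), ("deny", ["all"])]
# Both ACLs on one line: they are ANDed, which also restricts to Testing.
ANDED_RULES = [("allow", ["ldapauth", "ou_testing"]), ("deny", ["all"])]

if __name__ == "__main__":
    for label, rules in (("original", JACKS_RULES), ("ou only", OU_ONLY_RULES),
                         ("anded", ANDED_RULES)):
        for login in ("alice", "bob", None):
            print(f"{label:9} login={login!s:6} -> {http_access(rules, login)}")
```

Running the block prints one line per rule set and login; the "original" rule set allows bob even though he is in Sales, while the other two only allow alice. The ldap_escape step means a login such as `a*)(ou=Sales` becomes a literal uid to search for rather than a new filter term, so the group lookup answers ERR for it.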

On Fri, 25 Oct 2002, Jack wrote:

> But when i configured squid_ldap_auth and my configuration looks like
>
> auth_param basic program /usr/local/squid25S1/libexec/squid_ldap_auth -b
> dc=xxx,dc=com -f uid=%s localhost
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> external_acl_type ldapou %LOGIN /usr/local/squid/libexec/squid_ldap_group -b
> "dc=xxx,dc=com" -f "(&(uid=%v)(ou=%a))" -h localhost
> acl ou_testing external ldapou Testing
> acl ldapauth proxy_auth REQUIRED
> http_access allow ldapauth
> http_access allow ou_testing
> http_access deny all
>
> Here even users from other than the "Testing" group are also able to browse, but
> i need only group "Testing" to be able to browse and others should be denied.
>
> So i tried after changing http_access rules as
> http_access allow ldapauth ou_testing
> http_access deny all
>
> Here i got page not found page.
>
> As i did not find any information regarding this in squid_ldap_auth and
> squid_ldap_group i am not able to proceed.
>
> Thanks
> Jack
>
>
> > Yes.
> >
> > The squid_ldap_group only performs group membership lookups and needs an
> > authentication method defined to allow the user to log in. To use LDAP
> > authentication you will also need to configure Squid to use
> > squid_ldap_auth for authentication, and squid_ldap_group for group
> > membership verifications.
> >
> > See the auth_param directive and the squid_ldap_auth basic authentication
> > helper.
> >
> > Regards
> > Henrik
> >
> >
> > On Fri, 25 Oct 2002, Jack wrote:
> >
> > > Hello Henrik,
> > >
> > > Thanks,
> > > When i configured proxy in browser and try to browse i did not get
> > > authentication window.
> > >
> > > Do i need to configure LDAP authentication program?
> > >
> > > Regards
> > > Jack
> > >
> > > > Sorry, the acl line should obviously read
> > > >
> > > > acl ou_testing external ldapou Testing
> > > >
> > > > Regards
> > > > Henrik
> > > >
> > > >
> > > > Jack wrote:
> > > > > Hello Henrik,
> > > > >
> > > > > While i run squid after changing squid configuration according to your
> > > > > guide i got following error:
> > > > >
> > > > > 2002/10/24 19:08:41| squid.conf line 1287: acl ou_testing ldapou Testing
> > > > > 2002/10/24 19:08:41| aclParseAclLine: Invalid ACL type 'ldapou'
> > > > > 2002/10/24 19:08:41| squid.conf line 1766: http_access allow ldapou
> > > > > 2002/10/24 19:08:41| aclParseAccessLine: ACL name 'ldapou' not found.
> > > > > 2002/10/24 19:08:41| squid.conf line 1766: http_access allow ldapou
> > > > > 2002/10/24 19:08:41| aclParseAccessLine: Access line contains no ACL's,
> > > > > skipping
> > > > >
> > > > > I compiled squid with following configuration option:
> > > > >
> > > > > ./configure --prefix=/usr/local/squid25S1 --enable-snmp --enable-ssl
> > > > > --enable-external-acl-helpers="ldap_group"
> > > > >
> > > > > How to set acl for ldap_group
> > > > >
> > > > > Thanks,
> > > > > Jack
> > > > >
> > > > > > The -f argument to squid_ldap_group needs to contain special codes
> > > > > > referring to the login or group names. The correct external_acl_type
> > > > > > line reads:
> > > > > >
> > > > > > external_acl_type ldapou %LOGIN
> > > > > > /usr/local/squid/libexec/squid_ldap_group -b "dc=xxx,dc=com" -f
> > > > > > "(&(uid=%v)(ou=%a))" -h localhost
> > > > > >
> > > > > > acl ou_testing ldapou Testing
> > > > > >
> > > > > > These magic codes are documented in the squid_ldap_group documentation
> > > > > > shipped with Squid.
> > > > > >
> > > > > > Regards
> > > > > > Henrik Nordström
> > > > >
> > > > > __________________________________________________
> > > > > Do You Yahoo!?
> > > > > Everything you'll ever need on one web page
> > > > > from News and Sport to Email and Music Charts
> > > > > http://uk.my.yahoo.com
> > >
>
>
Received on Fri Oct 25 2002 - 09:01:07 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:55 MST