Re: [squid-users] Squid_ldap_group

From: Jack <sa_jill@dont-contact.us>
Date: Sat, 26 Oct 2002 09:22:52 +0530

Hello Henrik,

acl ou_Testing external ldapou Testing
http_access allow ou_Testing
http_access deny all

If I set these rules as said earlier I am getting the error

The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be
experiencing technical difficulties, or you may need to adjust your browser
settings.
But I am able to get the page without the proxy setting and without the squid_ldap_group
helper (configured only squid_ldap_auth and the proxy_auth acl).
I want to set access rules based on groups.
For testing I am using only one group.
Thanks
Jack
>
> You can (and probably should) take away the proxy_auth ACL. Not needed.
> The ldapou will automatically invoke authentication as you have specified
> %LOGIN as a requirement to the external_acl type.
>
> The proxy_auth acl type is used if you want to build manual lists of users,
> and there you can use the magic keyword "REQUIRED" to match all users
> with no exceptions.
>
> So what the lines
>
> acl ldapauth proxy_auth REQUIRED
> http_access allow ldapauth
>
> says is that all authenticated users are to be granted access.
>
>
> and the lines
>
> acl ou_Testing external ldapou Testing
> http_access allow ou_Testing
>
> says that only users belonging to the Testing OU in your LDAP tree are to
> be allowed.
>
>
> The first http_access line that fully matches the request will determine
> if the request is allowed or not (fully matches = all acl names listed on
> that http_access line is true), and as you allow all users access before
> where you allow only Testing users access all your users will have access,
> not only the Testing ones.
>
>
> Should perhaps mention that if your goal is to only allow users from a
> specific OU in your LDAP tree and your LDAP tree is organised using OU
> based subtrees then you do not really need to use squid_ldap_match. You
> can then specify to squid_ldap_auth to use the OU as base DN, and
> squid_ldap_auth will only ever find users who are below this OU in your
> LDAP tree. But if you plan on allowing more than one OU, or want to base
> access on group memberships then squid_ldap_group will be needed.
>
> Regards
> Henrik
>
>
> On Fri, 25 Oct 2002, Jack wrote:
>
> > But when i configured squid_ldap_auth and my configuration looks like
> >
> > auth_param basic program /usr/local/squid25S1/libexec/squid_ldap_auth -b
> > dc=xxx,dc=com -f uid=%s localhost
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > external_acl_type ldapou %LOGIN /usr/local/squid/libexec/squid_ldap_group -b
> > "dc=xxx,dc=com" -f "(&(uid=%v)(ou=%a))" -h localhost
> > acl ou_testing external ldapou Testing
> > acl ldapauth proxy_auth REQUIRED
> > http_access allow ldapauth
> > http_access allow ou_testing
> > http_access deny all
> >
> > Here even users other than the "Testing" group are also able to browse but
> > I need only the group "Testing" to be able to browse and others should be denied.
> >
> > So I tried after changing the http_access rules to
> > http_access allow ldapauth ou_testing
> > http_access deny all
> >
> > Here I got a "page not found" page.
> >
> > As I did not find any information regarding this in squid_ldap_auth and
> > squid_ldap_group I am not able to proceed.
> >
> > Thanks
> > Jack
> >
> >
> > > Yes.
> > >
> > > The squid_ldap_group only performs group membership lookups and needs an
> > > authentication method defined to allow the user to log in. To use LDAP
> > > authentication you will also need to configure Squid to use
> > > squid_ldap_auth for authentication, and squid_ldap_group for group
> > > membership verifications.
> > >
> > > See the auth_param directive and the squid_ldap_auth basic authentication
> > > helper.
> > >
> > > Regards
> > > Henrik
> > >
> > >
> > > On Fri, 25 Oct 2002, Jack wrote:
> > >
> > > > Hello Henrik,
> > > >
> > > > Thanks,
> > > > When I configured the proxy in the browser and tried to browse I did not get
> > > > the authentication window.
> > > >
> > > > Do I need to configure an LDAP authentication program?
> > > >
> > > > Regards
> > > > Jack
> > > >
> > > > > Sorry, the acl line should obviously read
> > > > >
> > > > > acl ou_testing external ldapou Testing
> > > > >
> > > > > Regards
> > > > > Henrik
> > > > >
> > > > >
> > > > > Jack wrote:
> > > > > > Hello Henrik,
> > > > > >
> > > > > > When I ran squid after changing the squid configuration according to your
> > > > > > guide I got the following error:
> > > > > >
> > > > > > 2002/10/24 19:08:41| squid.conf line 1287: acl ou_testing ldapou Testing
> > > > > > 2002/10/24 19:08:41| aclParseAclLine: Invalid ACL type 'ldapou'
> > > > > > 2002/10/24 19:08:41| squid.conf line 1766: http_access allow ldapou
> > > > > > 2002/10/24 19:08:41| aclParseAccessLine: ACL name 'ldapou' not found.
> > > > > > 2002/10/24 19:08:41| squid.conf line 1766: http_access allow ldapou
> > > > > > 2002/10/24 19:08:41| aclParseAccessLine: Access line contains no ACL's, skipping
> > > > > >
> > > > > > I compiled squid with the following configuration options:
> > > > > >
> > > > > > ./configure --prefix=/usr/local/squid25S1 --enable-snmp --enable-ssl
> > > > > > --enable-external-acl-helpers="ldap_group"
> > > > > >
> > > > > > How do I set an acl for ldap_group?
> > > > > >
> > > > > > Thanks,
> > > > > > Jack
> > > > > >
> > > > > > > The -f argument to squid_ldap_group needs to contain special codes
> > > > > > > referring to the login or group names. The correct external_acl_type
> > > > > > > line reads:
> > > > > > >
> > > > > > > external_acl_type ldapou %LOGIN /usr/local/squid/libexec/squid_ldap_group -b
> > > > > > > "dc=xxx,dc=com" -f "(&(uid=%v)(ou=%a))" -h localhost
> > > > > > >
> > > > > > > acl ou_testing ldapou Testing
> > > > > > >
> > > > > > > These magic codes are documented in the squid_ldap_group documentation
> > > > > > > shipped with Squid.
> > > > > > >
> > > > > > > Regards
> > > > > > > Henrik Nordström
> > > > > >
> > > >
> > > >
> >
> >
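As an added example (not part of the thread), here is a small Python model of how Squid walks its http_access lines against the ACLs discussed above, showing why "allow ldapauth" placed before "allow ou_testing" admits every authenticated user. The directory contents and user names are constructed for the demo; the helper function is a stand-in for squid_ldap_group, not its real code.

```python
# Added example, not from the thread: a model of Squid's http_access
# evaluation order. DIRECTORY and the user names are constructed.
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the LDAP tree under dc=xxx,dc=com: uid -> ou.
DIRECTORY: Dict[str, str] = {"alice": "Testing", "bob": "Sales"}


def squid_ldap_group(login: str, group: str) -> bool:
    """Models the helper's (&(uid=%v)(ou=%a)) search: %v is the login
    supplied through %LOGIN, %a is the acl argument ("Testing")."""
    return DIRECTORY.get(login) == group


# acl name -> predicate on the authenticated login.
ACLS: Dict[str, Callable[[str], bool]] = {
    "ldapauth": lambda login: login in DIRECTORY,                    # proxy_auth REQUIRED
    "ou_testing": lambda login: squid_ldap_group(login, "Testing"),  # external ldapou Testing
    "all": lambda login: True,
}

Rule = Tuple[str, List[str]]


def http_access(rules: List[Rule], login: str) -> str:
    """The first http_access line whose acl names ALL match decides.
    If no line matches, Squid applies the opposite of the last line's action."""
    action = "allow"
    for action, names in rules:
        if all(ACLS[name](login) for name in names):
            return action
    return "deny" if action == "allow" else "allow"


# Jack's first attempt: the ldapauth line matches every authenticated user
# before the group line is ever consulted.
RULES_ORIGINAL: List[Rule] = [
    ("allow", ["ldapauth"]),
    ("allow", ["ou_testing"]),
    ("deny", ["all"]),
]

# Henrik's advice: only the Testing OU should match; ldapauth is redundant
# because %LOGIN already forces authentication for the external acl.
RULES_FIXED: List[Rule] = [
    ("allow", ["ou_testing"]),
    ("deny", ["all"]),
]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "original:", http_access(RULES_ORIGINAL, user),
              "fixed:", http_access(RULES_FIXED, user))
```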

Received on Fri Oct 25 2002 - 21:41:11 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:55 MST