Re: [squid-users] Squid_ldap_group

From: Jack <sa_jill@dont-contact.us>
Date: Sat, 26 Oct 2002 09:40:12 +0530

Hello Henrik,

Sorry, I did not notice the cache.log.

I found these messages in cache.log:

2002/10/26 09:20:34| helperOpenServers: Starting 5 'squid_ldap_auth' processes
2002/10/26 09:20:34| helperOpenServers: Starting 5 'squid_ldap_group' processes
2002/10/26 09:20:34| ipcCreate: /usr/local/squid/libexec/squid_ldap_group: (2) No such file or directory
2002/10/26 09:20:34| ipcCreate: /usr/local/squid/libexec/squid_ldap_group: (2) No such file or directory
2002/10/26 09:20:34| ipcCreate: /usr/local/squid/libexec/squid_ldap_group: (2) No such file or directory
2002/10/26 09:20:34| ipcCreate: /usr/local/squid/libexec/squid_ldap_group: (2) No such file or directory
2002/10/26 09:20:34| ipcCreate: /usr/local/squid/libexec/squid_ldap_group: (2) No such file or directory
2002/10/26 09:20:34| Unlinkd pipe opened on FD 20
2002/10/26 09:20:34| Swap maxSize 102400 KB, estimated 7876 objects

But I configured Squid as
./configure --prefix=/usr/local/squid25S1 --enable-snmp --enable-ssl --enable-external-acl-helpers=ldap_group

How do I make Squid look for squid_ldap_group in /usr/local/squid25S1/libexec/?

I am using the squid-2.5.STABLE1-20020927 daily snapshot.

> Hello Henrik,
>
> acl ou_Testing external ldapou Testing
> http_access allow ou_Testing
> http_access deny all
>
> If I set these rules as said earlier I am getting the error:
>
> The page cannot be displayed
> The page you are looking for is currently unavailable. The Web site might be
> experiencing technical difficulties, or you may need to adjust your browser
> settings.
> -----
> ----
> ----
>
> But I am able to get the page without the proxy setting and without the
> squid_ldap_group helper (configured only squid_ldap_auth and proxy_auth acl).
>
> I want to set access rules based on groups.
>
> For testing i am using only one group.
>
> Thanks
> Jack
>
> >
> > You can (and probably should) take away the proxy_auth ACL. Not needed.
> > The ldapou will automatically invoke authentication as you have specified
> > %LOGIN as a requirement to the external_acl type.
> >
> > The proxy_auth acl type is used if you want to build manual lists of users,
> > and there you can use the magic keyword "REQUIRED" to match all users
> > with no exceptions.
> >
> > So what the lines
> >
> > acl ldapauth proxy_auth REQUIRED
> > http_access allow ldapauth
> >
> > says is that all authenticated users are to be granted access.
> >
> >
> > and the lines
> >
> > acl ou_Testing external ldapou Testing
> > http_access allow ou_Testing
> >
> > says that only users belonging to the Testing OU in your LDAP tree are to
> > be allowed.
> >
> >
> > The first http_access line that fully matches the request will determine
> > if the request is allowed or not (fully matches = all acl names listed on
> > that http_access line are true), and as you allow all users access before
> > where you allow only Testing users access, all your users will have access,
> > not only the Testing ones.
> >
> >
> > Should perhaps mention that if your goal is to only allow users from a
> > specific OU in your LDAP tree and your LDAP tree is organised using OU
> > based subtrees then you do not really need to use squid_ldap_match. You
> > can then specify to squid_ldap_auth to use the OU as base DN, and
> > squid_ldap_auth will only ever find users who are below this OU in your
> > LDAP tree, but if you plan on allowing more than one OU, or want to base
> > access on group memberships then squid_ldap_group will be needed.
> >
> > Regards
> > Henrik
> >
> >
> > On Fri, 25 Oct 2002, Jack wrote:
> >
> > > But when I configured squid_ldap_auth my configuration looks like
> > >
> > > auth_param basic program /usr/local/squid25S1/libexec/squid_ldap_auth -b dc=xxx,dc=com -f uid=%s localhost
> > > auth_param basic children 5
> > > auth_param basic realm Squid proxy-caching web server
> > > auth_param basic credentialsttl 2 hours
> > > external_acl_type ldapou %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "dc=xxx,dc=com" -f "(&(uid=%v)(ou=%a))" -h localhost
> > > acl ou_testing external ldapou Testing
> > > acl ldapauth proxy_auth REQUIRED
> > > http_access allow ldapauth
> > > http_access allow ou_testing
> > > http_access deny all
> > >
> > > Here even users other than the "Testing" group are also able to browse, but
> > > I need only group "Testing" to be able to browse and others to be denied.
> > >
> > > So I tried after changing the http_access rules to
> > > http_access allow ldapauth ou_testing
> > > http_access deny all
> > >
> > > Here I got a page not found page.
> > >
> > > As I did not find any information regarding this in squid_ldap_auth and
> > > squid_ldap_group I am not able to proceed.
> > >
> > > Thanks
> > > Jack
> > >
> > >
> > > > Yes.
> > > >
> > > > The squid_ldap_group only performs group membership lookups and needs an
> > > > authentication method defined to allow the user to log in. To use LDAP
> > > > authentication you will also need to configure Squid to use
> > > > squid_ldap_auth for authentication, and squid_ldap_group for group
> > > > membership verifications.
> > > >
> > > > See the auth_param directive and the squid_ldap_auth basic authentication
> > > > helper.
> > > >
> > > > Regards
> > > > Henrik
> > > >
> > > >
> > > > On Fri, 25 Oct 2002, Jack wrote:
> > > >
> > > > > Hello Henrik,
> > > > >
> > > > > Thanks,
> > > > > When I configured the proxy in the browser and tried to browse I did not
> > > > > get an authentication window.
> > > > >
> > > > > Do I need to configure an LDAP authentication program?
> > > > >
> > > > > Regards
> > > > > Jack
> > > > >
> > > > > > Sorry, the acl line should obviously read
> > > > > >
> > > > > > acl ou_testing external ldapou Testing
> > > > > >
> > > > > > Regards
> > > > > > Henrik
> > > > > >
> > > > > >
> > > > > > Jack wrote:
> > > > > > > Hello Henrik,
> > > > > > >
> > > > > > > When I ran squid after changing the squid configuration according to
> > > > > > > your guide I got the following error:
> > > > > > >
> > > > > > > 2002/10/24 19:08:41| squid.conf line 1287: acl ou_testing ldapou Testing
> > > > > > > 2002/10/24 19:08:41| aclParseAclLine: Invalid ACL type 'ldapou'
> > > > > > > 2002/10/24 19:08:41| squid.conf line 1766: http_access allow ldapou
> > > > > > > 2002/10/24 19:08:41| aclParseAccessLine: ACL name 'ldapou' not found.
> > > > > > > 2002/10/24 19:08:41| squid.conf line 1766: http_access allow ldapou
> > > > > > > 2002/10/24 19:08:41| aclParseAccessLine: Access line contains no ACL's, skipping
> > > > > > >
> > > > > > > I compiled squid with the following configuration options:
> > > > > > >
> > > > > > > ./configure --prefix=/usr/local/squid25S1 --enable-snmp --enable-ssl --enable-external-acl-helpers="ldap_group"
> > > > > > >
> > > > > > > How do I set the acl for ldap_group?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Jack
> > > > > > >
> > > > > > > > The -f argument to squid_ldap_group needs to contain special codes
> > > > > > > > referring to the login or group names. The correct external_acl_type
> > > > > > > > line reads:
> > > > > > > >
> > > > > > > > external_acl_type ldapou %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "dc=xxx,dc=com" -f "(&(uid=%v)(ou=%a))" -h localhost
> > > > > > > >
> > > > > > > > acl ou_testing ldapou Testing
> > > > > > > >
> > > > > > > > These magic codes are documented in the squid_ldap_group documentation
> > > > > > > > shipped with Squid.
> > > > > > > >
> > > > > > > > Regards
> > > > > > > > Henrik Nordström
> > > > > > >
> > > > > > > __________________________________________________
> > > > > > > Do You Yahoo!?
> > > > > > > Everything you'll ever need on one web page
> > > > > > > from News and Sport to Email and Music Charts
> > > > > > > http://uk.my.yahoo.com
> > > > >
> > > > >
> > >
> > >
>

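As an added example, not code from the thread or from Squid, the following Python model replays Squid's first-match http_access evaluation against the two rule orderings discussed above; the in-memory directory, the user names and the helper function are assumptions standing in for a real LDAP server and squid_ldap_group.

```python
# Added example (not code from the thread or from Squid): a model of Squid's
# http_access first-match evaluation, replayed against a constructed directory.
# The hypothetical helper stands in for squid_ldap_group invoked with
# -f "(&(uid=%v)(ou=%a))", where %v is the login and %a the acl argument.

# Constructed sample directory: uid -> OU (assumption, not real data).
DIRECTORY = {"alice": "Testing", "bob": "Sales", "carol": "Testing"}


def ldap_group_helper(login, group):
    """Emulates the helper's reply: 'OK' if login is in the OU, else 'ERR'."""
    return "OK" if DIRECTORY.get(login) == group else "ERR"


def acl_matches(name, acls, login):
    """Evaluate one acl for a request; login is None when nobody is logged in."""
    kind, arg = acls[name]
    if kind == "proxy_auth":   # REQUIRED matches every authenticated user
        return login is not None
    if kind == "external":     # external_acl_type with %LOGIN forces a login
        return login is not None and ldap_group_helper(login, arg) == "OK"
    if kind == "all":
        return True
    raise ValueError(f"Invalid ACL type '{kind}'")


def http_access(rules, acls, login):
    """The first http_access line whose acls all match decides the request."""
    for action, names in rules:
        if all(acl_matches(n, acls, login) for n in names):
            return action
    return "deny"              # fallback; unreachable when rules end in deny all


ACLS = {
    "ldapauth": ("proxy_auth", "REQUIRED"),
    "ou_testing": ("external", "Testing"),
    "all": ("all", None),
}

# Jack's first ordering: 'allow ldapauth' matches before the group check runs.
BROKEN = [("allow", ["ldapauth"]), ("allow", ["ou_testing"]), ("deny", ["all"])]
# Henrik's advice: drop the proxy_auth allow and let %LOGIN drive authentication.
FIXED = [("allow", ["ou_testing"]), ("deny", ["all"])]


def decisions(rules):
    """Map every known user to the decision the given rule order produces."""
    return {user: http_access(rules, ACLS, user) for user in DIRECTORY}
```

Calling decisions(BROKEN) grants bob access despite his OU; decisions(FIXED) denies him while alice and carol stay allowed.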
Received on Fri Oct 25 2002 - 21:58:27 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:55 MST