Re: [squid-users] Syntax Correct group_ldap_auth ?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 07 Nov 2002 18:32:33 +0100

And why are you using group_ldap_auth? group_ldap_auth is not an
external_acl helper, it is a helper to the "LDAP Group auth patch".

The external_acl LDAP group helper is squid_ldap_group.

Regarding the group name: The best way to supply group names to
squid_ldap_group is via the acl definition.

external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b
"ou=public,ou=cicoa,o=cnamts,c=fr" -f
"(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))" -h
hermes1.cicoa.cnamts.fr

acl group_Internet external ldapgroup Internet

But to tell if the filter is correct you need to look at how your Group
LDAP objects are constructed. This is best done with the ldapsearch
command.

Regards
Henrik

On Thu 2002-11-07 at 16:16, ROUTIER Gilles wrote:
> Thanks Henrik.
>
> My browser does indeed ask me for authentication, but it sends me back "access denied"
> even though I do belong to the Internet group.
>
> A question, Henrik:
> Where do I define the name of the group in which to do the search?
> I want only the users belonging to the internet group to have access to the proxy.
>
> My squid.conf
> auth_param basic program /usr/lib/squid/squid_ldap_auth -u uid -b
> ou=public,ou=cicoa,o=cnamts,c=fr -h hermes1.cicoa.cnamts.fr -p 389
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> external_acl_type ldapou %LOGIN /usr/lib/squid/group_ldap_auth -b
> "ou=public,ou=cicoa,o=cnamts,c=fr" -f
> "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))" -h hermes1.cicoa.cnamts.fr -p 389
>
> acl ou_Testing external ldapou GR-I-CICOA
> http_access allow ou_Testing
> http_access deny all
>
> INFO: The real name of the group in my LDAP DB is GR-I-CICOA
>
> THANKS FOR ALL HENRIK !
>
> Henrik Nordstrom wrote:
>
> > On Thu 2002-11-07 at 14:39, ROUTIER Gilles wrote:
> >
> > > I would like to use group_ldap_auth
> > > I have a group which is named INTERNET, and I would like only the persons of this
> > > group to be able to reach the proxy.
> > > But I do not know where to specify the name of the group?
> > > Can you tell me if the syntax is correct?
> >
> > It depends on what your LDAP group objects look like.
> >
> > > external_acl_type ldapou %LOGIN /usr/lib/squid/group_ldap_auth -b
> > > "ou=public,ou=cicoa,o=cnamts,c=fr" -f "(&(cn=INTERNET)(uid=%v)(ou=%a))" -h
> > > hermes1.cicoa.cnamts.fr -p 389
> >
> > Your filter does not look right. "(&(cn=%v)(uid=%v))" might work, but
> > more likely the group filter you are after looks something like
> > "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))".
> >
> > What is the output of
> >
> > ldapsearch -x -b "ou=public,ou=cicoa,o=cnamts,c=fr" cn=INTERNET
> >
> > Regards
> > Henrik Nordström
> > MARA Systems AB, Sweden
Received on Thu Nov 07 2002 - 10:31:49 MST
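
The filter check discussed in this message, as an added example (not code from the thread or from Squid): it expands the filter template and evaluates it against constructed groupOfNames entries, showing that the group name on the acl line must match the entry's cn. Assumptions: %v expands to the group name and %d to the login name, as the filter's shape implies; matching is simplified to case-insensitive flat AND filters; the RFC 4515 escaping is this example's own safeguard.

```python
import re

# Filter from the message. Assumption: %v expands to the group name on the
# acl line and %d to the login name, as the filter's shape implies.
TEMPLATE = "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))"

# Constructed sample entries (not the poster's directory), keys lower-cased.
GROUPS = [
    {"cn": ["GR-I-CICOA"], "objectclass": ["groupOfNames"],
     "member": ["uid=jdoe,ou=public,ou=cicoa,o=cnamts,c=fr"]},
    {"cn": ["Internet"], "objectclass": ["groupOfNames"],
     "member": ["uid=asmith,ou=public,ou=cicoa,o=cnamts,c=fr"]},
]

def escape(value):
    """RFC 4515 escaping, so a supplied name cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, group, user):
    """Substitute both placeholders in one pass."""
    pick = lambda m: escape(group if m.group(0) == "%v" else user)
    return re.sub(r"%[vd]", pick, template)

def unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def item_matches(item, entry):
    """Equality or substring match; only an unescaped '*' is a wildcard."""
    attr, _, pattern = item.partition("=")
    regex = ".*".join(re.escape(unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.I | re.S)
               for v in entry.get(attr.lower(), []))

def matches(flt, entry):
    """Evaluate a flat (&(a=b)(c=d)...) filter, the shape used above."""
    outer = re.fullmatch(r"\(&(.*)\)", flt)
    if not outer:
        raise ValueError("only flat AND filters are supported")
    return all(item_matches(i, entry)
               for i in re.findall(r"\(([^()]*)\)", outer.group(1)))

def in_group(user, group):
    flt = expand(TEMPLATE, group, user)
    return any(matches(flt, entry) for entry in GROUPS)

if __name__ == "__main__":
    for user, group in [("jdoe", "GR-I-CICOA"), ("jdoe", "Internet")]:
        print(user, group, expand(TEMPLATE, group, user), in_group(user, group))
```

Against a real directory, the same expanded filter string can be passed to ldapsearch with the -b base from the message to see which group entries it returns.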
