Re: [squid-users] Syntax Correct group_ldap_auth ?

From: Michael Fuller / Hotmail <fullerms@dont-contact.us>
Date: Fri, 8 Nov 2002 14:49:08 +0530

Hello Henrik,

I followed the syntax given in this message, but no luck. The command line
output from ldapsearch and squid_ldap_group are pasted below for reference.
Can you please tell me where I am going wrong?

----------------------------ldapsearch-----------------------

[root@rhmail root]# ldapsearch -x -b "O=Southern Railway" "(&(member=cn=dycsteofc,O=Southern Railway)(objectclass=groupofNames))" cn
version: 2
#
# filter: (&(member=cn=dycsteofc,O=Southern Railway)(objectclass=groupofNames))
# requesting: cn
#
# browsers, Southern Railway
dn: cn=browsers,o=Southern Railway
cn: browsers
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

-----------------------------------squid_ldap_group----------------------------

[root@rhmail root]# /usr/local/squid/libexec/squid_ldap_group -b "O=Southern Railway" -f "(&(member=cn=%v,*)(objectclass=groupofNames))" -d 255
dycsteofc browsers
Binding OK
filter (&(member=cn=dycsteofc,*)(objectclass=groupofNames))
Binding OK
filter (&(member=cn=dycsteofc,*)(objectclass=groupofNames))
ERR

Regards,
Michael Fuller
----- Original Message -----
From: "ROUTIER Gilles" <gilles.routier@cicoa.cnamts.fr>
To: "Henrik Nordstrom" <hno@squid-cache.org>
Cc: "Squid Users" <squid-users@squid-cache.org>
Sent: Friday, November 08, 2002 12:27 AM
Subject: Re: [squid-users] Syntax Correct group_ldap_auth ?
> Henrik Nordstrom wrote:
>
> > The command line tool ldapsearch (part of OpenLDAP) is a good tool for
> > experimenting with various LDAP Search filters.
>
> If I use ldapsearch (part of OpenLDAP) on the squid proxy
>
> =>ldapsearch -x -b "ou=public,ou=cicoa,o=cnamts,c=fr" cn=GR-I-CICOA -h hermes1.cicoa.cnamts.fr -p 389
> => Response :
> version: 2
>
> #
> # filter: cn=GR-I-CICOA
> # requesting: ALL
> #
>
> # GR-I-CICOA, public, cicoa, cnamts, fr
> dn: cn=GR-I-CICOA,ou=public, ou=cicoa, o=cnamts, c=fr
> objectclass: top
> objectclass: groupOfUniqueNames
> objectclass: mailGroup
> cn: GR-I-CICOA
> description: Groupe Internet du CICOA
> mail: GR-I-CICOA@cicoa.cnamts.fr
> uniquemember: uid=ROUTIER-00138, ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=GUILLOTIN-00185,ou=Public,ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=LAUBAT-00170, ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=HEMERY-00078, ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=BENOIT-00048, ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=BOUVIER-00056, ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=ROSE-00053, ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=OLIVAUX-00105, ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=GALLOU-00502, ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=INTERNET.CEIR-00001,ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=INTERNET.CNF-00001,ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=INTERNET.PROD-00001,ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=INTERNET.SIEGE-00001,ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=peyraud-00163,ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=GARCIA-00153,ou=Public,ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=CHARLUET-00035, ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=BRAULT-00020, ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=TUFFERY-00521,ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=SAULOU-00169, ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=assist.dir-00001,ou=public, ou=cicoa, o=cnamts, c=fr
> uniquemember: uid=HOUILLOT-00728, ou=public, ou=cicoa, o=cnamts, c=fr
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> >
> > Regards
> > Henrik
> >
> > Thu 2002-11-07 at 19.01, ROUTIER Gilles wrote:
> > > Thank you again, Henrik,
> > >
> > > The authentication works, because if I make a mistake in the password, it asks me again to authenticate.
> > > On the other hand, if the authentication is good, it sends me back "Access Denied".
> > >
> > > My squid.conf
> > > auth_param basic program /usr/lib/squid/squid_ldap_auth -u uid -b
> > > ou=public,ou=cicoa,o=cnamts,c=fr -h hermes1.cicoa.cnamts.fr -p 389
> > > auth_param basic children 5
> > > auth_param basic realm Squid proxy-caching web server
> > > auth_param basic credentialsttl 2 hours
> > >
> > > external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b
> > > "ou=public,ou=cicoa,o=cnamts,c=fr" -f "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))"
> > > -h hermes1.cicoa.cnamts.fr -p 389
> > >
> > > acl group_Internet external ldapgroup GR-I-CICOA
> > > http_access allow group_Internet
> > > http_access deny all
> > >
> > > My access.log
> > > 1036690720.508    355 55.7.6.13 TCP_DENIED/407 1922 GET http://55.5.20.100/ sdfsdf NONE/- text/html
> > > 1036690727.644    801 55.7.6.13 TCP_DENIED/403 1466 GET http://55.5.20.100/ routier-00138 NONE/- text/html
> > >
> > > Henrik Nordstrom wrote:
> > >
> > > > And why are you using group_ldap_auth? group_ldap_auth is not an
> > > > external_acl helper, it is a helper to the "LDAP Group auth patch".
> > > >
> > > > The external_acl LDAP group helper is squid_ldap_group
> > > >
> > > > Regarding the group name: The best way to supply group names to
> > > > squid_ldap_group is via the acl definition.
> > > >
> > > > external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b
> > > > "ou=public,ou=cicoa,o=cnamts,c=fr" -f
> > > > "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))" -h
> > > > hermes1.cicoa.cnamts.fr
> > > >
> > > > acl group_Internet external ldapgroup Internet
> > > >
> > > > But to tell if the filter is correct you need to look at how your group
> > > > LDAP objects are constructed. This is best done with the ldapsearch
> > > > command.
> > > >
> > > > Regards
> > > > Henrik
> > > >
> > > > Thu 2002-11-07 at 16.16, ROUTIER Gilles wrote:
> > > > > Thanks Henrik.
> > > > >
> > > > > My browser does indeed ask me for authentication, but it sends me back "access denied"
> > > > > even though I am indeed a member of the Internet group.
> > > > >
> > > > > A question, Henrik:
> > > > > Where do I define the name of the group in which to do the search?
> > > > > I want only the users belonging to the Internet group to have access to the proxy.
> > > > >
> > > > > My squid.conf
> > > > > auth_param basic program /usr/lib/squid/squid_ldap_auth -u uid -b
> > > > > ou=public,ou=cicoa,o=cnamts,c=fr -h hermes1.cicoa.cnamts.fr -p 389
> > > > > auth_param basic children 5
> > > > > auth_param basic realm Squid proxy-caching web server
> > > > > auth_param basic credentialsttl 2 hours
> > > > >
> > > > > external_acl_type ldapou %LOGIN /usr/lib/squid/group_ldap_auth -b
> > > > > "ou=public,ou=cicoa,o=cnamts,c=fr" -f
> > > > > "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))" -h hermes1.cicoa.cnamts.fr -p 389
> > > > >
> > > > > acl ou_Testing external ldapou GR-I-CICOA
> > > > > http_access allow ou_Testing
> > > > > http_access deny all
> > > > >
> > > > > INFO: The real name of the group in my LDAP DB is GR-I-CICOA
> > > > >
> > > > > THANKS FOR ALL HENRIK !
> > > > >
> > > > > Henrik Nordstrom wrote:
> > > > >
> > > > > > Thu 2002-11-07 at 14.39, ROUTIER Gilles wrote:
> > > > > >
> > > > > > > I would like to use group_ldap_auth.
> > > > > > > I have a group named INTERNET, and I would like only the members of this
> > > > > > > group to be able to reach the proxy.
> > > > > > > But I do not know where to specify the name of the group.
> > > > > > > Can you tell me if the syntax is correct?
> > > > > >
> > > > > > It depends on what your LDAP group objects look like.
> > > > > >
> > > > > > > external_acl_type ldapou %LOGIN /usr/lib/squid/group_ldap_auth -b
> > > > > > > "ou=public,ou=cicoa,o=cnamts,c=fr" -f "(&(cn=INTERNET)(uid=%v)(ou=%a))" -h
> > > > > > > hermes1.cicoa.cnamts.fr -p 389
> > > > > >
> > > > > > Your filter does not look right. "(&(cn=%v)(uid=%v))" might work, but
> > > > > > more likely the group filter you are after looks something like
> > > > > > "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))".
> > > > > >
> > > > > > What is the output of
> > > > > >
> > > > > >   ldapsearch -x -b "ou=public,ou=cicoa,o=cnamts,c=fr" cn=INTERNET
> > > > > >
> > > > > > Regards
> > > > > > Henrik Nordström
> > > > > > MARA Systems AB, Sweden
>
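An example added here (not code from the thread, from Squid, or from the squid_ldap_group helper) that replays the two ldapsearch results quoted above offline: it parses that LDIF, expands a squid_ldap_group-style -f template with %v replaced by the login name, escaped per RFC 4515 so a crafted login cannot add terms to the filter, and evaluates the thread's filters against the entries. It treats member and uniquemember as DN-syntax attributes, which have an equality matching rule but no substring rule, so the "cn=%v,*" form can never match; the entry data is constructed from the quoted output, with the browsers group's member value assumed from the exact-DN filter that matched it.

```python
import re
# Constructed sample, abridged from the two ldapsearch results quoted in this thread; the
# "browsers" search asked for cn only, so its member value is assumed from the filter that matched it.
LDIF = """\
dn: cn=browsers,o=Southern Railway
objectclass: groupofNames
cn: browsers
member: cn=dycsteofc,O=Southern Railway

dn: cn=GR-I-CICOA,ou=public, ou=cicoa, o=cnamts, c=fr
objectclass: groupOfUniqueNames
cn: GR-I-CICOA
uniquemember: uid=ROUTIER-00138, ou=public, ou=cicoa, o=cnamts, c=fr
uniquemember: uid=GARCIA-00153,ou=Public,ou=cicoa, o=cnamts, c=fr
"""
DN_ATTRS = {"member", "uniquemember"}  # DN syntax: equality match only, no "...,*" substring

def parse_ldif(text):
    """Entries as dicts of lower-cased attribute -> list of values; a blank line ends an entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.startswith("#"):        # skip ldapsearch comment lines
                attr, _, val = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(val.strip())
        entries.append(entry)
    return entries

def norm_dn(dn):
    # DN comparison form: case-insensitive, spaces around RDN separators ignored
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def escape_filter_value(value):
    # RFC 4515 escaping, so a crafted login name cannot add terms to the filter
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def matches(entry, filt):
    """Evaluate the AND-of-equalities filter shape used in the thread: (&(a=v)(b=w)...)."""
    for attr, want in re.findall(r"\(([^=()]+)=([^()]*)\)", filt):
        have = entry.get(attr.lower(), [])
        cmp = norm_dn if attr.lower() in DN_ATTRS else str.lower   # DNs: exact match only
        if not any(cmp(h) == cmp(want) for h in have):
            return False
    return True

def groups_matching(template, user, ldif=LDIF):
    """Expand the -f template (%v = login name, as the -d 255 output shows) and list matching cn's."""
    filt = template.replace("%v", escape_filter_value(user))
    return [e["cn"][0] for e in parse_ldif(ldif) if matches(e, filt)]
```

Run against the thread's own templates, groups_matching returns nothing for the "(member=cn=%v,*)" form that produced ERR above and nothing for a groupOfNames/member filter against GR-I-CICOA, which the quoted output shows is a groupOfUniqueNames with uniquemember values; an exact-DN member filter, or a uniquemember filter for that group, finds the group.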
Received on Fri Nov 08 2002 - 02:20:59 MST
