Thanks for all Henrik,
I've found the solution in squid_ldap_group.8 Documentation :
//////////////////////////////
.BI "-f " filter
LDAP search filter used to search the LDAP directory for any
matching group memberships.
.BR
In the filter %v will be replaces by the user login name
and %a by the requested group name.
///////////////////////////////
The cn is not %v but %a and the uniquemember is not %d but %v.
SO THE GOOD SYNTAX IS :
external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b
"ou=public,ou=cicoa,o=cnamts,c=fr" -f
"(&(cn=%a)(uniquemember=uid=%v,*)(objectclass=groupOfUniqueNames))" -h
hermes1.cicoa.cnamts.fr -p 389
THE BAD SYNTAX :
external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b
"ou=public,ou=cicoa,o=cnamts,c=fr" -f
"(&(cn=%v)(uniquemember=uid=%d,*)(objectclass=groupOfUniqueNames))" -h
hermes1.cicoa.cnamts.fr -p 389
Thanks for all !
Regards
Gilles
Henrik Nordstrom a écrit :
> tor 2002-11-07 klockan 14.39 skrev ROUTIER Gilles:
>
> > I would like tu use group_ldap_auth
> > I have a group which names INTERNET, and I would want that only the persons of this
> > group can reach Proxy.
> > But, I do not know or to specify the name of the group ?
> > You can say to me if the syntax is correct?
>
> It depends on what your LDAP group objects looks like.
>
> > external_acl_type ldapou %LOGIN /usr/lib/squid/group_ldap_auth -b
> > "ou=public,ou=cicoa,o=cnamts,c=fr" -f "(&(cn=INTERNET)(uid=%v)(ou=%a))" -h
> > hermes1.cicoa.cnamts.fr -p 389
>
> Your filter does not look right. "(&(cn=%v)(uid=%v))" might work, but
> more likely the group filter you are after looks something like
> "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))".
>
> What is the output of
>
> ldapsearch -x -b "ou=public,ou=cicoa,o=cnamts,c=fr" cn=INTERNET
>
> Regards
> Henrik Nordström
> MARA Systems AB, Sweden
Received on Fri Nov 08 2002 - 06:40:28 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:15 MST