Re: [squid-users] SOLUTION Syntax Correct group_ldap_auth !

From: Michael Fuller / Hotmail <fullerms@dont-contact.us>
Date: Sat, 9 Nov 2002 13:25:35 +0530

And thanks to you ROUTIER, I got my config right too. I had to make one
change, though.

external_acl_type ldapgroup %LOGIN
/usr/local/squid/libexec/squid_ldap_group -b "O=Southern Railway" -f
"(&(cn=%a)(member=cn=%v,O=Southern Railway)(objectClass=groupOfNames))" -h
10.5.2.191
                            ^^^^^^^^^^^^^^^^
Can somebody tell me why I need to add the base DN after member=cn=%v ?

Some more questions,

1. With the same setup (squid + ldap), is it possible to tie a user to a
particular IP address? Like force him to authenticate only from a particular
machine?
2. Can I limit the time per day? For example, allow him to browse for one
hour between 10:00 and 17:00 hrs, Monday to Friday.

3. I constructed an acl to permit a user only between 12:30 and 14:00 hrs on
Monday - Friday. Then I tried to display a custom error message,
but it is not working. Can somebody help? The config is as follows:

acl ldap_lunchbrowse external ldapgroup lunchbrowsers --- works fine
acl permit_lunchtime time MTWHF 12:30-14:00 --- works fine
deny_info ERR_LUNCH_TIME ldap_lunchbrowse --- no luck

http_access allow ldap_lunchbrowse permit_lunchtime --- works without the
custom error message.

Sincere thanks to Henrik for his patience with me :-) Thanks to your help I
am now able to get my basic setup going, and am looking forward to replacing
our MS Proxy server with Squid 2.5.

Regards,
Michael Fuller
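On question 3, an added toy model in Python (not Squid code) of how Squid matches an `acl ... time` and chooses a deny_info page. Two things it shows. In Squid's day letters S is Sunday and A is Saturday (D is Monday to Friday), so a Monday to Friday window is MTWHF. And deny_info is looked up by the last ACL checked on the http_access line that denied the request: an allow line that fails to match denies nothing, the denial comes from a later `http_access deny all`, and the ACL on that line is `all`, so a deny_info keyed on ldap_lunchbrowse is never consulted. A line `http_access deny ldap_lunchbrowse !permit_lunchtime` together with `deny_info ERR_LUNCH_TIME permit_lunchtime` is the usual way to get the custom page. The ACL names are the post's own; the trailing deny all line and the exclusive end of the time range are assumptions of this example.

```python
from datetime import datetime, time

# Squid's day letters (squid.conf.documented): S=Sunday, M=Monday,
# T=Tuesday, W=Wednesday, H=Thursday, F=Friday, A=Saturday, D=Mon-Fri.
# Values are Python's datetime.weekday() numbers (Monday=0 ... Sunday=6).
DAY_LETTERS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


def parse_time_acl(spec):
    """Parse the argument of `acl NAME time SPEC`, e.g. 'MTWHF 12:30-14:00'.
    Either part may be left out, as in Squid: no day list means every day,
    no range means the whole day. Returns (weekdays, start, end)."""
    days, start, end = set(range(7)), time(0, 0), time(23, 59)
    for part in spec.split():
        if ":" in part:
            lo, hi = part.split("-")
            start = time(*map(int, lo.split(":")))
            end = time(*map(int, hi.split(":")))
        else:
            days = set()
            for letter in part:
                if letter == "D":
                    days.update(range(5))
                else:
                    days.add(DAY_LETTERS[letter])
    return days, start, end


def time_acl_matches(spec, when):
    """Does time ACL `spec` match at `when` (datetime or ISO string)?
    Assumption: the end minute is exclusive, so 14:00 itself is outside a
    12:30-14:00 range; check the acl code of your Squid if that matters."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    days, start, end = parse_time_acl(spec)
    return when.weekday() in days and start <= when.time() < end


def http_access(lines, acl_value, deny_info):
    """Walk http_access lines the way Squid does.
    lines:     [(action, [term, ...])], a term may be '!'-negated
    acl_value: function mapping an ACL name to True/False for this request
    deny_info: {acl name: error page}, i.e. the deny_info directives
    The first line whose every term matches decides; if none matches, the
    opposite of the last line's action applies. On a deny, the error page
    is looked up by the last ACL name checked on the deciding line, which
    is the ACL a deny_info directive has to name."""
    last_checked, action = None, "allow"
    for action, terms in lines:
        matched = True
        for term in terms:
            name = term.lstrip("!")
            last_checked = name
            value = acl_value(name)
            if term.startswith("!"):
                value = not value
            if not value:
                matched = False
                break
        if matched:
            break
    else:
        action = "deny" if action == "allow" else "allow"
    if action == "allow":
        return True, None
    return False, deny_info.get(last_checked, "ERR_ACCESS_DENIED")


def decide(config, in_group, when):
    """Outcome for a request at `when` from a user whose ldapgroup lookup
    (the external ACL) returned in_group: (allowed, error page or None)."""
    lines, deny_info = config

    def acl_value(name):
        if name == "ldap_lunchbrowse":      # external ldapgroup lunchbrowsers
            return in_group
        if name == "permit_lunchtime":      # time MTWHF 12:30-14:00
            return time_acl_matches("MTWHF 12:30-14:00", when)
        if name == "all":
            return True
        raise KeyError(name)

    return http_access(lines, acl_value, deny_info)


# The posted rules: deny_info keyed on the group ACL, the allow line followed
# by the usual catch-all (the catch-all is assumed; it is not in the post).
POSTED = (
    [("allow", ["ldap_lunchbrowse", "permit_lunchtime"]),
     ("deny", ["all"])],
    {"ldap_lunchbrowse": "ERR_LUNCH_TIME"},
)

# A deny line that fires exactly for a group member outside lunch, with
# deny_info keyed on the ACL that line checks last.
FIXED = (
    [("deny", ["ldap_lunchbrowse", "!permit_lunchtime"]),
     ("allow", ["ldap_lunchbrowse"]),
     ("deny", ["all"])],
    {"permit_lunchtime": "ERR_LUNCH_TIME"},
)

if __name__ == "__main__":
    monday_afternoon = "2002-11-11 15:00"
    print("posted:", decide(POSTED, True, monday_afternoon))   # ERR_ACCESS_DENIED
    print("fixed: ", decide(FIXED, True, monday_afternoon))    # ERR_LUNCH_TIME
```

Without the catch-all the posted config still never shows ERR_LUNCH_TIME: the implicit "opposite of the last line" denial is keyed on permit_lunchtime, and the posted deny_info names ldap_lunchbrowse.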

----- Original Message -----
From: "ROUTIER Gilles" <gilles.routier@cicoa.cnamts.fr>
To: "Henrik Nordstrom" <hno@squid-cache.org>
Cc: "Squid User" <squid-users@squid-cache.org>; "Cesar Gomes"
<Cesar.Gomes@lintec.com.br>; "Michael Fuller" <fullerms@hotmail.com>
Sent: Friday, November 08, 2002 7:08 PM
Subject: Re: [squid-users] SOLUTION Syntax Correct group_ldap_auth !

> Thanks for everything, Henrik,
> I've found the solution in the squid_ldap_group.8 documentation:
> //////////////////////////////
> .BI "-f " filter
> LDAP search filter used to search the LDAP directory for any
> matching group memberships.
> .BR
> In the filter %v will be replaced by the user login name
> and %a by the requested group name.
> ///////////////////////////////
>
> The cn is not %v but %a and the uniquemember is not %d but %v.
>
> SO THE GOOD SYNTAX IS:
> external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b
> "ou=public,ou=cicoa,o=cnamts,c=fr" -f
> "(&(cn=%a)(uniquemember=uid=%v,*)(objectclass=groupOfUniqueNames))" -h
> hermes1.cicoa.cnamts.fr -p 389
>
> THE BAD SYNTAX:
> external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b
> "ou=public,ou=cicoa,o=cnamts,c=fr" -f
> "(&(cn=%v)(uniquemember=uid=%d,*)(objectclass=groupOfUniqueNames))" -h
> hermes1.cicoa.cnamts.fr -p 389
>
> Thanks for everything!
> Regards
> Gilles
>
> Henrik Nordstrom wrote:
>
> > On Thu 2002-11-07 at 14:39, ROUTIER Gilles wrote:
> >
> > > I would like to use group_ldap_auth.
> > > I have a group named INTERNET, and I would like only the persons of
> > > this group to be able to reach the Proxy.
> > > But I do not know where to specify the name of the group?
> > > Can you tell me if the syntax is correct?
> >
> > It depends on what your LDAP group objects looks like.
> >
> > > external_acl_type ldapou %LOGIN /usr/lib/squid/group_ldap_auth -b
> > > "ou=public,ou=cicoa,o=cnamts,c=fr" -f
> > > "(&(cn=INTERNET)(uid=%v)(ou=%a))" -h
> > > hermes1.cicoa.cnamts.fr -p 389
> >
> > Your filter does not look right. "(&(cn=%v)(uid=%v))" might work, but
> > more likely the group filter you are after looks something like
> > "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))".
> >
> > What is the output of
> >
> > ldapsearch -x -b "ou=public,ou=cicoa,o=cnamts,c=fr" cn=INTERNET
> >
> > Regards
> > Henrik Nordström
> > MARA Systems AB, Sweden
>
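An added example of the helper side of what this thread settles on: a toy in Python, not squid_ldap_group's code, that expands a -f template the way the man page text quoted above describes (%v = login, %a = group), evaluates the resulting filter against a couple of constructed group entries, and answers OK/ERR the way an external_acl_type helper does. It also shows why the base DN has to follow cn=%v in Michael's filter: member (groupOfNames) and uniqueMember (groupOfUniqueNames) store each member's full DN, so an equality term has to contain the full DN to match. Gilles's uid=%v,* gets the same effect with a substring term, which not every server evaluates on a DN-valued attribute; running ldapsearch with the expanded filter, as Henrik suggests, is the quickest way to see what your server does. Escaping the login is this example's own choice; whether the helper build you run escapes filter metacharacters in the login is worth checking, because an unescaped '*' or ')' changes the search, as the last two calls show. The -b base DN is not modelled and the directory entries are made up.

```python
import re

# Filter templates quoted in the thread. squid_ldap_group replaces %v with
# the login Squid passed (%LOGIN) and %a with the group name given as the
# acl argument.
RAILWAY_TEMPLATE = '(&(cn=%a)(member=cn=%v,O=Southern Railway)(objectClass=groupOfNames))'
CNAMTS_TEMPLATE = '(&(cn=%a)(uniquemember=uid=%v,*)(objectclass=groupOfUniqueNames))'
# Same as RAILWAY_TEMPLATE but without the base DN after cn=%v.
BARE_CN_TEMPLATE = '(&(cn=%a)(member=cn=%v)(objectClass=groupOfNames))'

# Constructed sample group entries, not taken from either site's directory.
# member and uniquemember hold full DNs, which is what an equality term on
# them has to contain; 'cn=fullerms' alone is not a value of member.
DIRECTORY = [
    {'cn': ['lunchbrowsers'],
     'objectClass': ['top', 'groupOfNames'],
     'member': ['cn=fullerms,O=Southern Railway', 'cn=jdoe,O=Southern Railway']},
    {'cn': ['INTERNET'],
     'objectClass': ['top', 'groupOfUniqueNames'],
     'uniquemember': ['uid=gilles,ou=public,ou=cicoa,o=cnamts,c=fr']},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value pasted into a filter: '*', '(', ')',
    backslash and NUL become \\xx, so a login cannot change the filter."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\0' else c for c in value)


def unescape_filter_value(value):
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template, login, group, escape=True):
    """Expand %v and %a as the squid_ldap_group.8 text quoted above says.
    escape=False shows what a helper that pastes the login in raw would send."""
    if escape:
        login, group = escape_filter_value(login), escape_filter_value(group)
    return template.replace('%v', login).replace('%a', group)


TERM = re.compile(r'\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)')


def value_matches(pattern, value):
    """Equality or substring match for one term: an unescaped '*' is a
    wildcard, escaped characters are literal, comparison is case-insensitive."""
    pieces = [re.escape(unescape_filter_value(p)) for p in pattern.split('*')]
    return re.fullmatch('.*'.join(pieces), value, re.IGNORECASE) is not None


def entry_matches(filt, entry):
    """Evaluate an AND of simple terms, the only filter shape on this page,
    against one entry given as {attribute: [values]}."""
    if not (filt.startswith('(&') and filt.endswith(')')):
        raise ValueError('unsupported filter: ' + filt)
    body = filt[2:-1]
    terms = TERM.findall(body)
    if ''.join('(%s=%s)' % t for t in terms) != body:
        raise ValueError('unsupported filter: ' + filt)
    attrs = {k.lower(): v for k, v in entry.items()}
    return all(any(value_matches(pat, v) for v in attrs.get(a.lower(), []))
               for a, pat in terms)


def is_member(template, login, group, directory=DIRECTORY, escape=True):
    """True when the search the helper would issue returns an entry.
    The -b base DN only scopes the search and is not modelled."""
    filt = build_filter(template, login, group, escape)
    return any(entry_matches(filt, e) for e in directory)


def helper_reply(line, template, directory=DIRECTORY):
    """One round of the external_acl_type protocol: Squid writes
    '<login> <group> [<group> ...]' (the %LOGIN value followed by the acl's
    arguments); the helper answers OK if any group matches, else ERR."""
    login, *groups = line.split()
    return 'OK' if any(is_member(template, login, g, directory) for g in groups) else 'ERR'


if __name__ == '__main__':
    print(build_filter(RAILWAY_TEMPLATE, 'fullerms', 'lunchbrowsers'))
    print(helper_reply('fullerms lunchbrowsers', RAILWAY_TEMPLATE))   # OK
    print(is_member(BARE_CN_TEMPLATE, 'fullerms', 'lunchbrowsers'))   # False
    # A login of '*' pasted in raw turns the member term into a wildcard:
    print(is_member(RAILWAY_TEMPLATE, '*', 'lunchbrowsers', escape=False))  # True
    print(is_member(RAILWAY_TEMPLATE, '*', 'lunchbrowsers'))                # False
```

The expanded string printed first is exactly what to feed `ldapsearch -x -b <base> '<filter>'` on the server to check a filter before wiring it into squid.conf.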
Received on Sat Nov 09 2002 - 00:56:44 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:15 MST