Re: [squid-users] SOLUTION Syntax Correct group_ldap_auth !

From: Henrik Nordström <hno@dont-contact.us>
Date: Sat, 9 Nov 2002 09:57:44 +0100 (CET)

deny_info looks at the last acl used on the http_access line.

Why you need to have the full DN in your search pattern is most likely a
limitation in your LDAP server, not allowing pattern searches on the
member attribute.

There is an update to squid_ldap_group in the pipeline, which will do group
lookups based on the user's full DN by first constructing a full user DN as
done by squid_ldap_auth and then searching your groups for this DN.

Regards
Henrik

On Sat, 9 Nov 2002, Michael Fuller / Hotmail wrote:

> And thanks to you ROUTIER, I got my config also right. I had to make one
> change, though.
>
> external_acl_type ldapgroup %LOGIN
> /usr/local/squid/libexec/squid_ldap_group -b "O=Southern Railway" -f
> "(&(cn=%a)(member=cn=%v,O=Southern Railway)(objectClass=groupOfNames))" -h
> 10.5.2.191
> ^^^^^^^^^^^^^^^^
> Can somebody tell me why I need to add the base dn after member=cn=%v ?
>
> Some more questions,
>
> 1. With the same setup (squid + ldap), is it possible to tie a user to a
> particular IP address? Like forcing him to authenticate only from a
> particular machine?
> 2. Can I limit the time per day? For example, allow him to browse for one
> hour between 10:00 and 17:00 hrs, Monday to Friday.
>
> 3. I constructed an acl to permit a user only between 12.30 and 14.00 hrs on
> Monday - Friday. Then I tried to display a custom error message,
> but it is not working. Can somebody help? The config is as follows:
>
> acl ldap_lunchbrowse external ldapgroup lunchbrowsers --- works fine
> acl permit_lunchtime time MTWHFS 12:30-14:00 --- works fine
> deny_info ERR_LUNCH_TIME ldap_lunchbrowse --- no luck
>
> http_access allow ldap_lunchbrowse permit_lunchtime --- works without the
> custom error message.
>
> Sincere thanks to Henrik for his patience with me :-) Thanks to your help I
> am now able to get my basic setup going, and am looking forward to replacing
> our MS Proxy server with Squid 2.5.
>
> Regards,
> Michael Fuller
>
> ----- Original Message -----
> From: "ROUTIER Gilles" <gilles.routier@cicoa.cnamts.fr>
> To: "Henrik Nordstrom" <hno@squid-cache.org>
> Cc: "Squid User" <squid-users@squid-cache.org>; "Cesar Gomes"
> <Cesar.Gomes@lintec.com.br>; "Michael Fuller" <fullerms@hotmail.com>
> Sent: Friday, November 08, 2002 7:08 PM
> Subject: Re: [squid-users] SOLUTION Syntax Correct group_ldap_auth !
>
>
> > Thanks for all Henrik,
> > I've found the solution in squid_ldap_group.8 Documentation :
> > //////////////////////////////
> > .BI "-f " filter
> > LDAP search filter used to search the LDAP directory for any
> > matching group memberships.
> > .BR
> > In the filter %v will be replaced by the user login name
> > and %a by the requested group name.
> > ///////////////////////////////
> >
> > The cn is not %v but %a and the uniquemember is not %d but %v.
> >
> > SO THE GOOD SYNTAX IS :
> > external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b
> > "ou=public,ou=cicoa,o=cnamts,c=fr" -f
> > "(&(cn=%a)(uniquemember=uid=%v,*)(objectclass=groupOfUniqueNames))" -h
> > hermes1.cicoa.cnamts.fr -p 389
> >
> > THE BAD SYNTAX :
> > external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b
> > "ou=public,ou=cicoa,o=cnamts,c=fr" -f
> > "(&(cn=%v)(uniquemember=uid=%d,*)(objectclass=groupOfUniqueNames))" -h
> > hermes1.cicoa.cnamts.fr -p 389
> >
> > Thanks for all !
> > Regards
> > Gilles
> >
> > Henrik Nordstrom wrote:
> >
> > > Thu 2002-11-07 at 14.39, ROUTIER Gilles wrote:
> > >
> > > > I would like to use group_ldap_auth.
> > > > I have a group named INTERNET, and I would like only the persons of
> > > > this group to be able to reach the Proxy.
> > > > But I do not know where to specify the name of the group.
> > > > Can you tell me if the syntax is correct?
> > >
> > > It depends on what your LDAP group objects looks like.
> > >
> > > > external_acl_type ldapou %LOGIN /usr/lib/squid/group_ldap_auth -b
> > > > "ou=public,ou=cicoa,o=cnamts,c=fr" -f
> > > > "(&(cn=INTERNET)(uid=%v)(ou=%a))" -h
> > > > hermes1.cicoa.cnamts.fr -p 389
> > >
> > > Your filter does not look right. "(&(cn=%v)(uid=%v))" might work, but
> > > more likely the group filter you are after looks something like
> > > "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))".
> > >
> > > What is the output of
> > >
> > > ldapsearch -x -b "ou=public,ou=cicoa,o=cnamts,c=fr" cn=INTERNET
> > >
> > > Regards
> > > Henrik Nordström
> > > MARA Systems AB, Sweden
> >
>
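To make the %v/%a substitution from the man page excerpt concrete, here is an added example (not code from this thread or from Squid) that expands a squid_ldap_group-style -f template for one login/group pair, using the three templates quoted above; the RFC 4515 escaping of the substituted values is this example's own precaution, not a claim about what the 2002 helper did.

```python
# Added example (not code from this thread or from Squid): builds the LDAP
# search filter a squid_ldap_group-style helper would send for one
# (login, group) pair, using the -f template syntax the man page excerpt
# describes: %v = user login name, %a = requested group name.
# The RFC 4515 escaping of substituted values is this example's own
# precaution, not a claim about what the 2002 helper did.

# Characters that must be escaped inside an LDAP filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(template: str, login: str, group: str) -> str:
    """Expand %v and %a in a single pass over the template.

    Other %-sequences (for example %d) are left untouched, which is why the
    filter written with %d in the thread could never match a real user.
    """
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in "va":
            out.append(ldap_escape(login if template[i + 1] == "v" else group))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


# Templates as posted in the thread (the base DNs are the posters' own).
GOOD_TEMPLATE = "(&(cn=%a)(uniquemember=uid=%v,*)(objectclass=groupOfUniqueNames))"
BAD_TEMPLATE = "(&(cn=%v)(uniquemember=uid=%d,*)(objectclass=groupOfUniqueNames))"
FULL_DN_TEMPLATE = "(&(cn=%a)(member=cn=%v,O=Southern Railway)(objectClass=groupOfNames))"

if __name__ == "__main__":
    # Constructed login/group values, used only to show the expansion.
    for name, tmpl in [("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE), ("full DN", FULL_DN_TEMPLATE)]:
        print(f"{name:8s} {build_group_filter(tmpl, 'gilles', 'INTERNET')}")
    # A login containing filter metacharacters is neutralised by the escaping.
    print("hostile ", build_group_filter(GOOD_TEMPLATE, "x)(cn=*", "INTERNET"))
```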
Received on Sat Nov 09 2002 - 01:57:51 MST
