Re: [squid-users] Re: AW: [Group-ldap-auth-help] AD auth with squid 2.5

From: Daniel Barron <nettle@dont-contact.us>
Date: Sun, 02 Feb 2003 23:41:55 GMT

In message <1044019958.24852.53.camel@henrik.marasystems.com>
          Henrik Nordstrom <hno@squid-cache.org> wrote:

> This is a lot easier with the new version of the LDAP group helper
> available in the current 2.5.STABLE nightly snapshots or from
> http://marasystems.com/download/LDAP_Group/

Yes it was! :)

>
> But first you need to decide on what you want to match:
>
> a) member attribute of the group objects
>
> b) memberOf attribute of the user objects
>
> I would recommend matching the member attribute of group objects.

I agree, however that seems more difficult as squid only passes the user name
in the form 'daniel' whereas the filter needs it in
'cn=daniel,ou=test,dc=jadeb,dc=com', so I opted for (b).

>
> Then I'd recommend experimenting a little with the ldapsearch command to
> get familiar with the LDAP structure and search filters. It is a quite
> healthy exercise and will make the job of constructing filters for
> squid_ldap_group a lot easier.

I have now and yes you were right, of course.

For future ref, for anyone else with the same problem, here are my squid
settings as the docs are very very short on examples which would have
helped me a lot more:

# First for getting user/pass:
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "ou=test,dc=jadeb,dc=com" -u cn -h 192.168.***.23
acl dozeusers proxy_auth REQUIRED

# Then group membership:
external_acl_type squid_ldap_match %LOGIN /usr/local/squid/libexec/squid_ldap_match -b "ou=test,dc=jadeb,dc=com" -f "(&(cn=%u)(memberOf=%g))" -h 192.168.254.23 -S -D daniel -w ***
acl ldap_webaccess external squid_ldap_match CN=WebAccess,OU=test,dc=jadeb,dc=com

http_access allow dozeusers ldap_webaccess

*** = hidden for my safety ;)

Thank you for all the help.

-- 
Daniel Barron
(Visit http://dansguardian.org/ - True web content filtering for all)
Received on Sun Feb 02 2003 - 16:42:02 MST
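The external_acl_type line in the post works because squid sends the helper one request per line ("%LOGIN" followed by the acl argument, here the group DN), the helper substitutes the two values into the -f filter template and answers OK or ERR. The following is an added example, not code from this thread or from Squid: it models that exchange against a small constructed in-memory directory instead of a real LDAP server, so it runs offline. The tree name ou=test,dc=jadeb,dc=com, the cn=daniel user, the WebAccess group and the filter template come from the post; the directory entries, the case-insensitive matching, the modelling of -S as stripping a "DOMAIN\" or "DOMAIN/" prefix, and the RFC 4515 escaping of the substituted values are assumptions of this example (a real helper relies on the server's matching rules and on its own escaping code).

```python
"""Toy model of the squid_ldap_match / squid_ldap_group lookup from the post.

Added example, not code from the thread or from Squid.  It runs the filter
    -f "(&(cn=%u)(memberOf=%g))"   with   -S
against a constructed in-memory directory so that it works offline.
"""
import re
import sys

# Constructed stand-in for ou=test,dc=jadeb,dc=com (assumption: real entries
# carry many more attributes; only cn and memberOf matter for this filter).
DIRECTORY = {
    "cn=daniel,ou=test,dc=jadeb,dc=com": {
        "cn": ["daniel"],
        "memberof": ["CN=WebAccess,OU=test,dc=jadeb,dc=com"],
    },
    "cn=guest,ou=test,dc=jadeb,dc=com": {
        "cn": ["guest"],
        "memberof": [],
    },
}

FILTER_TEMPLATE = "(&(cn=%u)(memberOf=%g))"   # the -f argument from the post


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 style)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def strip_domain(login: str) -> str:
    """Model of -S (assumption): drop a leading NT-style 'DOMAIN\\' or 'DOMAIN/'."""
    return re.split(r"[\\/]", login, maxsplit=1)[-1]


def build_filter(template: str, user: str, group: str) -> str:
    """Substitute %u and %g into the -f template, escaping both values."""
    subst = {"u": ldap_escape(user), "g": ldap_escape(group)}
    return re.sub(r"%([ug])", lambda m: subst[m.group(1)], template)


_EQ = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def parse_and_filter(flt: str):
    """Parse the restricted shape '(&(a=v)(b=w)...)' into (attr, value, presence).

    A bare '*' value is a presence test, as in real LDAP; anything that does
    not fit this shape is rejected, which is what a broken filter gets you.
    """
    if not (flt.startswith("(&") and flt.endswith(")")):
        raise ValueError("only (&(...)(...)) filters are modelled")
    body, pos, terms = flt[2:-1], 0, []
    while pos < len(body):
        m = _EQ.match(body, pos)
        if not m:
            raise ValueError("unparsable filter fragment: %r" % body[pos:])
        attr, raw = m.group(1).lower(), m.group(2)
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
        terms.append((attr, value, raw == "*"))
        pos = m.end()
    return terms


def search(flt: str):
    """Return the DNs of directory entries matching the AND filter."""
    terms = parse_and_filter(flt)

    def matches(entry):
        for attr, value, presence in terms:
            values = entry.get(attr, [])
            if presence:
                if not values:
                    return False
            elif not any(v.lower() == value.lower() for v in values):  # assumed case-insensitive
                return False
        return True

    return [dn for dn, entry in DIRECTORY.items() if matches(entry)]


def handle_request(line: str) -> str:
    """One external_acl request line '<login> <group-dn>' -> 'OK' or 'ERR'."""
    try:
        login, group = line.rstrip("\n").split(" ", 1)
    except ValueError:
        return "ERR"
    flt = build_filter(FILTER_TEMPLATE, strip_domain(login), group)
    try:
        return "OK" if search(flt) else "ERR"
    except ValueError:
        return "ERR"          # a malformed filter never grants access


if __name__ == "__main__":
    # Same loop shape as a real helper: one answer per request line on stdin.
    for request in sys.stdin:
        print(handle_request(request), flush=True)
```

Feed it lines such as `daniel CN=WebAccess,OU=test,dc=jadeb,dc=com` on stdin to see the OK/ERR answers squid would receive; the `build_filter` output is also the string to paste into ldapsearch when debugging a filter, which is the exercise recommended above.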
