[squid-users] Squid_ldap_group

From: Homberger Peter <Peter.Homberger@dont-contact.us>
Date: Thu, 6 Mar 2003 11:02:31 +0100

Dear Squid Users

I have some problems configuring authentication of ldap users.
The idea behind my configuration is that only users in an existing LDAP group
will be authenticated successfully.

In this example it's my own user with the login ID phom.

What's wrong in my config? The user will not be authenticated.

Squid access.log:
1046945867.315 287 10.1.15.238 TCP_DENIED/407 1805

My LDAP Group:

# Security-Group, security, nextiraone, ch
dn: cn=Security-Group,ou=security,o=nextiraone,c=ch
objectClass: groupOfNames
objectClass: groupOfUniqueNames
cn: Security-Group
member: cn=FW1-Template,o=nextiraone,c=ch
member: cn=Homberger Peter,ou=security,o=nextiraone,c=ch
uniqueMember: uid=phom,ou=security,o=nextiraone,c=ch

My User:

# Homberger Peter, security, nextiraone, ch
dn: cn=Homberger Peter,ou=security,o=nextiraone,c=ch
objectClass: person
objectClass: uidObject
objectClass: organizationalPerson
cn: Homberger Peter
sn: Homberger
uid: phom
userPassword: **********

My squid.conf

auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -u uid -b ou=security,o=nextiraone,c=ch
auth_param basic children 5
auth_param basic realm "Authentication for Internet Access is required! Please note that all traffic should be monitored for statistical purposes!"
auth_param basic credentialsttl 2 hours

external_acl_type ldap_group %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "ou=security,o=nextiraone,c=ch" -f '(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))'

acl group_Internet external ldap_group Security-Group
http_access allow group_Internet
http_access deny all

With kind regards

Peter Homberger
 
NextiraOne Schweiz GmbH
Peter Homberger
Consultant Security / NMS
Industriestasse 30, CH-8203 Kloten
Tel: +41 1 815 32 65
Fax: +41 1 813 53 24
 
mailto:peter.homberger@nextiraone.ch
http://www.nextiraone.ch
Received on Thu Mar 06 2003 - 03:02:49 MST
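As an added example (not code from the post, and not Squid's squid_ldap_group itself), the following Python re-enacts the lookup the helper performs for the configuration above, run against copies of the two LDIF entries in the post, so the filter can be checked without a directory server. It assumes %v stands for the group name and %d for the login, as the post uses them (check the placeholder names against the usage text of your squid_ldap_group build), and it compares DNs in a simplified way (no escaped commas). The point it shows: member and uniqueMember have DN syntax, which defines an equality matching rule but no substring rule, so an item like (member=uid=phom,*) evaluates to Undefined and the surrounding AND can never be true; and in the posted group the member values hold the user's cn-based DN, not uid=phom. Two filters that do match the posted data are shown beside it: an exact uniqueMember value built from the login and the search base, and the two-step lookup (login to DN, then member equality) that a group check needs when member holds DNs.

```python
"""Offline re-enactment of one squid_ldap_group lookup against the posted entries.
Added example, not code from the post or from Squid.  Assumed: %v is the group
name and %d the login, as the post uses them; DN comparison is simplified."""
import re

BASE = "ou=security,o=nextiraone,c=ch"

# Constructed sample directory: the two entries from the post (password omitted).
DIRECTORY = {
    "cn=Security-Group,ou=security,o=nextiraone,c=ch": {
        "objectClass": ["groupOfNames", "groupOfUniqueNames"], "cn": ["Security-Group"],
        "member": ["cn=FW1-Template,o=nextiraone,c=ch",
                   "cn=Homberger Peter,ou=security,o=nextiraone,c=ch"],
        "uniqueMember": ["uid=phom,ou=security,o=nextiraone,c=ch"]},
    "cn=Homberger Peter,ou=security,o=nextiraone,c=ch": {
        "objectClass": ["person", "uidObject", "organizationalPerson"],
        "cn": ["Homberger Peter"], "sn": ["Homberger"], "uid": ["phom"]}}

# DN-syntax attributes have an equality rule but no substring rule, so a filter
# item such as (member=uid=phom,*) evaluates to Undefined and is never True.
DN_SYNTAX_ATTRS = {"member", "uniquemember", "owner", "seealso"}

def normalize_dn(dn):  # trim around commas, compare case-insensitively
    return ",".join(p.strip() for p in dn.split(",")).lower()

def escape_value(text):  # RFC 4515 escaping: a login like "*" or "x)(uid=*" stays literal
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in text)

def unescape(text):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def parse_filter(s):
    """RFC 4515 subset: & and | sets; equality, presence and substring items."""
    pos = 0
    def item():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if s[pos] in "&|":
            op, pos, kids = s[pos], pos + 1, []
            while s[pos] == "(":
                kids.append(item())
            pos += 1  # the set's closing ')'
            return (op, kids)
        end = s.index(")", pos)
        attr, _, raw = s[pos:end].partition("=")
        pos = end + 1
        # split on unescaped '*' first, then decode \xx escapes inside each piece
        return ("=", attr.strip().lower(), [unescape(p) for p in raw.split("*")])
    return item()

def evaluate(node, entry):
    """Three-valued result as in RFC 4511: True, False or None (Undefined)."""
    if node[0] in "&|":
        op, kids = node
        results = [evaluate(k, entry) for k in kids]
        if (op == "&" and False in results) or (op == "|" and True in results):
            return op == "|"
        return None if None in results else op == "&"
    _, attr, pieces = node
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    if pieces == ["", ""]:                       # presence: (attr=*)
        return bool(values)
    if len(pieces) == 1:                         # equality
        if attr in DN_SYNTAX_ATTRS:
            return any(normalize_dn(v) == normalize_dn(pieces[0]) for v in values)
        return any(v.lower() == pieces[0].lower() for v in values)
    if attr in DN_SYNTAX_ATTRS:                  # substring on a DN attribute
        return None
    regex = "^" + ".*".join(re.escape(p) for p in pieces) + "$"
    return any(re.match(regex, v, re.IGNORECASE | re.DOTALL) for v in values)

def search(ldap_filter, base, directory=DIRECTORY):
    """Subtree search: DNs at or below base for which the filter is True."""
    node, nbase = parse_filter(ldap_filter), normalize_dn(base)
    return [dn for dn, e in directory.items() if evaluate(node, e) is True
            and (normalize_dn(dn) == nbase or normalize_dn(dn).endswith("," + nbase))]

def group_check(template, login, group, base, directory=DIRECTORY):
    """One helper lookup: Squid sends '<login> <group>', the helper answers OK or ERR."""
    ldap_filter = template.replace("%v", escape_value(group)).replace("%d", escape_value(login))
    return "OK" if search(ldap_filter, base, directory) else "ERR"

def group_check_by_dn(login, group, base, directory=DIRECTORY):
    """Two steps: resolve the login to its DN, then match member by equality."""
    users = search("(uid=%s)" % escape_value(login), base, directory)
    if len(users) != 1:                          # unknown or ambiguous login
        return "ERR"
    ldap_filter = "(&(cn=%s)(member=%s))" % (escape_value(group), escape_value(users[0]))
    return "OK" if search(ldap_filter, base, directory) else "ERR"

POSTED_FILTER = "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))"
UNIQUEMEMBER_FILTER = "(&(cn=%v)(uniqueMember=uid=%d," + BASE + "))"  # exact value, no wildcard

if __name__ == "__main__":
    print(group_check(POSTED_FILTER, "phom", "Security-Group", BASE))        # ERR
    print(group_check(UNIQUEMEMBER_FILTER, "phom", "Security-Group", BASE))  # OK
    print(group_check_by_dn("phom", "Security-Group", BASE))                 # OK
```

The same check against the real directory is the filled-in filter run through ldapsearch with the same base, or the helper started by hand and fed the line "phom Security-Group" on stdin, which it answers with OK or ERR. Escaping the login before substitution (escape_value above) matters because %LOGIN is user-supplied: an unescaped "*" turns (uid=%d) into a presence test that matches any account.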
