RE: [squid-users] ldap

From: Tomas Palfi <tpalfi@dont-contact.us>
Date: Thu, 20 Mar 2003 13:14:45 -0000

To Henrik and all,

I'm getting the realm authentication dialog box in the browser; however, everyone is denied. When trying to authenticate with username+passwd, my name isn't in the logs; when using my username only, my name appears in the logs. What's the problem, please?

auth_param basic program /data/test/libexec/squid_ldap_auth
-b ou='Focus Group',ou='Retail Users',ou=Sales,dc=proton,o=phoenix,c=co,c=uk
-f(&(uid=%s)(objectClass=organizationalPerson)) -h ldapserver

external_acl_type access %LOGIN /data/test/libexec/squid_ldap_group
-b ou='Focus Group',ou='Retail Users',ou=Sales,dc=proton,o=phoenix,c=co,c=uk
-f (&(cn=%g)(member=%u)(objectClass=groupOfNames))
-F(&(uid=%s)(objectClass=organizationalPerson)) -h ldapserver

acl Access external access Access-Test
http_access allow Access
http_access deny all

Thank you for all your help
Tomas

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: 18 March 2003 21:43
To: Tomas Palfi
Cc: Squid Mailing Group (E-mail)
Subject: Re: [squid-users] ldap

Tomas Palfi wrote:

> ./squid_ldap_auth -u cn -b ou="Focus Group",ou="Retail Users",ou=Sales,dc=proton,dc=phoenix,dc=co,dc=uk ldapserver
>
> this works fine even with the nested ou's within the parent directory

Good, but I must say your base DN looks a bit odd to me...

> however, it doesn't check for any valid groups!!

It should not. squid_ldap_auth does not care about groups.

> external_acl_type access %LOGIN /data/test/libexec/squid_ldap_group -b ou='Focus Group',ou='Retail Users',ou=Sales,dc=proton,dc=phoenix,dc=co,dc=uk -f (&(cn=%g)(member=%u)(objectClass=groupOfNames)) -F
> (&(uid=%s)(objectClass=organizationalPerson)) -h ldapserver

Hmm.. this does not match your squid_ldap_auth line above. In your
squid_ldap_auth line you are using cn as login name, but here you are
using uid. The two cannot ever match.

Regards
Henrik

________________________________________________________________________
This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________

Received on Thu Mar 20 2003 - 06:15:19 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:11 MST
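
The consistency check Henrik describes (the auth helper and the group helper must match the login name against the same attribute) can be automated. The Python sketch below is an added example, not part of the original thread or of Squid; it reads the helper lines from both messages (wrapped lines joined, quote style unified), compares the login attribute, and also compares the base DN passed with -b. The function names and the `uid` fallback are assumptions of this sketch.

```python
import getopt
import re
import shlex

# Constructed from the helper lines in the two messages: wrapped lines joined,
# quote style unified. shlex removes the quotes the way a shell would.
OLD_BASE = "ou='Focus Group',ou='Retail Users',ou=Sales,dc=proton,dc=phoenix,dc=co,dc=uk"
NEW_BASE = "ou='Focus Group',ou='Retail Users',ou=Sales,dc=proton,o=phoenix,c=co,c=uk"
USER_F = "(&(uid=%s)(objectClass=organizationalPerson))"
GROUP_F = "(&(cn=%g)(member=%u)(objectClass=groupOfNames))"
GROUP_CMD = "external_acl_type access %LOGIN /data/test/libexec/squid_ldap_group"
OLD_AUTH = f"./squid_ldap_auth -u cn -b {OLD_BASE} ldapserver"
OLD_GROUP = f"{GROUP_CMD} -b {OLD_BASE} -f {GROUP_F} -F {USER_F} -h ldapserver"
NEW_AUTH = ("auth_param basic program /data/test/libexec/squid_ldap_auth"
            f" -b {NEW_BASE} -f{USER_F} -h ldapserver")
NEW_GROUP = f"{GROUP_CMD} -b {NEW_BASE} -f {GROUP_F} -F{USER_F} -h ldapserver"

def helper_opts(line):
    """Options passed to the squid_ldap_* helper named on a config or shell line."""
    tokens = shlex.split(line)
    start = next(i for i, t in enumerate(tokens) if "squid_ldap_" in t)
    opts, _positional = getopt.getopt(tokens[start + 1:], "b:f:F:u:h:")
    return dict(opts)

def login_attr(line):
    """Attribute compared with %s in the user filter (-F for group, -f for auth), else -u."""
    opts = helper_opts(line)
    user_filter = opts.get("-F" if "squid_ldap_group" in line else "-f", "")
    match = re.search(r"\(([\w-]+)=%s\)", user_filter)
    # The "uid" fallback when neither a filter nor -u is given is this sketch's assumption.
    return (match.group(1) if match else opts.get("-u", "uid")).lower()

def base_dn(line):
    return helper_opts(line).get("-b", "").lower()

def compare(auth_line, group_line):
    """List the settings on which the two helpers disagree."""
    findings = []
    a, g = login_attr(auth_line), login_attr(group_line)
    if a != g:
        findings.append(f"login attribute differs: auth={a} group={g}")
    if base_dn(auth_line) != base_dn(group_line):
        findings.append("base DN differs")
    return findings

if __name__ == "__main__":
    print("quoted lines:", compare(OLD_AUTH, OLD_GROUP))
    print("new lines:   ", compare(NEW_AUTH, NEW_GROUP))
    print("base DN same as the working test:", base_dn(NEW_AUTH) == base_dn(OLD_AUTH))
```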