Re: [squid-users] Squid_ldap_group

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 02 Apr 2003 01:46:03 +0200

Craig Home wrote:
>
> Hi,
>
> I have been trying to use squid_ldap_match with Active directory with not
> much success, I have built everything but just can't seem to get the
> parameters correct.
>
> I am also unsure whether I just have to use the match, or also do an
> ldap_auth on the user beforehand - if you can clarify whether this is
> required - thanks.

%LOGIN in external_acl_type uses your auth_param settings for
authentication to determine the login name before the login can be sent
to the external acl helper.. so you need both helpers but only one acl.

> I am trying to match up a group which is situated in:
>
> cn=INTERNETUSERS,cn=Users

What is your squid_ldap_auth parameters? With current squid_ldap_match
(or _group) helpers there is a direct relation between squid_ldap_auth
and squid_ldap_match arguments..

> The Base dn = dc=top,dc=sy,dc=turvy
>
> Ok,
>
> So I am trying to match the group with squid_ldap_match with Squid 2.5
> stable2 compiled from source with openldap on Redhat 7.3 (fully patched)
>
> (Standalone)
>
> squid_ldap_match -b "dc=top,dc=sy,dc=turvy" -f "(%(cn=%u)(cn=%g))" -h
> 193.116.22.122 -p 389

This filter does not look right. The same LDAP object cannot have two cn
values.. The first should be member=%u I think. The filter should also
specify the type of object to look for (objectClass=groupOfNames)

> in the squid.conf file
>
> external_acl_type ldap_group %LOGIN /path/to/squid_ldap_match
> -b "dc=top,dc=sy,dc=turvy" -f "(%(cn=%u)(cn=%g))" -h 193.116.22.122 -p 389
>
> acl firstrule external ldap_group INTERNETUSERS
>
> I am particularly interested in any debug options you can specify to further
> debug whether I have the filter options correctly. How would I test these
> filters out in relation to active directory as I don't know whether the %u
> or %g are returning the correct values?

There is an undocumented debug parameter to squid_ldap_match..

 -d 1

will enable debug output of the constructed search filters etc.

> Can I capture what is sent to STDIN so I can look at the returned results?

Not easily, but it is trivial to test the helper manually. It expects
plain lines with just

user group

One peculiarity to keep in mind with AD is that depending on your
security settings you may need to specify a "dummy" user to bind as
while performing the searches. Not all AD installations allow anonymous
LDAP searches within the directory. For security reasons this dummy user
should have least possible privileges, just barely enough to be allowed
to search the LDAP directory.

Experimenting a little with ldapsearch to get familiar with how your
LDAP server operates is recommended. Once you get the hang of
ldapsearch, translating the knowledge to squid_ldap_match (or
squid_ldap_group which is another name for the same helper) is trivial.

Regards
Henrik
Received on Tue Apr 01 2003 - 16:46:30 MST
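An added example (not code from this thread or from Squid's own helper) showing why Henrik flags the filter: it models how a `-f` template is expanded with `%u` and `%g`, checks the result against RFC 4515 filter syntax, and parses the `user group` request lines the helper expects on stdin. The expansion is a simplified model, and the function names, the RFC 4515 escaping of substituted values and the sample user/group names are my assumptions, not the helper's documented behaviour; the corrected template uses the `objectClass=groupOfNames` / `member=%u` shape Henrik suggests.

```python
import re

# Constructed sample templates: the one from the thread and the corrected shape.
BROKEN_TEMPLATE = "(%(cn=%u)(cn=%g))"
FIXED_TEMPLATE = "(&(objectClass=groupOfNames)(member=%u)(cn=%g))"

# RFC 4515 escapes for values placed inside a search filter. Substituting a
# login name without them lets the value alter the filter's structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it stays a single assertion value in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, user: str, group: str, escape: bool = True) -> str:
    """Substitute %u and %g in a -f style template (assumed, simplified model).
    escape=False reproduces raw substitution so the difference is visible."""
    sub = escape_filter_value if escape else (lambda v: v)
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt == "u":
                out.append(sub(user)); i += 2; continue
            if nxt == "g":
                out.append(sub(group)); i += 2; continue
            if nxt == "%":
                out.append("%"); i += 2; continue
        out.append(ch)
        i += 1
    return "".join(out)


def is_valid_filter(f: str) -> bool:
    """Syntax check for the RFC 4515 subset used here: (&...), (|...), (!...)
    and attr=value items. A '%' where a filter component should be fails."""
    pos = 0

    def parse_filter():
        nonlocal pos
        if pos >= len(f) or f[pos] != "(":
            raise ValueError("expected '('")
        pos += 1
        if f[pos] in "&|":
            pos += 1
            if f[pos] != "(":
                raise ValueError("and/or needs at least one sub-filter")
            while pos < len(f) and f[pos] == "(":
                parse_filter()
        elif f[pos] == "!":
            pos += 1
            parse_filter()
        else:
            m = re.match(r"[A-Za-z][A-Za-z0-9.;-]*=[^()]*", f[pos:])
            if not m:
                raise ValueError("expected attr=value")
            pos += m.end()
        if pos >= len(f) or f[pos] != ")":
            raise ValueError("expected ')'")
        pos += 1

    try:
        parse_filter()
        return pos == len(f)
    except (ValueError, IndexError):
        return False


def parse_helper_request(line: str):
    """Parse one stdin line in the form the helper expects: 'user group'."""
    parts = line.strip().split()
    return (parts[0], parts[1]) if len(parts) == 2 else None


if __name__ == "__main__":
    # Constructed sample request, as you would type it when testing the helper by hand.
    user, group = parse_helper_request("craig INTERNETUSERS\n")
    for name, tmpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        f = expand_filter(tmpl, user, group)
        print(f"{name}: {f}  valid={is_valid_filter(f)}")
```

Running it shows the thread's template expanding to `(%(cn=craig)(cn=INTERNETUSERS))`, which fails the syntax check because `%` is not a filter component and, as Henrik notes, one object cannot match two `cn` values anyway; the corrected template produces a valid filter that looks up one group by name and membership. The `escape=False` path is there only to show how an unescaped login could add extra filter terms, which is the reason the substituted values are escaped.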