Re: [squid-users] Authentification against DominoNotes LDAP

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 04 Apr 2003 12:17:04 +0200

Fri 2003-04-04 at 10.03, Stefan.Vogel@temic.com wrote:
> Hello,
>
> When I try this syntax with the squid_ldap_group helper, I get ERR
>
> proxytest:/usr/local/squid/libexec # ./squid_ldap_group -b "o=cag" -f "
> (&(cn=%g)(objectClass=groupOfNames)(member=%u))" -F "(&(uid
> =%s)(objectClass=Person))" -d 1 172.25.0.19
> vogels CAS_NU_Internetuser
> Connected OK
> user filter (&(uid=vogels)(objectClass=Person))
> filter
> (&(cn=CAS_NU_Internetuser)(objectClass=groupOfNames)(member=CN=Stefan
> Vogel,OU=nu,OU=eu,OU=au,O=cag))
> ERR
>
> When using these two filters with the LDAPSEARCH on my LDAP-Server
> (DominoNotes 5.11), each filter works:
>
> D:\Lotus\Domino>ldapsearch -h 172.25.0.19 -p 389 "
> (&(cn=CAS_NU_Internetuser)(objectClass=groupOfNames)(member=CN=Stefan
> Vogel,OU=nu,OU=eu,OU=au,O=cag))"
> CN=CAS_NU_Internetuser
> cn=CAS_NU_Internetuser

This looks odd. The first row returned by ldapsearch is the DN
(Distinguished Name) of the object, but in your case the group does not
seem to have a complete DN indicating where the object belongs in your
LDAP tree; only the last component with the leaf name is shown. See the
user object below for how it should look.

If this is really true and the group object is named just
"CN=CAS_NU_Internetuser" and not
"CN=CAS_NU_Internetuser,OU=nu,OU=eu,OU=au,O=cag" or something else
belonging to your organisation, this object won't be found by the filter
as it is not located below your specified base DN, and is very wrong
from an LDAP perspective. If you want to have your LDAP tree in such an odd
manner then try specifying a blank base DN, but I cannot promise this
will work...

> D:\Lotus\Domino>ldapsearch -h 172.25.0.19 -p 389 "
> (&(uid=vogels)(objectClass=Person))"
> CN=Stefan Vogel,OU=nu,OU=eu,OU=au,O=cag
> cn=Stefan Vogel

This looks as expected. First a correct DN of the user object
indicating exactly where this object belongs in your LDAP tree, followed
by the attribute values in the object.

Regards
Henrik

-- 
Free Squid-users support provided by Henrik Nordström <hno@squid-cache.org>
PayPal donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org&cn=Comment
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Fri Apr 04 2003 - 03:17:12 MST
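
The base-DN scoping described in the reply above, as an added example (not part of the original message and not Squid's helper code): a simplified Python model of subtree matching, run over the two DNs shown in the ldapsearch output. The names `split_dn`, `in_subtree` and `report` are hypothetical; subtree search scope and case-insensitive, whitespace-collapsed comparison are assumptions, and multi-valued RDNs are not handled.

```python
def split_dn(dn):
    """Split a DN into normalised (attr, value) RDNs, leaf first.
    A backslash-escaped comma stays inside its value."""
    if not dn.strip():
        return []                      # blank DN = root of the tree
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        # Assumption: compare case-insensitively with collapsed whitespace.
        rdns.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return rdns


def in_subtree(entry_dn, base_dn):
    """True if entry_dn is the base object or lies below it."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(base) > len(entry):
        return False
    # A blank base matches everything; otherwise the entry's trailing
    # RDNs must equal the base DN.
    return not base or entry[-len(base):] == base


# DNs copied from the ldapsearch output quoted in the message.
USER_DN = "CN=Stefan Vogel,OU=nu,OU=eu,OU=au,O=cag"
GROUP_DN = "CN=CAS_NU_Internetuser"


def report(base_dn):
    """Which of the two objects a subtree search from base_dn can reach."""
    return {"user": in_subtree(USER_DN, base_dn),
            "group": in_subtree(GROUP_DN, base_dn)}


if __name__ == "__main__":
    print('base "o=cag":', report("o=cag"))   # the -b value from the thread
    print('base "":     ', report(""))        # the blank base suggested above
```
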
