Re: [squid-users] squid proxy for W2K active directory users

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 25 Apr 2003 09:34:00 +0200

The squid_ldap_group manpage is the best source of documentation.

If you look closely at the current helper you will find that
squid_ldap_group has user-related options which correspond to
similar options of squid_ldap_auth (but different case in some), in
addition to the group-related options. By specifying the same values
for these options as specified for the similar options you will make
the helper search for the user in the exact same manner as
squid_ldap_auth before looking up group membership.

This allows the helper to operate with normal LDAP groups having the
user's DN in the member attribute, regardless of which user object
attribute you use for the login name.

The %a/%v things are obsolete and replaced by %u/%g (but still work).
These were used by the older helper shipped in 2.5.STABLE1. See the
squid_ldap_group documentation shipped in 2.5.STABLE1 for
specification of %a/%v.

Regards
Henrik

On Friday 25 April 2003 06.05, joel wrote:
> Thank you very much for your answer, I appreciate it so much, but I
> still have a doubt
>
> I want to log the user in using the userPrincipalName (i.e.
> user@domain.com), but in the member field of the group I only have
> the user's cn. I have tried using the -u attr and nothing happens. I
> saw one email where you mentioned the parameters %v and %a but I
> haven't found any documentation about it. Please, could you tell me
> where I can find this documentation? I have only found the man
> pages that come with the installation and some emails in the
> discussion list, but there is not any documentation about this on
> the www.squid-cache.org site.
>
> For example, browsing the Active Directory LDAP for user Joel
> Gonzalez..
>
> Expanding base 'CN=Joel Gonzalez,OU=users,DC=domain,DC=cu'...
> Result <0>: (null)
> Matched DNs:
>
> Getting 1 entries:
> >> Dn: CN=Joel Gonzalez,OU=users,DC=domain,DC=cu
>
> 8> memberOf: CN=Proxy-Users,OU=Groups,DC=domain,DC=cu;
> ....
> 1> userPrincipalName: joel@domain.cu;
> ....
>
> and then if I browse the Proxy-Users group ...
>
> Expanding base 'CN=Proxy-Users,OU=Groups,DC=domain,DC=cu'...
> Result <0>: (null)
> Matched DNs:
>
> Getting 1 entries:
> >> Dn: CN=Proxy-Users,OU=Groups,DC=domain,DC=cu
>
> 8> member: CN=Joel Gonzalez,OU=users,DC=domain,DC=cu;
> ...........
> 1> cn: Proxy-Users;
>
> Thank you very much for your help,
>
> Best Regards,
>
> Joel Gonzalez
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Thursday, April 24, 2003 8:42 PM
> To: joel@cbcan.cyt.cu
> Subject: Re: [squid-users] squid proxy for W2K active directory
> users
>
> On Thursday 24 April 2003 18.48, joel wrote:
> > Hi,
> >
> > I've configured squid-2.5.stable2 to use ldap to authenticate
> > users from an Active Directory. It's working fine but I have a
> > little problem, the users have to enter the Display Name (as
> > called in Active Directory) instead of their account name. The
> > problem is in the interaction of squid_ldap_auth and
> > squid_ldap_group because when I use only the squid_ldap_auth, I
> > can change the filter and use other attributes like
> > userPrincipalName or sAMAccountName.
>
> squid_ldap_group from Squid-2.5.STABLE2 or later has the same
> capabilities as squid_ldap_auth when it comes to identifying the
> user by searching for the user's DN and then using this DN in the
> group lookup. See the documentation.
>
> This is different from 2.5.STABLE1, where squid_ldap_group was
> limited to only match using the login name entered by the user.
>
> Regards
> Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Fri Apr 25 2003 - 01:37:39 MDT
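
The setup described in the reply above, as an added squid.conf sketch that is not part of the original message: both helpers locate the user by userPrincipalName, and squid_ldap_group then matches the resulting DN against the group's member attribute. The helper paths, the host dc1.domain.cu, the squidbind account and the password placeholder are assumptions; the base DNs and the group name are taken from the directory output quoted in the thread.

```conf
# Constructed example. Assumed values: helper paths, dc1.domain.cu,
# the squidbind service account and <bind-password>.

# 1. Authentication: search for the user object by userPrincipalName
#    (-b user base, -f user filter, %s = login name), then bind as that DN.
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "OU=users,DC=domain,DC=cu" -f "(&(objectClass=user)(userPrincipalName=%s))" -D "CN=squidbind,OU=users,DC=domain,DC=cu" -w "<bind-password>" -h dc1.domain.cu
auth_param basic children 5
auth_param basic realm Squid proxy

# 2. Group lookup: the user search options are the upper-case counterparts
#    of the squid_ldap_auth ones (-B user base, -F user filter). With -F set,
#    %u in the group filter (-f) is replaced by the user's DN and %g by the
#    group name given on the acl line, so a plain "member: <user DN>" group
#    matches whatever attribute was used as the login name.
external_acl_type ldap_group %LOGIN /usr/local/squid/libexec/squid_ldap_group -b "OU=Groups,DC=domain,DC=cu" -f "(&(objectClass=group)(cn=%g)(member=%u))" -B "OU=users,DC=domain,DC=cu" -F "(&(objectClass=user)(userPrincipalName=%s))" -D "CN=squidbind,OU=users,DC=domain,DC=cu" -w "<bind-password>" -h dc1.domain.cu

# 3. Only authenticated members of Proxy-Users may use the proxy.
acl proxy_users external ldap_group Proxy-Users
http_access allow proxy_users
http_access deny all
```

The group helper can be checked on its own by running the same command line in a terminal and typing a login name and group separated by a space (for example `joel@domain.cu Proxy-Users`); it answers OK or ERR.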