Re: [squid-users] RE: ldap group

On Thursday 08 May 2003 15.51, Pedro Alte wrote:
> The base DN is already the lowest : dc=domain,dc=com.
> My filter is "(&(cn=%g)(member=cn=%u))", and the authentication
> only works if I change it to
> "(&(cn=%g)(member=cn=%u,ou=firstou,ou=secondou,dc=domain,dc=com))".
> It seems that squid needs to know the members' exact location,
> which I want to avoid, since I have users located in many different
> OU's.

I would recommend using the dual search mode where squid_ldap_group
first searches for the user DN, and then searches for group
memberships.

Alternatively you can use a wildcard search like
"(&(cn=%g)(member=cn=%u,*))"

The reason to this is quite clear if you take a closer look at a LDAP
group object. A typical LDAP group object looks like:

CN=NameOfGroup,OU=Some_OU,dc=domain,dc=com
cn: NameOfGroup
objectClass: groupOfNames
member: cn=SomeUser,ou=Some_OU,dc=comain,dc=com
member: cn=AnotherUser,ou=SomeOther_OU,dc=comain,dc=com
member: ...
member: ...
member: ...
member: ...

Yourfilter has to match the data in the object. Just plain
"member=cn=SomeUser" won't match this object as there is no member
attribute with the value "cn=SomeUser", only
"cn=SomeUser,OU=Some_OU,dc=domain,dc=com"

In the dual search mode the helper first searches for the user as
squid_ldap_auth does, and then uses the DN of the found user object
in the group search filter. The group filter then becomes
"(&(objectClass=GroupOfNames)(cn=%g)(member=%u))" which will then
expand into
"(&(objectClass=GroupOfNames)(cn=NameOfgroup)(member=cn=SomeUser,ou=Some_OU,dc=domain,dc=com))"
when the %g and %u are filled in.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com