Re: [squid-users] RE: ldap group

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 9 May 2003 03:32:37 +0200

On Friday 09 May 2003 01.19, Christoph Haas wrote:

> The dual search mode looks promising. I need to try that myself.
> Took me a while to notice this is an important change from Squid
> 2.5.1 to Squid 2.5.2.

It works much better than the old mode, and has far fewer
restrictions.

If you can configure squid_ldap_auth to authenticate the user then you
can now configure squid_ldap_group to match group objects where the
same user is member with virtually no limitations on directory layout
or DN structure.

With the old helper you could
 a) Only match groups if the user's login name was part of their DN

 b) Only match users in multiple OUs if your directory supports
wildcard matches in the member attribute

The original helper was basically designed for an LDAP structure just
used as group information storage, listing which login names belong
to which groups, not for normal LDAP groups. In some cases this was
sufficient for also matching normal LDAP group memberships, but not
always.

The new version is designed for matching normal LDAP group
memberships. With the new one you can locate the user DN by any
attribute, and then match this to groups by the member attribute or
any other attribute of choice, or if you prefer you can still match
based on the raw login name, which is most suitable if you are
actually matching attributes stored in the user object and not in a
separate group object.

The drawback is that the helper is starting to be a bit too flexible
with many different possible configurations. Not always obvious what
to use if one has not studied the LDAP structure in detail.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Thu May 08 2003 - 19:32:06 MDT
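The two matching modes Henrik contrasts above, as an added example that is not part of the original post and not code from the Squid project: an in-memory model of the old single-search mode (the group filter can only carry the raw login name, so the member DN has to be guessed from it) beside the dual search mode (locate the user object first, then match the group by its member attribute with the DN just found). The directory layout, the DNs and login names, and the squid_ldap_group command lines in the docstrings are constructed for illustration; the flag names (-B/-F for the user search, -b/-f for the group search) and the %s/%u/%g substitutions follow the 2.5 helper's documented usage, but nothing here talks to a real LDAP server.

```python
"""Added example: dual search mode versus the old single-search mode of
squid_ldap_group, modelled against a constructed in-memory directory.
Not code from the squid-users post or from Squid itself."""

# Constructed directory. The login name (uid) is NOT part of the DN and
# the users sit in different OUs: exactly the layout the old helper
# could not handle without wildcard matches in the member attribute.
DIRECTORY = {
    "cn=Christoph Haas,ou=staff,dc=example,dc=org":
        {"objectClass": ["person"], "uid": ["chaas"]},
    "cn=Henrik Nordstrom,ou=contractors,dc=example,dc=org":
        {"objectClass": ["person"], "uid": ["hno"]},
    "cn=proxyusers,ou=groups,dc=example,dc=org":
        {"objectClass": ["groupOfNames"], "cn": ["proxyusers"],
         "member": ["cn=Christoph Haas,ou=staff,dc=example,dc=org",
                    "cn=Henrik Nordstrom,ou=contractors,dc=example,dc=org"]},
    "cn=admins,ou=groups,dc=example,dc=org":
        {"objectClass": ["groupOfNames"], "cn": ["admins"],
         "member": ["cn=Henrik Nordstrom,ou=contractors,dc=example,dc=org"]},
}

GROUP_BASE = "ou=groups,dc=example,dc=org"   # -b (assumed layout)
USER_BASE = "dc=example,dc=org"              # -B (assumed layout)


def search(base, **must):
    """Subtree search under `base` with an equality AND-filter, e.g.
    search(USER_BASE, objectClass="person", uid="hno") stands in for
    "(&(objectClass=person)(uid=hno))". Returns the matching DNs."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base)
            and all(v in attrs.get(a, []) for a, v in must.items())]


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value substituted into a filter string.
    Anything dropped into %s / %u / %g must be escaped, or a login such
    as "*" turns "(uid=%s)" into a presence filter that matches anyone."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def user_search_filter(login):
    """The -F pattern with %s filled in, as a helper would send it."""
    return "(&(objectClass=person)(uid=%s))" % ldap_filter_escape(login)


def old_mode_is_member(login, group, ou="staff"):
    """Single-search mode: %u can only be the raw login name, so the
    group filter has to guess the member DN from it, e.g.
      squid_ldap_group -b ou=groups,dc=example,dc=org \\
         -f "(&(cn=%g)(member=uid=%u,ou=staff,dc=example,dc=org))"
    It matches only if the login name really is part of the member DN,
    and only for the one OU hard-wired into the pattern."""
    guessed_dn = "uid=%s,ou=%s,dc=example,dc=org" % (login, ou)
    return bool(search(GROUP_BASE, cn=group, member=guessed_dn))


def dual_search_is_member(login, group):
    """Dual search mode (squid_ldap_group in Squid 2.5.STABLE2 and later):
      squid_ldap_group -B dc=example,dc=org \\
         -F "(&(objectClass=person)(uid=%s))" \\
         -b ou=groups,dc=example,dc=org -f "(&(cn=%g)(member=%u))"
    First locate the user object by any attribute (-F), then match the
    group by its member attribute with %u = the DN just found."""
    user_dns = search(USER_BASE, objectClass="person", uid=login)
    if len(user_dns) != 1:
        return False  # unknown or ambiguous login: deny, never guess
    return bool(search(GROUP_BASE, cn=group, member=user_dns[0]))


def helper_reply(request_line, is_member=dual_search_is_member):
    """One round of the external_acl helper protocol: Squid writes
    "login group [group ...]" and the helper answers OK if the user is
    a member of any listed group, ERR otherwise."""
    parts = request_line.split()
    if len(parts) < 2:
        return "ERR"
    login, groups = parts[0], parts[1:]
    return "OK" if any(is_member(login, g) for g in groups) else "ERR"


if __name__ == "__main__":
    print(old_mode_is_member("hno", "admins"))      # False: uid not in DN
    print(dual_search_is_member("hno", "admins"))   # True
    print(helper_reply("chaas proxyusers admins"))  # OK
    print(user_search_filter("*"))                  # uid=\2a, not uid=*
```

The point the model makes is the one from the post: with login names that are not part of the DN and users spread over several OUs, the single-search helper cannot produce a true match at all, while the dual search resolves the DN first and then matches the real member attribute. The escaping helper is the check a practitioner wants next to any %s substitution, since the login name arrives from the client.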
