Re: [squid-users] RE: ldap group

From: Christoph Haas <email@dont-contact.us>
Date: Fri, 9 May 2003 13:28:21 +0200

Hi, Henrik et al...

On Fri, May 09, 2003 at 03:32:37AM +0200, Henrik Nordstrom wrote:
> The new version is designed for matching normal LDAP group
> memberships. With the new you can locate the user DN by any
> attribute, and then match this to groups by the member attribute or
> any other attribute of choice, [...]

There is a last issue left although this may be more a limitation of LDAP
than a flaw in squid_ldap_group. If I got you right these two steps are
run:

Step 1:
        Search for the DN of the user with a given CN.
        (cn=hnordstr => dn=cn=hnordstr,ou=people,ou=proxy,o=org)

Step 2:
        Search for the group where the user's DN is a member of.

At least the user object can be located anywhere in the tree. That's
great. However I do not seem to be able to search for a distinguished group
like 'dn=cn=proxy-porn,ou=groups,ou=proxy,o=org' because (and this is my
point) an LDAP search for a group by the complete DN does not work.

I can search (in step 2) for any group which matches 'cn=proxy-porn'.
But imagine that we have a huge directory. Then any admin would be able
to insert a group "proxy-porn" anywhere in the tree and then get
permissions.

What I would like to have is something like:

squid_ldap_group -b o=org -F '(&(objectclass=person)(cn=%s))'
-f '(&(objectclass=groupofnames)(member=%u)(dn=cn=%g,ou=groups,ou=proxy,o=org)'
-D ... -w ... -h ...

In common words: make sure the user is in a group below
ou=groups,ou=proxy,o=org. Unfortunately the (dn=cn=%d,ou=groups,...)
does not work. It looks like LDAP cannot search for the "dn" attribute.

It only works when I use
... -f '(&(objectclass=groupofnames)(member=%u)(cn=%g))' ...

Please bear with me if this is an LDAP thingy. We have already worked
out a solution based on the "groupMembership" property which Novell
NetWare uses. However I would like to know a more general solution for
use with other LDAP directories like OpenLDAP which does not know the
groupMembership attribute.

I hope I made myself a bit clear. LDAP issues are a little tricky.

 Christoph

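The two-step lookup and the scoping problem described in the message above, as an added example that is not from the post or from squid_ldap_group: a constructed in-memory directory and a Python check that restricts step 2 to a group base DN instead of a "dn=" filter term (which LDAP filters do not support). The sample entries, the simplified DN normalisation and the function names are assumptions.

```python
# Constructed sample directory: dn -> attributes. A second "proxy-porn"
# group has been planted outside ou=groups,ou=proxy,o=org, which a plain
# (cn=%g) filter over the whole tree would happily accept.
DIRECTORY = {
    "cn=hnordstr,ou=people,ou=proxy,o=org": {
        "objectclass": ["person"], "cn": ["hnordstr"]},
    "cn=chaas,ou=people,ou=proxy,o=org": {
        "objectclass": ["person"], "cn": ["chaas"]},
    "cn=proxy-porn,ou=groups,ou=proxy,o=org": {
        "objectclass": ["groupofnames"], "cn": ["proxy-porn"],
        "member": ["cn=hnordstr,ou=people,ou=proxy,o=org"]},
    "cn=proxy-porn,ou=sales,ou=berlin,o=org": {   # planted elsewhere
        "objectclass": ["groupofnames"], "cn": ["proxy-porn"],
        "member": ["cn=chaas,ou=people,ou=proxy,o=org"]},
}

def _norm(dn):
    """Simplified DN normalisation (assumption): lower-cased, stripped RDNs."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def _under_base(dn, base):
    """True if dn equals base or lies below it in the tree."""
    d, b = _norm(dn), _norm(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def find_user_dn(user_cn, base="o=org"):
    """Step 1: locate the user's DN by cn anywhere below base."""
    for dn, attrs in DIRECTORY.items():
        if (_under_base(dn, base) and "person" in attrs["objectclass"]
                and user_cn in attrs["cn"]):
            return dn
    return None

def user_in_group(user_cn, group_cn, group_base):
    """Step 2: match groupofnames entries with member=%u and cn=%g, but only
    below group_base; this is the scoping a dn= filter term cannot provide."""
    user_dn = find_user_dn(user_cn)
    if user_dn is None:
        return False
    for dn, attrs in DIRECTORY.items():
        if not _under_base(dn, group_base):
            continue                    # groups outside the base are ignored
        if ("groupofnames" in attrs["objectclass"] and group_cn in attrs["cn"]
                and _norm(user_dn) in [_norm(m) for m in attrs["member"]]):
            return True
    return False
```

With group_base set to o=org the planted group grants chaas membership; with ou=groups,ou=proxy,o=org it does not.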
Received on Fri May 09 2003 - 05:28:27 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:16:29 MST