Re: [squid-users] RE: ldap group

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 09 May 2003 14:26:27 +0200

Fri 2003-05-09 at 13:28, Christoph Haas wrote:

> At least the user object can be located anywhere in the tree. That's
> great. However I do not seem to be able to search for a distinguished group
> like 'dn=cn=proxy-porn,ou=groups,ou=proxy,o=org' because (and this is my
> point) an LDAP search for a group by the complete DN does not work.

The helper is not designed for using explicit group DN names, but only
simple group names.

Depending on your LDAP server you might be able to search based on the
virtual "dn" attribute if you want to specify group names by full DN,
but most do not support searches on the DN attribute.

Adding an option to squid_ldap_group telling it that the supplied group
names are full DNs is not very hard.

Another option is to have your groups structured in a limited part of
your LDAP tree, and specify this as base dn for squid_ldap_group. This
is probably preferred.

> In common words: make sure the user is in a group below
> ou=groups,ou=proxy,o=org. Unfortunately the (dn=cn=%d,ou=groups,...)
> does not work. It looks like LDAP cannot search for the "dn" attribute.

This you do by specifying a base dn of "ou=groups,ou=proxy,o=org" to
squid_ldap_group. This way it will not look outside
ou=groups,ou=proxy,o=org.

The base DN to an LDAP application can be anything below your directory
root dn, and any searches performed will only match objects below the
specified base dn (including the base dn itself). The root dn should
only be used if you want searches to cover the whole directory.

This is why squid_ldap_group has two different base dn configuration
options. One specifies the base dn for user searches, the other for
group searches.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions are only answered
for a fee or as part of a commercial Squid support contract.
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Fri May 09 2003 - 06:26:36 MDT
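
The scoping behaviour described in the message above, as an added Python illustration (not part of the original message and not the helper's own code). It models a subtree search over a constructed in-memory directory; the function names, the sample entries and the filter form (&(cn=GROUP)(member=USERDN)) are assumptions made for the example, and DN parsing is simplified (no escaped commas).

```python
# Added illustration: models LDAP subtree scope in memory; no server is contacted.

def parse_dn(dn):
    """Split a DN into normalized RDN tuples (simplified: no escaped commas)."""
    return [tuple(part.strip().lower() for part in rdn.split("=", 1))
            for rdn in dn.split(",") if rdn.strip()]

def in_subtree(dn, base):
    """True if dn is the base entry itself or lies below it (whole-RDN match)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def search_groups(directory, base, group, user_dn):
    """Emulate a subtree search for (&(cn=group)(member=user_dn)) under base."""
    want = parse_dn(user_dn)
    return [dn for dn, attrs in directory.items()
            if in_subtree(dn, base)
            and attrs.get("cn", "").lower() == group.lower()
            and any(parse_dn(m) == want for m in attrs.get("member", []))]

def is_member(directory, base, group, user_dn):
    """Group check as the helper would answer it for a simple group name."""
    return bool(search_groups(directory, base, group, user_dn))

# Constructed sample directory: two groups share the simple name "proxy-porn".
DIRECTORY = {
    "cn=proxy-porn,ou=groups,ou=proxy,o=org": {
        "cn": "proxy-porn", "member": ["uid=alice,ou=people,o=org"]},
    "cn=proxy-porn,ou=groups,ou=mail,o=org": {
        "cn": "proxy-porn", "member": ["uid=bob,ou=staff,ou=people,o=org"]},
    "uid=alice,ou=people,o=org": {"cn": "Alice"},
    "uid=bob,ou=staff,ou=people,o=org": {"cn": "Bob"},
}

GROUP_BASE = "ou=groups,ou=proxy,o=org"  # restricted group base dn
ROOT_BASE = "o=org"                      # directory root dn
ALICE = "uid=alice,ou=people,o=org"
BOB = "uid=bob,ou=staff,ou=people,o=org"

if __name__ == "__main__":
    for base in (GROUP_BASE, ROOT_BASE):
        for user in (ALICE, BOB):
            hits = search_groups(DIRECTORY, base, "proxy-porn", user)
            print(f"base={base!r} user={user!r} -> {hits}")
```

With the root dn as group base, bob passes the check through the unrelated group under ou=mail; with the restricted base he does not, while alice is still found wherever her user entry sits because the user search has its own base.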
