Re: [squid-users] RE: ldap group

From: Christoph Haas <email@dont-contact.us>
Date: Fri, 9 May 2003 18:45:15 +0200

On Fri, May 09, 2003 at 02:26:27PM +0200, Henrik Nordstrom wrote:
> The helper is not designed for using explicit group DN names, but only
> simple group names.

No excuses... :)

> Another option is to have your groups structured in a limited part of
> your LDAP tree, and specify this as base dn for squid_ldap_group. This
> is probably preferred.

Admitted. We are using this method. This is a more plain approach.

By the way... we have just wasted half a day for another stupid problem
which you may find amusing. ;) We were used to writing apostrophe
characters around the filter condition like:

/usr/lib/squid/ldap_auth -b o=org -h novell1 -D ... -w ...
        -f '(&(objectclass=person)(cn=%s)'

This works well on the command line. But we had a hard time when we just
copy/pasted this into the squid.conf:

auth_param basic program /usr/lib/squid/ldap_auth -b o=org -h novell1
        -D ... -w ... -f '(&(objectclass=person)(cn=%s)'

Although from the command line it worked perfectly it always failed in
squid. The solution was simple and many won't find it worth complaining
about. Just remove the apostrophes like this:

auth_param basic program /usr/lib/squid/ldap_auth -b o=org -h novell1
        -D ... -w ... -f (&(objectclass=person)(cn=%s)

My explanation: the shell (bash in my case) obviously needs them.
Otherwise it would try to expand the braces and the ampersand. However
squid does not seem to to start a shell but rather call the command
directly. From a few more lines of debug output in put into the
ldap_squid_auth.c I could see that apostrophes are added to the
beginning and end of the filter query string anyway. So we found the
filter condition to become ''(&(...)'' and that failed.

Please correct me if I'm telling wrong. If there are more stupid people
like us it would make sense to check for double-quotes or apostrophes in
the search string.

> Donations welcome if you consider my Free Squid support helpful.

I will try to convince my boss to think about that or at least try to
help you with patches. :)

 Christoph 

-- 
~
~
".signature" [Modified] 3 lines --100%--                3,41         All
Received on Fri May 09 2003 - 10:45:19 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:16:30 MST