Re: [squid-users] Using squid_ldap_group

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 2 Sep 2003 09:55:32 +0200

On Monday 01 September 2003 22.26, Fernando Maior wrote:

> I am using a number of files and other hacking in
> order to have those goals accomplished, because
> Conectiva Linux 9 does not provide a Squid rpm
> with squid_ldap_group compiled in.

You could just compile squid_ldap_group separately if you need it..

> --FOR LDAP_AUTH--
> auth_param basic program /usr/lib/squid/squid_ldap_auth -h
> ldap.intranet.dasa -b "ou=Users,o=DASA" -f
> "(&(internetAccess=enabled)(uid=%s))"

> --FOR LDAP_GROUP--
> external_acl_type LdapGroup %LOGIN /usr/lib/squid/squid_ldap_group
> -b ou=Groups,o=DASA -f (&(cn=%a)(memberUid=%v))

> I already have groups UL1..8 created on ou=Groups,o=DASA, and
> my test users are placed in the memberUid correctly. Also,
> I proceeded with tests in command line using squid_ldap_group
> until I became confident using it. From my point of view,
> ldapsearch is running as expected and squid_ldap_group the
> same.

If you have verified squid_ldap_group operation from the command line
then it should work fine from within Squid. There is no reason not to
and I see no error in your squid.conf lines.

Verify that the squid.conf line matches what you used when testing
from the command line.

Also, what input data did you use when testing from the command line?
I never remember which one was which of %a and %v and if you needed
to use "group<space>login<newline>" from the command line instead of
the correct "user<space>group<newline>" then the two have been
exchanged. It is better to use the %g and %u codes of the current
helper as then their meaning is more obvious..

> Question:
> What are the parameters squid passes to squid_ldap_group?

The command line parameters are defined in the external_acl_type
command line after the program.

The input data is the format fields before the command line, followed
by any data from the acl line.

> acl Level1 external LdapGroup UL1
>
> will squid pass UL1 as the second parameter (group) to
> squid_ldap_group?

Yes.

> If I have six groups (UL1 thru UL6) is it correct to
> use the acl below to identify which group one pertains to?
>
> acl Level1 external LdapGroup UL1
> acl Level1 external LdapGroup UL2

Not sure if the above will work. Not tested.

acl Level1 external LdapGroup UL1 UL2 UL3 ...

should work unless you have very many groups, but it is preferable if
you can create a single group in the LDAP directory.

> How can I control (is it possible?) the number of
> squid_ldap_group helper processes started automatically
> by squid?

See the external_acl_type documentation in squid.conf.default. How to
do this differs between Squid-2.5 and Squid-3.

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Tue Sep 02 2003 - 01:57:38 MDT
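
Added example, not part of the original message and not Squid's own code: a stand-in helper that shows the input line described above (the %LOGIN field first, then the arguments from the acl line) and the one-line OK/ERR reply an external ACL helper gives. The group table, the user names and all function names are constructed for illustration, and names are assumed to contain no whitespace.

```python
import io

# Constructed sample directory: group cn -> memberUid values (not from the post).
GROUPS = {"UL1": {"alice"}, "UL2": {"bob"}, "UL3": set()}


def squid_request(login, acl_args):
    """Line Squid writes to the helper: the %LOGIN field, then the acl arguments."""
    return " ".join([login, *acl_args]) + "\n"


def is_member(user, group):
    """Stand-in for the LDAP search the real helper performs."""
    return user in GROUPS.get(group, set())


def answer(line):
    """Return OK if the user is in any group listed on the line, otherwise ERR."""
    fields = line.split()
    if len(fields) < 2:              # need a user and at least one group
        return "ERR"
    user, groups = fields[0], fields[1:]
    return "OK" if any(is_member(user, g) for g in groups) else "ERR"


def run_helper(stdin, stdout):
    """Helper main loop: one request line in, one reply line out."""
    for line in stdin:
        stdout.write(answer(line) + "\n")
        stdout.flush()               # Squid waits for each reply


if __name__ == "__main__":
    requests = [
        squid_request("alice", ["UL1"]),                # acl Level1 external LdapGroup UL1
        squid_request("bob", ["UL1", "UL2", "UL3"]),    # several groups on one acl line
        squid_request("carol", ["UL1", "UL2", "UL3"]),  # member of none of them
        "UL1 alice\n",                                  # group and user exchanged
    ]
    out = io.StringIO()
    run_helper(io.StringIO("".join(requests)), out)
    for req, res in zip(requests, out.getvalue().splitlines()):
        print(f"{req.strip():<20} -> {res}")
```

Feeding the same "user group" lines to the real squid_ldap_group on its standard input is the command-line test discussed in the message; a line with the two fields exchanged comes back ERR even for a valid member.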