RE: AW: AW: AW: [squid-users] squid_ldap_group authentication against Active Directory

From: Keppner, Christoph <keppner@dont-contact.us>
Date: Sat, 20 Dec 2003 21:34:14 +0100

Still not working...

Is there maybe a problem with the order of the ACLs? I don't think so,
because if I remove Mitarbeiter from the http_access line, access is granted
to all users with a valid password...

When I search with ldapsearch and the filter (objectClass=groupOfNames), nothing
is returned. Is there a possibility to test squid_ldap_group from the
command line? Or can I somehow print the values of %g, %u or %s?

Regards
Christoph

P.S. Here is a snip of my squid.conf:
.
.
.
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b dc=dhc-gmbh,dc=com -D keppner@dhc-gmbh.com -w SeCrEt -f "(&(cn=%g)(member=%u)(objectClass=groupOfNames))" -F "(sAMAccountName=%s)" -h 192.168.38.10 -p 389
.
.
.
acl dhc src 192.168.38.0/255.255.255.0
# only Members of group 'Mitarbeiter' may access internet
acl Mitarbeiter external ldap_group Mitarbeiter
acl password proxy_auth REQUIRED
.
.
.
# Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
#
# We strongly recommend to uncomment the following to protect innocent
# web applications running on the proxy server who think that the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

http_access allow password dhc Mitarbeiter

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Saturday, December 20, 2003 8:38 PM
To: Keppner, Christoph
Cc: 'squid-users@squid-cache.org'
Subject: RE: AW: AW: AW: [squid-users] squid_ldap_group authentication against Active Directory

On Sat, 20 Dec 2003, Keppner, Christoph wrote:

> This is my squid_ldap_group - command in squid.conf
>
> external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b
> dc=dhc-gmbh,dc=com -D keppner@dhc-gmbh.com -w SeCrEt -f
> "(&(cn=Mitarbeiter)(member=uid=%u)) -F (sAMAccountName=%s) -h 192.168.42.10
> -p 389

The -f argument should be
  -f "(&(cn=%g)(member=%u)(objectClass=groupOfNames))"

The username has already been expanded into a full DN by the -F filter,
and you want to be able to reuse the same external_acl_type for different
group matches via the acl directive.

Regards
Henrik
Received on Sat Dec 20 2003 - 13:34:18 MST

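One way to answer the two questions in Christoph's post (driving squid_ldap_group by hand, and seeing what %s, %g and %u actually expand to), as an added example that is not part of the original thread and not code from Squid itself. It takes the helper path, bind DN, host and the two filter templates from the posted squid.conf; the login "keppner", the sample DN and the expectation that the bind password is supplied via the BINDPW environment variable are assumptions of the example. The filter expansion is done in plain POSIX sh so it runs offline; the helper and ldapsearch are only invoked when the script is started with the argument "live".

```shell
#!/bin/sh
# Added example, not from the original post or from the Squid project.
# Reproduces the %s/%g/%u substitution squid_ldap_group performs (so the
# filters can be inspected offline) and then drives the real helper the way
# squid does: one "login group" line on stdin, one OK/ERR line on stdout.
# Assumed, not stated on the page: the login "keppner", SAMPLE_DN, and that
# the bind password arrives in $BINDPW instead of being written into a file.

HELPER=/usr/lib/squid/squid_ldap_group
LDAPHOST=192.168.38.10
BASE='dc=dhc-gmbh,dc=com'
BINDDN='keppner@dhc-gmbh.com'
USERFILTER='(sAMAccountName=%s)'
GROUPFILTER='(&(cn=%g)(member=%u)(objectClass=groupOfNames))'

# subst STRING PATTERN REPLACEMENT: replace every literal occurrence of
# PATTERN in STRING (no regex, so DNs with commas, '=' or '&' are safe).
subst() {
    subst_s=$1 subst_pat=$2 subst_rep=$3 subst_out=
    while :; do
        case $subst_s in
            *"$subst_pat"*)
                subst_out=$subst_out${subst_s%%"$subst_pat"*}$subst_rep
                subst_s=${subst_s#*"$subst_pat"} ;;
            *)
                subst_out=$subst_out$subst_s
                break ;;
        esac
    done
    printf '%s\n' "$subst_out"
}

# -F template: %s is the login name squid hands over via %LOGIN.
expand_user_filter() {
    subst "$USERFILTER" %s "$1"
}

# -f template: %g is the group named on the "acl ... external ldap_group"
# line, %u is the DN returned by the -F user search, not the login name.
expand_group_filter() {
    subst "$(subst "$GROUPFILTER" %g "$1")" %u "$2"
}

# Feed the helper exactly what squid would send for
#   acl Mitarbeiter external ldap_group Mitarbeiter
# and read back OK or ERR.  -d turns on the helper's debug output on stderr
# (consult the manpage of your squid version for its exact flag set).
run_helper() {
    : "${BINDPW:?set BINDPW to the bind password of $BINDDN}"
    printf '%s %s\n' "$1" "$2" |
        "$HELPER" -d -b "$BASE" -D "$BINDDN" -w "$BINDPW" \
            -F "$USERFILTER" -f "$GROUPFILTER" -h "$LDAPHOST" -p 389
}

# Independent check: does an object with that cn exist, and which
# objectClass values does it carry?  Run without the objectClass term so
# the directory, not the filter, tells you what the group looks like.
show_group_object() {
    : "${BINDPW:?set BINDPW to the bind password of $BINDDN}"
    ldapsearch -x -LLL -H "ldap://$LDAPHOST" -D "$BINDDN" -w "$BINDPW" \
        -b "$BASE" "(cn=$1)" objectClass member
}

# Offline part: show the filters that would reach the directory.
SAMPLE_DN='CN=Christoph Keppner,OU=Users,DC=dhc-gmbh,DC=com'   # constructed
expand_user_filter keppner
expand_group_filter Mitarbeiter "$SAMPLE_DN"

# Live part, only on request: needs the helper binary and the DC.
if [ "${1:-}" = live ]; then
    show_group_object Mitarbeiter
    run_helper keppner Mitarbeiter
fi
```

Run it without arguments to see the expanded filters; with "live" it also talks to the domain controller. Two things the output makes visible that the thread's config does not: the helper only substitutes %u from the DN the -F search returned, so if (sAMAccountName=keppner) matches nothing, the group search is never issued at all and the answer is ERR regardless of the group filter; and the ldapsearch without the objectClass term shows which objectClass the group object really carries (in Active Directory that is "group", so a filter requiring groupOfNames cannot match an AD group). Separately, in the posted http_access order the line "http_access allow password dhc Mitarbeiter" sits above "http_access deny CONNECT !SSL_ports", so an authenticated group member may CONNECT to any port; moving the CONNECT deny above the allow, as in the stock configuration, closes that.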