RE: [squid-users] Squid + MSAD.

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 20 Feb 2004 14:16:40 +0100 (CET)

On Fri, 20 Feb 2004, Ampugnani, Fernando wrote:

> Hi Henrik,
> In squid_ldap_auth the filter as I configure looks like...
>
> -f "(&(sAMAccountName=%u)(object-Class=user))"
>
> is ok?

Almost. You need to use %s for the username in user filters and there is
no - in objectClass.

It is only in group filters to squid_ldap_group that %u is
used for the username.

Other than this it looks ok even if I would use the more general
objectClass=Person.

> How many ways of configuring it are there? In the man page I didn't find many
> variants of this.

There are as many ways as there are LDAP directories and tastes in how to
organise the LDAP structure.

The main problem is that there is no globally accepted standard on which
LDAP attribute the login name should be stored into.

Microsoft uses sAMAccountName (Pre-2000 login name alone) and
userPrincipalName (ADS login name including ADS domain name).

Most of the rest of the world uses uid.

Some use other attributes.

Some have the login attribute in the DN of the user object to uniquely
identify user objects by their login name. This is quite commonly the case
when uid is used for the login name, but not always the case.

Some (such as ADS) have the common name in the DN instead of using the
login name.

Personally I prefer having the login name in the DN as this is less likely
to change over time than the human name of the person. Changing the DN of
an existing object is a very complex operation as all references to this
object in all related LDAP directories need to be updated.

Regards
Henrik
Received on Fri Feb 20 2004 - 06:16:44 MST
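An added example, not squid's own code and not part of the thread: it shows how the corrected squid_ldap_auth user filter from the reply expands once %s is replaced by the login name, with the name escaped per RFC 4515 so a supplied value cannot alter the filter's structure. The helpers `escape_filter_value`, `check_filter_template` and `render_user_filter` are hypothetical names chosen for this illustration.

```python
# Added example (not squid's own code): expands a squid_ldap_auth -f user
# filter template the way the reply describes (%s is the login name) and
# escapes the value per RFC 4515 section 3 before substituting it.

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe placement inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_filter_template(template: str) -> None:
    """Reject templates that cannot work as a squid_ldap_auth user filter."""
    if "%s" not in template:
        # As the reply explains, %u belongs to squid_ldap_group filters; a user
        # filter without %s never receives the login name at all.
        raise ValueError("user filter needs %s as the login-name placeholder")
    depth = 0
    for ch in template:
        depth += ch == "("
        depth -= ch == ")"
        if depth < 0:
            break
    if depth != 0:
        raise ValueError("unbalanced parentheses in filter template")


def render_user_filter(template: str, login: str) -> str:
    """Validate the template, then substitute the escaped login name for %s."""
    check_filter_template(template)
    return template.replace("%s", escape_filter_value(login))


# Constructed sample: the corrected filter from the reply and two test logins.
AD_USER_FILTER = "(&(sAMAccountName=%s)(objectClass=Person))"

if __name__ == "__main__":
    print(render_user_filter(AD_USER_FILTER, "fernando"))
    # A login containing filter metacharacters stays a single escaped value.
    print(render_user_filter(AD_USER_FILTER, "fer*nando)"))
```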
