Re: [squid-users] Squid_ldap_auth with groups

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 24 Feb 2004 09:58:22 +0100 (CET)

On Tue, 24 Feb 2004, Dave Raven wrote:

> I have my ldap auth working with users and all now, and -f
> sAMAccountName=%s works perfect, but I need to also check that the user is a
> member of iNet Users.

This is best done by combining squid_ldap_auth and squid_ldap_group.

> Now my first guess is that maybe its not working
> because I don't have quotes around iNet users - but I can't get it to accept
> them anyway.. Is this the right way to do what I'm trying to?
>
> /usr/local/libexec/ldap_auth -b OU=Users,OU=******,DC=*****,DC=co,DC=za -h
> 10.9.9.5 -D CN="Proxy User",OU=Users,OU=Phalaborwa,DC=foskor,DC=co,DC=za -w
> proxy2004 -f "(&(sAMAccountName=%s)(memberOf=CN=iNet Users,OU=Groups,OU=*****,DC=****,DC=co,DC=za))"

Looks good to me, but you may want to change password on your Proxy User..

Verify with ldapsearch that the memberOf attribute exists and contains
what you expect.

Or use squid_ldap_group and do the lookup in the opposite normal way.
squid_ldap_group looks if the user object is member of the group object,
not if the user object claims to be member of the group object. Using
squid_ldap_group also has the added benefit that you can easily add other
group based permissions later on if so should be required.

Regards
Henrik
Received on Tue Feb 24 2004 - 01:58:31 MST
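The two membership checks Henrik contrasts above, as an added example that is not part of the thread and not Squid's own helper code: an in-memory model of a small directory with a constructed user and group set (placeholder DNs, no real server contacted) against which the memberOf-based `-f` filter from the question and a group-side `member` lookup of the squid_ldap_group kind are both run. The `%s` substitution escapes the login name per RFC 4515 before it enters the filter, so a login containing `*` or parentheses is matched literally rather than treated as filter syntax; all function and attribute names below are the example's own assumptions.

```python
import re

# Constructed sample directory (DN -> attributes); every DN here is a placeholder.
BASE_DN = "OU=Users,DC=example,DC=co,DC=za"
GROUP_DN = "CN=iNet Users,OU=Groups,DC=example,DC=co,DC=za"
ALICE_DN = "CN=alice," + BASE_DN
DIRECTORY = {
    ALICE_DN: {"sAMAccountName": ["alice"], "memberOf": [GROUP_DN]},
    "CN=bob," + BASE_DN: {"sAMAccountName": ["bob"], "memberOf": []},
    # carol's own entry claims membership, but the group entry does not list her
    "CN=carol," + BASE_DN: {"sAMAccountName": ["carol"], "memberOf": [GROUP_DN]},
    GROUP_DN: {"member": [ALICE_DN]},
}

# The -f filter shape from the thread, with the site DN replaced by the placeholder above.
FILTER_TEMPLATE = "(&(sAMAccountName=%s)(memberOf=" + GROUP_DN + "))"


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so a
    login such as '*' is matched literally instead of parsed as filter syntax."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Parse the filter subset used here: (&...) and (attr=value)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    if s[i + 1] == "&":
        i += 2
        kids = []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated AND at %d" % i)
        return ("and", kids), i + 1
    j = s.index(")", i)          # escaped values never contain a raw ')'
    attr, _, val = s[i + 1:j].partition("=")
    return ("eq", attr, _unescape(val)), j + 1


def _matches(node, entry):
    if node[0] == "and":
        return all(_matches(k, entry) for k in node[1])
    _, attr, val = node
    # case-insensitive (caseIgnore-style) comparison, as assumed for these attributes
    return val.lower() in (v.lower() for v in entry.get(attr, []))


def search(directory, base_dn, filt):
    """Return the DNs under base_dn whose entries match the filter string."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing data in filter")
    base = base_dn.lower()
    return [dn for dn, entry in directory.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and _matches(node, entry)]


def auth_filter_allows(username):
    """squid_ldap_auth style: substitute the login for %s and require exactly
    one hit. Trusts the memberOf attribute carried on the user entry."""
    filt = FILTER_TEMPLATE.replace("%s", escape_filter_value(username))
    return len(search(DIRECTORY, BASE_DN, filt)) == 1


def group_lists_user(username):
    """squid_ldap_group style: resolve the user's DN, then ask the group entry
    whether its member attribute lists that DN."""
    hits = search(DIRECTORY, BASE_DN,
                  "(sAMAccountName=%s)" % escape_filter_value(username))
    if len(hits) != 1:
        return False
    members = DIRECTORY.get(GROUP_DN, {}).get("member", [])
    return hits[0].lower() in (m.lower() for m in members)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "*"):
        print("%-6s memberOf-filter=%-5s group-member=%s"
              % (user, auth_filter_allows(user), group_lists_user(user)))
```

The constructed "carol" entry is the case the reply warns about: her user object claims membership, so the memberOf filter admits her, while the group-side check does not because the group entry never lists her DN. The `*` login shows why the substituted value must be escaped before it reaches the filter.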
