Re: [squid-users] squid_ldap_group problem

From: <lists@dont-contact.us>
Date: Sun, 04 Apr 2004 18:04:58 +0200

first: thanks, now it works as expected.

there is only one "problem" left. when i change a ldap group and the user
reauthenticates immediately, the old state is kept. when i reload squid the
new state is used immediately. i think that's because of some kind of caching
of the credentials. it's not a real problem, as i know what to do to "work it
around". as i think that caching the credentials is a good feature to
reduce ldap traffic, i'm anyway curious for how long they are cached and if
i can change the timeout.

--On Sunday, April 04, 2004 02:02:03 +0200 Henrik Nordstrom
<hno@squid-cache.org> wrote:

| On Sat, 3 Apr 2004 lists@mhcsoftware.de wrote:
|
| > the relevant parts of my squid.conf look like this:
| >
| > ----
| > auth_param basic program /usr/lib/squid/ldap_auth -b
| > ou=people,dc=mhcsoftware,dc=de localhost
| > auth_param basic children 5
| > auth_param basic realm Squid proxy-caching web server
| > auth_param basic credentialsttl 2 hours
|
| Needed. This defines authentication.

ok, so i was right. :-)

| > external_acl_type ldap %LOGIN /usr/lib/squid/squid_ldap_group
| > -b "ou=groups,dc=mhcsoftware,dc=de"
| > -f "(&(memberUid=%v)(cn=%a)(objectClass=posixGroup))"
| > -B "ou=people,dc=mhcsoftware,dc=de"
| > -F "(uid=%s)"
|
| Needed. This defines how Squid is to evaluate LDAP group based
| authorization (not authentication). But the arguments do not match your
| squid_ldap_auth.
|
| As you are not using a user filter in squid_ldap_auth you should not do
| so in squid_ldap_group either.. just make the exact group membership
| filter matching groups where the login name is member. Most likely you
| should just drop the user filter (and basedn) arguments here but it
| depends on what your group objects look like. I would recommend playing
| a little with ldapsearch.
|
| Note: You are using a very old and obsolete group filter syntax. The
| current versions of the squid_ldap_group helper uses %g and %u for group
| and user respectively (but still understands the older %a %v codes).

done - it now looks like this:

external_acl_type ldap %LOGIN /usr/lib/squid/squid_ldap_group
-b "ou=groups,dc=mhcsoftware,dc=de"
-f "(&(memberUid=%u)(cn=%g)(objectClass=posixGroup))"

and it works as expected !!

| > acl ldapauth proxy_auth REQUIRED
|
| This is only needed if you really want to base access controls on "all
| authenticated users".

that's what i want

| > acl ldapGauth external ldap squid
|
| Normally this one is sufficient when using LDAP groups..

i will test this, but at my first test no u/p window popped up at the
browser with only that acl. but i can't remember if i already activated
ldap_auth at that time.

| > http_access allow ldapGauth
|
| Ok.
|
| > this seems to work, as i can do a corresponding ldapsearch without any
| > problem. then it tries the group lookup:
| >
| > Apr 3 15:50:30 server slapd[20926]: conn=32 op=1 SRCH
| > base="ou=groups,dc=mhcsoftware,dc=de" scope=2
| > filter="(&(memberUid=uid=test,ou=people,dc=mhcsoftware,dc=de)(cn=squid)
| > (objectClass=posixGroup))"
| >
| > and i think that's the problem. when i try this as a ldapsearch i get no
| > result. but when i search for:
| >
| > (&(memberUid=test)(cn=squid)(objectClass=posixGroup))
|
| Ok, so you are not using normal LDAP groups but instead another form of
| groups stored within LDAP... See above for the solution.

well, as i'm new to ldap i'm using <http://lam.sf.net/> and that's the way
it creates groups. don't know why. i guess, "normal" LDAP group member
entries look like this:

memberUid=uid=test,ou=people,dc=mhcsoftware,dc=de

and NOT only like this:

memberUid=test

right? and perhaps that's the better way, because with that users are
identified with a (more or less) unique pattern. in larger environments
"my" (better lam's) notification may be ambiguous. i think i start to
understand ldap ...

| > i get the expected result. well and that filter is what i would expect
| > when i look at my "squid_ldap_group" commandline. i do not understand
| > why it uses "memberUid=uid=test,ou=people,dc=mhcsoftware,dc=de"
| > instead of what's configured on the command line: "memberUid=test"
|
| This is done because you told squid_ldap_group to expand the login name
| into the users DN via the group filter argument. See the squid_ldap_group
| manual.

ah, i see ....

-f filter
    LDAP search filter used to search the LDAP directory for any matching
    group memberships. In the filter %u will be replaced by the user login
    name (or DN if the -F or -u options are used) and %g by the requested
    group name.

best regards and again: THANKS !!

-- 
Matthias Henze                matthias@mhcsoftware.de
Use PGP!! http://www.mhcsoftware.de/MatthiasHenze.asc
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
MHC SoftWare GmbH          voice: +49-(0)9533-92006-0
Fichtera 17                  fax: +49-(0)9533-92006-6
96274 Itzgrund/Germany    e-Mail: info@mhcsoftware.de
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Received on Sun Apr 04 2004 - 03:04:43 MDT
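The filter expansion discussed in this thread, modelled as an added Python example (not the squid_ldap_group helper's own code): the -f template is expanded with %u/%g (or the legacy %v/%a), the user token is either the plain login name or, when -F/-u are in play, the DN the user filter resolved, and each substituted value is escaped per RFC 4515 so a login name can never alter the filter's structure. The directory lookup (USER_DNS), the posixGroup entry and all function names are constructed for the example.

```python
import re

# RFC 4515 escaping for values substituted into an LDAP search filter; a login
# like  test)(uid=*  must not be able to change the filter's structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# Constructed stand-in for the user search: what "-B ou=people,... -F (uid=%s)"
# from the thread would resolve a login name to.
USER_DNS = {"test": "uid=test,ou=people,dc=mhcsoftware,dc=de"}


def expand_group_filter(template, login, group, resolve_dn=False):
    """Expand a squid_ldap_group -f template (hypothetical model).

    %u / %v -> login name, or the user's DN when resolve_dn is True (models
    passing -F/-u); %g / %a -> requested group name. Returns None when the
    DN lookup finds no user, i.e. the group check cannot succeed.
    """
    if resolve_dn:
        if login not in USER_DNS:
            return None
        user = USER_DNS[login]
    else:
        user = login
    subst = {"%u": user, "%v": user, "%g": group, "%a": group}
    return re.sub(r"%[uvga]", lambda m: ldap_filter_escape(subst[m.group(0)]), template)


# Constructed posixGroup entry as LAM creates it: memberUid holds bare uids.
SQUID_GROUP = {"cn": "squid", "objectClass": "posixGroup", "memberUid": ["test"]}


def matches_posix_group(entry, login, group, resolve_dn=False):
    """Evaluate the (&(memberUid=..)(cn=..)(objectClass=posixGroup)) filter
    against one entry, using the same user token the expansion substitutes."""
    if resolve_dn and login not in USER_DNS:
        return False
    user = USER_DNS[login] if resolve_dn else login
    return (entry["cn"] == group and entry["objectClass"] == "posixGroup"
            and user in entry["memberUid"])
```

With resolve_dn=True the expansion reproduces exactly the filter seen in the slapd log, which cannot match a bare memberUid=test value; without it the filter matches, as the thread concludes.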
