Re: [squid-users] unable to do access control using squid_ldap_group

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 29 Apr 2004 00:37:35 +0200 (CEST)

On Wed, 28 Apr 2004, Sureen L wrote:

> dn: cn=Mur,cn=Users,dc=mydomain,dc=com
> cn: Mur
> uid: mur
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> userPassword: {SHA}dmMt8K4+dyKZqGTt90RZD4k=

> dn: cn=zen, cn=WebAccess,cn=Users,dc=mydomain,dc=com
> cn: zen
> uid: zen
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> userPassword: {SHA}3dmMt8K4+dyKZqGTt90RZD4k=

>
> The tree struture of the above ldif file is
>
> |--dc=com
> |--dc=mydomain
> |--cn=Manager
> |--cn=Users
> |--cn=Mur
> |--cn=WebAccess
> |--cn=zen

> I authenticated all the users who present both in Users and also in
> WebAccess Group, since user Mur is present inside the "User" he needs to
> have access only to certain set of web sites and the user zen who is
> present inside "WebAccess" can access all web sites. To do this access
> control I did a group authentication and tried using the following
> options in squid_ldap_group
>
> external_acl_type ldap_group %LOGIN
> /usr/local/squid/libexec/squid_ldap_group -s sub -b
> "cn=WebAccess,dc=mydomain,dc=com" -h localhost -f
> "(cn=%a)"

Your ldif says zen is in "cn=WebAccess,cn=Users,dc=mydomain,dc=com" so he
will also be matched by the above unless you set the search scope to
"one".

I think you will find life a lot easier if you define your users in one
single location in the tree and then use groups to give different users
different permissions. This is after all what the group objects
(groupOfUniqueNames) is intended for in LDAP.

But if your users are truly of different class and have no relation to
each other, and no user will need to change status without having his
account completely recreated then using ou:s is also fine, but it becomes
a bit more difficult to use squid_ldap_group then as this is designed for
group objects, not tree location matching.

Regards
Henrik
Received on Wed Apr 28 2004 - 16:37:37 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:03 MDT