Re: [squid-users] Problem with squid_ldap_auth

From: Martijn Moret <martijn@dont-contact.us>
Date: Mon, 12 Jul 2004 15:38:49 +0200 (CEST)

> Hi,
>
> I have a problem with squid_ldap_auth.
> I use it to authorize against M$-AD, no problems so far.
> It all works with the following:
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "OU=Gebruikers,DC=domain,DC=org" -s sub -D "cn=administrator,ou=beheer,dc=domain,dc=org" -w "password" -h server -p 389 -v 3 -f sAMAccountName=%s
>
> Now I also want to check if the user is a member of an AD group, so I did
> the following:
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "OU=Gebruikers,DC=domain,DC=org" -s sub -D "cn=administrator,ou=beheer,dc=domain,dc=org" -w "password" -h server -f "(&(sAMAccountName=%s)(memberOf=CN=Internet-Users,OU=Gebruikers Groepen,OU=Gebruikers,DC=domain,DC=org))"
>
> This works great from the command line: a user who is a member gets OK
> and if you are not a member it shows ERR. This is what I want.
> I just can't get it to work from within squid. In the cache.log the
> following line appears when authenticating:
> squid_ldap_auth: WARNING, LDAP search error 'Bad search filter'
>
> I'm using squid/2.5.STABLE4 on Solaris 9.
>
> Any help??
>
> Regards
> Martijn
>
I solved the problem by creating a wrapper around the squid_ldap_auth, as
the space in the OU "Gebruikers Groepen" will not parse (IMHO).
The entry in squid.conf is now as follows:
auth_param basic program /usr/local/squid/libexec/wrapper_ldap_auth.sh

And the wrapper itself:
#!/usr/bin/ksh
# The helper is started with the same arguments as before; line continuations
# keep the command on one logical line and the filter stays a single quoted word.
/usr/local/squid/libexec/squid_ldap_auth -b \
"OU=Gebruikers,DC=domain,DC=org" -s sub -D \
"cn=administrator,ou=beheer,dc=domain,dc=org" -w "password" -h server -f \
"(&(sAMAccountName=%s)(memberOf=CN=Internet-Users,OU=Gebruikers Groepen,OU=Gebruikers,DC=domain,DC=org))"

I know you should check for a member in a group instead of a group in a
member, but in AD the CN is mapped as a member and we use the sAMAccountName...

Greetz
Martijn
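A wrapper in the same spirit, added here as an example and not the poster's script: it builds the group-membership filter from its parts, escapes the RFC 4515 special characters in the group DN so a group or OU name containing `(`, `)`, `*` or `\` cannot break the filter, and `exec`s the helper so squid talks to it directly over stdin/stdout. The `-W` secret-file option, the paths, the DNs and the `GROUP_DN` name are assumptions or placeholders.

```shell
#!/bin/sh
# Example wrapper for squid_ldap_auth (added example, not the original poster's
# script). Paths and DNs are placeholders; adjust them to the local directory.

# Escape the RFC 4515 filter metacharacters in an assertion value.
# Backslash is handled first so the escapes added afterwards are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# Compose the filter. The literal %s is left in place for squid_ldap_auth,
# which substitutes the login name itself. Spaces, as in "Gebruikers Groepen",
# are legal inside a filter value and need no escaping.
build_filter() {
    printf '(&(sAMAccountName=%%s)(memberOf=%s))' "$(ldap_filter_escape "$1")"
}

GROUP_DN='CN=Internet-Users,OU=Gebruikers Groepen,OU=Gebruikers,DC=domain,DC=org'

# Only start the helper when invoked under the wrapper's own name (as squid
# does); sourcing or running the file under another name just defines the
# functions above.
case "$0" in
    *wrapper_ldap_auth.sh)
        # -W reads the bind password from a root-only file instead of putting
        # it on the command line (assumed to be available in this helper build;
        # fall back to -w "password" as in the original if it is not).
        exec /usr/local/squid/libexec/squid_ldap_auth \
            -b "OU=Gebruikers,DC=domain,DC=org" -s sub \
            -D "cn=administrator,ou=beheer,dc=domain,dc=org" \
            -W /usr/local/squid/etc/ldap_bind.secret \
            -h server -p 389 -v 3 \
            -f "$(build_filter "$GROUP_DN")"
        ;;
esac
```

Install it as /usr/local/squid/libexec/wrapper_ldap_auth.sh and test it the way the poster did, by feeding `user password` lines on stdin and checking for OK or ERR.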
Received on Mon Jul 12 2004 - 07:38:51 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Aug 01 2004 - 12:00:01 MDT