Re: [squid-users] Problem with squid_ldap_auth

From: Tim Neto <tneto@dont-contact.us>
Date: Mon, 12 Jul 2004 09:53:06 -0400

Hi,

Wouldn't a group LDAP check be required using squid_ldap_group?

Add some config lines like:

     external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h server -p 389 -P -b o=domain -F "uid=%s" -f "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

     acl proxy_group external ldap_group proxy

     http_access allow allowed_networks proxy_group

Something like this, in addition to user authentication, is what is
working here at KCL.

Tim

----------------------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer, Komatsu Canada Limited
1725B Sismet Road, Mississauga, Ontario, Canada L4W 1P9
Ph#: 905-625-6292 x265
Fax: 905-625-6348
E-Mail: tneto@komatsu.ca
----------------------------------------------------------------------

Martijn Moret wrote:

>>Hi,
>>
>>I have a problem with squid_ldap_auth.
>>I use it to authorize against M$-AD, no problems so far.
>>It all works with the following:
>>auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "OU=Gebruikers,DC=domain,DC=org" -s sub -D "cn=administrator,ou=beheer,dc=domain,dc=org" -w "password" -h server -p 389 -v 3 -f sAMAccountName=%s
>>
>>Now I also want to check if the user is a member of an AD group, so I did
>>the following:
>>auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "OU=Gebruikers,DC=domain,DC=org" -s sub -D "cn=administrator,ou=beheer,dc=domain,dc=org" -w "password" -h server -f "(&(sAMAccountName=%s)(memberOf=CN=Internet-Users,OU=Gebruikers Groepen,OU=Gebruikers,DC=domain,DC=org))"
>>
>>This works great from the command line: a user who is a member gets OK
>>and if you are not a member it shows ERR. This is what I want.
>>I just can't get it to work from within squid. In the cache.log the
>>following line appears when authenticating:
>>squid_ldap_auth: WARNING, LDAP search error 'Bad search filter'
>>
>>I'm using squid/2.5.STABLE4 on solaris 9.
>>
>>Any help??
>>
>>Regards
>>Martijn
>>
>>
>>
>I solved the problem by creating a wrapper around the squid_ldap_auth as
>the space in the OU "Gebruikers Groepen" will not parse (IMHO).
>The entry in squid.conf is now as follows:
>auth_param basic program /usr/local/squid/libexec/wrapper_ldap_auth.sh
>
>And the wrapper itself:
>#!/usr/bin/ksh
># exec so the helper replaces the shell and talks to Squid's stdin/stdout directly;
># the filter is one quoted argument here, space in the OU included.
>exec /usr/local/squid/libexec/squid_ldap_auth \
>    -b "OU=Gebruikers,DC=domain,DC=org" -s sub \
>    -D "cn=administrator,ou=beheer,dc=domain,dc=org" -w "password" \
>    -h server \
>    -f "(&(sAMAccountName=%s)(memberOf=CN=Internet-Users,OU=Gebruikers Groepen,OU=Gebruikers,DC=domain,DC=org))"
>
>I know you should check for a member in a group instead of a group in a
>member, but in AD the CN is mapped as a member and we use the sAMAccountName...
>
>Greetz
>Martijn
>
Received on Mon Jul 12 2004 - 07:53:31 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Aug 01 2004 - 12:00:01 MDT
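Added example, not from the thread and not Squid project code: the helper protocol behind Tim's external_acl_type line, written in Python. Squid hands the helper one request line per lookup, the %LOGIN value followed by the group name(s) from the acl line, and expects OK or ERR back; squid_ldap_group turns that request into an LDAP search. The stand-in below swaps the LDAP server for a constructed in-memory table, but assembles the same shape of filter Martijn used, escaping the login and group name per RFC 4515 so that parentheses, asterisks or backslashes in a username cannot alter the filter, and carrying the space in "Gebruikers Groepen" literally because the filter is built in code rather than recovered from squid.conf arguments. The login names, group names and directory contents are assumptions.

```python
#!/usr/bin/env python3
"""Stand-in Squid external ACL helper (the protocol squid_ldap_group speaks).

Added example, not part of the thread or of Squid. The directory lookup is a
constructed in-memory table instead of a real LDAP search.
"""
import sys
from urllib.parse import unquote

# Constructed sample directory: login -> set of group CNs the login belongs to.
CONSTRUCTED_DIRECTORY = {
    "mmoret": {"Internet-Users"},
    "tneto": {"proxy"},
    "guest": set(),
}


def ldap_filter_escape(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\' and NUL become backslash + two hex digits, so a login
    such as 'a*)(objectClass=*' cannot widen or break the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_group_filter(user, group_cn, group_base):
    """Same shape as the -f filter in the thread, assembled in code.

    The group DN is a plain string here, so an OU containing a space
    (e.g. 'Gebruikers Groepen') is carried through unchanged rather than
    being split on whitespace by a config-line parser.
    """
    group_dn = "CN=%s,%s" % (ldap_filter_escape(group_cn), group_base)
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (
        ldap_filter_escape(user), group_dn)


def is_member(user, group_cn):
    """Directory lookup; a real helper would run build_group_filter() via LDAP."""
    return group_cn in CONSTRUCTED_DIRECTORY.get(user, set())


def handle_line(line):
    """Answer one request line.

    Squid sends '<%LOGIN> <group> [<group> ...]' with each field %-escaped
    (squid_ldap_group unescapes them the same way). Reply is OK if the user
    is in any listed group, else ERR. Malformed input is ERR: never fail open.
    """
    fields = line.strip().split()
    if len(fields) < 2:
        return "ERR"
    user = unquote(fields[0])
    groups = [unquote(g) for g in fields[1:]]
    return "OK" if any(is_member(user, g) for g in groups) else "ERR"


def main():
    # Squid blocks on each reply, so answers must be flushed line by line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Fed `mmoret Internet-Users` on stdin the script answers `OK`; `guest Internet-Users` answers `ERR`; a line with no group name also answers `ERR`, which is the safe default for an access-control helper. Pointing an external_acl_type line at this script instead of squid_ldap_group is only useful for testing the ACL wiring, since the membership data is a constructed table.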