Re: [squid-users] Squid_ldap_auth multiple groups

From: Tim Neto <tneto@dont-contact.us>
Date: Tue, 10 Aug 2004 07:56:28 -0400

Question regarding this thread.

    Why not use "squid_ldap_group"?

Here where I work, I use "squid_ldap_auth" for individual user
authentication. I use "squid_ldap_group" as an external acl type. Like:

    external_acl_type ldap_group %LOGIN /path/squid_ldap_group -h ldap-host -p ### -P -b o=DN -F "uid=%s" -f "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

I then create an acl def like:

    acl proxy_groups external ldap_group proxy_subcompany_a proxy_subcompany_b proxy_subcompany_c proxy_headoffice
or
    acl restricted_groups external ldap_group proxy_subcompany_a proxy_subcompany_b proxy_subcompany_c proxy_headoffice

Finally a http_access def to use the group control, like:

    http_access allow our_networks proxy_groups

If you use "squid_ldap_auth" for group control, then why was
"squid_ldap_group" created?

Tim

-----------------------------------------------------------
Timothy E. Neto
 Computer Systems Engineer, Komatsu Canada Limited
 1725B Sismet Road, Mississauga, Canada L4W 1P9
 Ph#: 905-625-6292 x265
 Fax: 905-625-6348
 E-Mail: tneto@komatsu.ca
-----------------------------------------------------------

Henrik Nordstrom wrote:

> On Tue, 10 Aug 2004, Stefan Thomas wrote:
>
>> /usr/local/squid/libexec/squid_ldap_auth -b "" -D "cn=name,o=name" -w passwd -h ip-adr -f (&(&(cn=%s)(objectClass=person))(groupMembership=cn=Internet,ou=name,ou=name,o=name))
>>
>> This works very well. Now I have a new challenge to solve. I want to
>> check whether the authorised user is in the group "internet" OR "marketing" OR
>> "normal" OR ...
>>
>> He should be in one !! of these groups, not in all !
>
>
> See RFC2254
>
> & is AND
> | is OR
>
> (&(cn=%s)(objectClass=person)(|(groupMembership=cn=Internet,ou=name,ou=name,o=name)(groupMembership=cn=Marketing,ou...)(groupMembership=cn=Normal,ou..)(...)))
>
> But personally I would make the setup as follows
>
> 1. One single group which determines if the user should at all be
> allowed to use the Internet, if not all users should be allowed. This
> is optional.
>
> 2. A number of groups verified by squid_ldap_group for giving
> different levels of access to the Internet.
>
> Regards
> Henrik
>
Received on Tue Aug 10 2004 - 05:56:32 MDT
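Henrik's answer turns on the `&` (AND) and `|` (OR) operators of RFC 2254 and on the `%s` username substitution in Stefan's filter. The following is an added example, not code from this thread, from Squid or from squid_ldap_auth: it builds the OR-of-groups filter in the shape Henrik gives, escapes the substituted username as RFC 4515 (which obsoletes RFC 2254) requires so that a value containing `)` or `*` cannot change the structure of the filter, and evaluates the result against in-memory entries. The attribute names (`cn`, `objectClass`, `groupMembership`) follow the posts; the group DNs and user entries are constructed sample data, and the parser covers only the filter subset used here.

```python
"""Build and evaluate the OR-of-groups filter from the thread, with escaping.

Added example, not code from the thread, Squid or squid_ldap_auth. It assumes
the attribute names used in the posts (cn, objectClass, groupMembership) and
evaluates against constructed in-memory entries; no real directory is queried.
"""
import re

# RFC 4515 (which obsoletes RFC 2254) requires these characters in an
# assertion value to be written as \XX, so a username containing ')' or '*'
# cannot change the structure of the filter it is substituted into.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it into an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(username: str, group_dns: list[str]) -> str:
    """Return (&(cn=user)(objectClass=person)(|(groupMembership=g1)...)).

    & is AND, | is OR: the user must match cn and objectClass AND be a
    member of at least one of the listed groups, which is what was asked.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    members = "".join(
        f"(groupMembership={escape_filter_value(dn)})" for dn in group_dns
    )
    return f"(&(cn={escape_filter_value(username)})(objectClass=person)(|{members}))"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Recursive-descent parser for the subset of RFC 4515 used here:
    (&...), (|...), (!...) and equality assertions (attr=value)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i:i + 1] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i:i + 1] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", [node]), i + 1
    eq = s.index("=", i)
    end = s.index(")", eq)  # escaped values never contain a raw ')'
    return ("=", s[i:eq], _unescape(s[eq + 1:end])), end + 1


def _evaluate(node, entry: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(_evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(_evaluate(c, entry) for c in node[1])
    if op == "!":
        return not _evaluate(node[1][0], entry)
    _, attr, value = node
    # Case-insensitive equality is a simplification of real LDAP matching rules.
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def user_matches(filter_str: str, entry: dict) -> bool:
    """True if the entry (attribute -> list of values) satisfies the filter."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return _evaluate(node, entry)


# Constructed sample data in the shape of the thread's DNs (not real entries).
GROUPS = ["cn=Internet,ou=name,o=name", "cn=Marketing,ou=name,o=name",
          "cn=Normal,ou=name,o=name"]
MARKETING_USER = {"cn": ["stefan"], "objectClass": ["person"],
                  "groupMembership": ["cn=Marketing,ou=name,o=name"]}
OUTSIDER = {"cn": ["guest"], "objectClass": ["person"],
            "groupMembership": ["cn=Sales,ou=name,o=name"]}

if __name__ == "__main__":
    print(build_group_filter("stefan", GROUPS))
    print(user_matches(build_group_filter("stefan", GROUPS), MARKETING_USER))
    print(user_matches(build_group_filter("guest", GROUPS), OUTSIDER))
```

The escaping step is the part worth keeping in mind whenever a `%s` comes from the client: without it, the characters that build the filter are also characters an authenticating user can type, so the directory sees a different query than the administrator wrote. Membership in any one group satisfies the `|` clause, so a user in several of the listed groups also matches; if that is unwanted, the per-group `squid_ldap_group` approach Henrik and Tim describe separates the "may use the proxy at all" decision from the "which level of access" decision.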
