On Tue, 2 Nov 2004 sc379@interfree.it wrote:
> external_acl_type ldap_group %LOGIN /Squid/libexec/squid_ldap_group.exe
> -u CN -b "OU=utenti,DC=bdcnet,DC=it" -d -f
> "(&(CN=%u)(objectClass=person)((memberOf=cn=internetOKnavigare,OU=utenti,DC=bdcnet,DC=it)))"
> -h 192.168.1.1:389

This looks a little odd.. normally one uses a search filter looking for
the group object where the user is a member, not the person object having
the group as a membership attribute.

In addition you should be using a %g at a suitable position in the filter
for the group name..

If you continue doing the lookup on the person object, the filter should be
something like the following:

"(&(CN=%u)(objectClass=person)(memberOf=cn=%g,OU=utenti,DC=bdcnet,DC=it))"

Or you could do it the LDAP way and look for a group object having the
user as member. You then specify the exact same filter as used in
squid_ldap_auth to the -F option of squid_ldap_group, and a suitable group
filter to -f:

"(&(CN=%g)(objectClass=groupOfPeople)(member=%u))"

(%u in the group search filter -f translates to the user's DN, not the
login name, when using the -F option)

Regards
Henrik

Received on Tue Nov 02 2004 - 07:40:39 MST