Re: [squid-users] Help squid_ldap_group W32

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 3 Nov 2004 11:18:57 +0100 (CET)

On Wed, 3 Nov 2004 sc379@interfree.it wrote:

> auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b "ou=utenti,dc=advnet,dc=it" -u "CN" -f "(&(CN=internetOK)(objectClass=group)(member=cn=%u))" -d -v 3 -h "192.168.150.1:389" -D "CN=superadmin,CN=users,DC=advnet,DC=it" -w "pass"

To squid_ldap_auth you MUST specify a filter looking for Person objects.

I would recommend you to explore your LDAP directory a little using
ldapsearch or an LDAP browser of your choice. Things really do get a little
easier if you know what the filters are supposed to look for.

User search filters (-f to squid_ldap_auth, and consequently -F to
squid_ldap_auth) look for the person object.

Group search filters (-f to squid_ldap_group) usually look for a matching
group object. The job of squid_ldap_group is only to determine "is this
login name member of groups X".

> I think the string is wrong, and I tried with these -f search options:
>
> -f (&(CN=%u)(objectClass=person)(memberOf=CN=internetOK,OU=utenti,DC=advnet,DC=it))
> -f (&(CN=%g)(objectClass=internetOk)(member=CN=%u))

The first looks fine for squid_ldap_auth.

The second is incorrect in both the object class and member parts.

> You told me to write this:
>
> -f (&(CN=%g)(objectClass=groupOfPeople)(member=%u))

To squid_ldap_group, yes, in combination with -F (capital F) having the
exact same argument as you had to -f of squid_ldap_auth. But please verify
the objectClass of the group objects in your directory.

> I tried to test the external helper squid_ldap_group from the DOS command line, but it doesn't work...

It does work from command line. This helper expects

username groupname

as input.

Regards
Henrik
Received on Wed Nov 03 2004 - 03:19:00 MST
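
The two-step lookup described in this message, as an added Python sketch (not part of the original post and not Squid's code): it parses a "username groupname" input line, expands the user filter, then expands the group filter with the DN that was found, escaping every substituted value per RFC 4515 so a login name cannot change the filter's structure. Assumptions: %u and %g behave as the thread's filters suggest, with -F the found DN takes the place of %u in the group filter, and the user "mario", `lookup_dn` and `SAMPLE_DIR` are constructed stand-ins for the directory.

```python
# Added sketch, not Squid source. Placeholder semantics (%u, %g) are assumed
# from the filters quoted in this thread; sample data below is constructed.

USER_FILTER = ('(&(CN=%u)(objectClass=person)'
               '(memberOf=CN=internetOK,OU=utenti,DC=advnet,DC=it))')  # role of -F
GROUP_FILTER = '(&(CN=%g)(objectClass=groupOfPeople)(member=%u))'      # role of -f

def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def expand(template, user='', group=''):
    """Replace %u and %g in a filter template with escaped values."""
    out, i = [], 0
    while i < len(template):
        nxt = template[i + 1:i + 2]
        if template[i] == '%' and nxt in ('u', 'g'):
            out.append(ldap_escape(user if nxt == 'u' else group))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return ''.join(out)

def parse_request(line):
    """Split one helper input line of the form 'username groupname'."""
    fields = line.split()
    if len(fields) != 2:
        raise ValueError('expected: username groupname')
    return fields[0], fields[1]

def build_searches(line, lookup_dn):
    """Return (user_search, group_search); group_search is None if no user DN."""
    login, group = parse_request(line)
    user_search = expand(USER_FILTER, user=login)
    dn = lookup_dn(user_search)      # stand-in for the person-object search
    if dn is None:
        return user_search, None     # unknown user: no group check possible
    return user_search, expand(GROUP_FILTER, user=dn, group=group)

# Constructed directory: maps an expanded user filter to the person's DN.
SAMPLE_DIR = {expand(USER_FILTER, user='mario'):
              'CN=mario,OU=utenti,DC=advnet,DC=it'}

if __name__ == '__main__':
    for request in ('mario internetOK', 'ma*rio internetOK'):
        print(build_searches(request, SAMPLE_DIR.get))
```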
