Re: [squid-users] Help squid_ldap_group W32

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Wed, 03 Nov 2004 21:19:52 +0100

Hi,

At 11.18 03/11/2004, Henrik Nordstrom wrote:

>On Wed, 3 Nov 2004 sc379@interfree.it wrote:
>
>>auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b
>>"ou=utenti,dc=advnet,dc=it" -u "CN" -f
>>"(&(CN=internetOK)(objectClass=group)(member=cn=%u))" -d -v 3 -h
>>"192.168.150.1:389" -D "CN=superadmin,CN=users,DC=advnet,DC=it" -w "pass"
>
>to squid_ldap_auth you MUST specify a filter looking for Person objects.
>
>I would recommend you to explore your LDAP directory a little using
>ldapsearch or a LDAP browser of your choice. Things really do get a little
>easier if you know what the filters are supposed to look for..
>
>
>user search filters (-f to squid_ldap_auth, and consequently -F to
>squid_ldap_auth) look for the person object.
>
>group search filters (-f to squid_ldap_group) usually look for a matching
>group object. The job of squid_ldap_group is only to determine "is this
>login name a member of group X"
>
>>I think the string is wrong, and I try with this -f search options:
>>
>>-f
>>(&(CN=%u)(objectClass=person)(memberOf=CN=internetOK,OU=utenti,DC=advnet,DC=it))
>>-f (&(CN=%g)(objectClass=internetOk)(member=CN=%u))
>
>The first looks fine for squid_ldap_auth
>
>The second is incorrect in both the object class and member parts.
>
>>You told me to write this:
>>
>>-f (&(CN=%g)(objectClass=groupOfPeople)(member=%u))
>
>to squid_ldap_group yes, in combination with -F (capital F) having the
>exact same argument as you had to -f of squid_ldap_auth. But please verify
>the objectClass of the group objects in your directory.
>
>>I tried to test an external helper, squid_ldap_group, from the DOS command line,
>>but it doesn't work...
>
>It does work from command line. This helper expects
>
>username groupname
>
>as input.
>
>Regards
>Henrik

Some words about LDAP support on Windows:

Squid_ldap_auth and Squid_ldap_group were developed and tested using
OpenLDAP on *nix platforms. On Windows 2000 and later the support for LDAP
is native and seems to be compatible with LDAP standards. But during the
helpers' port I have found that the Microsoft LDAP implementation is slightly
different between Windows 2000 and Windows XP/2003; for example, TLS support
is not available on W2K.

I have done some basic testing on both helpers and they seem to work
(better on Windows 2003), but I'm not totally sure that they work on
Windows 2000 in exactly the same manner as when using OpenLDAP on *nix.

Henrik: is it possible to identify a standard "test bed" for LDAP helpers to
test whether they are working as expected? This could be very useful with any
other LDAP implementation like Netscape/Sun LDAP.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Wed Nov 03 2004 - 13:20:35 MST
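The thread above turns on two details: squid_ldap_group reads lines of the form "username groupname" and substitutes the login name (%u) and the group name (%g) into the -f filter template, while squid_ldap_auth substitutes only %u into its own -f filter. The following Python script is an added illustration of that substitution, not code from the Squid project or from anyone on this thread. It parses a helper input line, expands the two filter templates quoted in the thread, and escapes the RFC 4515 special characters (`*`, `(`, `)`, `\`, NUL) in the substituted values so that an odd login name cannot change the shape of the filter that is sent to the directory. The escaping rules and the "username group [group ...]" input format are standard; the function names, the sample line and the sample user are constructed here for the example.

```python
import re
from typing import List, Optional, Tuple

# RFC 4515: these characters must be escaped when they appear inside an
# assertion value of an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a login or group name so it can only ever be a value in the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, user: str, group: Optional[str] = None) -> str:
    """Substitute %u (login name) and %g (group name) into a -f / -F template.

    A %g in a template that is expanded without a group name (the
    squid_ldap_auth case) is treated as a configuration error.
    """
    def substitute(match: "re.Match") -> str:
        code = match.group(1)
        if code == "u":
            return escape_filter_value(user)
        if code == "g":
            if group is None:
                raise ValueError("template uses %g but no group name was supplied")
            return escape_filter_value(group)
        if code == "%":
            return "%"
        raise ValueError("unknown substitution %%%s in filter template" % code)

    return re.sub(r"%(.)", substitute, template)


def parse_helper_line(line: str) -> Tuple[str, List[str]]:
    """Parse one squid_ldap_group input line: 'username groupname [groupname ...]'."""
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected 'username groupname', got %r" % line)
    return fields[0], fields[1:]


def build_searches(user_filter: str, group_filter: str, line: str) -> Tuple[str, List[str]]:
    """Return the person search and one group search per requested group.

    user_filter  is what -f to squid_ldap_auth (and -F to squid_ldap_group) holds;
    group_filter is what -f to squid_ldap_group holds.
    """
    user, groups = parse_helper_line(line)
    person_search = expand_filter(user_filter, user)
    group_searches = [expand_filter(group_filter, user, g) for g in groups]
    return person_search, group_searches


if __name__ == "__main__":
    # Templates as quoted in the thread; the input line is constructed for this example.
    USER_FILTER = "(&(CN=%u)(objectClass=person))"
    GROUP_FILTER = "(&(CN=%g)(objectClass=groupOfPeople)(member=%u))"
    for sample in ("mario internetOK", "a*)(objectClass=* internetOK"):
        person, groups = build_searches(USER_FILTER, GROUP_FILTER, sample)
        print("input  :", sample)
        print("person :", person)
        for g in groups:
            print("group  :", g)
```

The second sample line shows why the escaping matters: a login name containing `*`, `(` or `)` is turned into `a\2a\29\28objectClass=\2a`, so the directory still sees a single equality assertion on CN rather than an extra clause. When checking a real helper from the command line, the same pair of filters can be compared against what `ldapsearch` returns for the person and the group object, which is the exploration Henrik recommends above.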
