Re: [squid-users] squid_ldap_group authorisation of 2000 AD Groups

OK I've sorted out the parameters to use for squid_ldap_group. I have
this line in squid.conf:

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b
cn=Users,dc=domain,dc=local -f
"(&(cn=%g)(member=%u)(objectClass=group))" -B
cn=Users,dc=domain,dc=local -F "cn=%s" -D
cn=Oliver,cn=Users,dc=domain,dc=local -w password 192.168.150.100

This brings back OK when I put in users who are in various groups. For
example I am in the Internet group so when I enter "Oliver Internet" it
returns OK. However access through the proxy is now giving me Cache
Denied Request errors:

The following error was encountered:

Cache Access Denied.

Sorry, you are not currently allowed to request:

     http://www.google.com/from this cache until you have authenticated
yourself.

My other acl lines that control access are below:

acl group1 external ldap_group Internet
http_access allow group1

What could be going on, since I am definitely a member of the group that
I am allowing access to?

Regards,
Oliver

Oliver Hookins wrote:
> I'm trying to authorise users of the proxy by determining if they are a
> member of a certain Active Directory group or not. Yes, I've read the
> documentation, FAQ, mailing list archives and man pages but it is still
> confusing to me. The version in question is 2.5STABLE3.
>
> On the 2000 domain controller I have standard users in the Users
> container. The authorised internet users will also be a member of a
> group called Internet. So far I've been using ldapsearch to verify what
> sort of information will be coming out of the LDAP but I find it hard to
> make this correspond to the parameters I'm putting into squid_ldap_group.
>
> For example, here's an ldapsearch line that will give me the Internet
> group back with a list of members:
>
> ldapsearch -x -b cn=Internet,cn=Users,dc=domain,dc=local -D
> cn=Administrator,cn=Users,dc=domain,dc=local -W -h 192.168.150.100
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=Internet,cn=Users,dc=domain,dc=local> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # Internet, Users, domain.local
> dn: CN=Internet,CN=Users,DC=domain,DC=local
> member: CN=Cameron,CN=Users,DC=domain,DC=local
> member: CN=Oliver,CN=Users,DC=domain,DC=local
> cn: Internet
> groupType: -2147483646
> instanceType: 4
> distinguishedName: CN=Internet,CN=Users,DC=domain,DC=local
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=local
> objectClass: top
> objectClass: group
> objectGUID:: I6No/vayb0iE8uD6mxvtzg==
> objectSid:: AQUAAAAAAAUVAAAAPeMITdvrDFCoN9ZlVAYAAA==
> name: Internet
> sAMAccountName: Internet
> sAMAccountType: 268435456
> uSNChanged: 746952
> uSNCreated: 742415
> whenChanged: 20041128224030.0Z
> whenCreated: 20041126041439.0Z
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> How do I turn this into a useful line for squid_ldap_group? I've tried
> the following with no success:
>
> /usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local -f
> "(&(name=%g)(member=%u)(objectClass=group))" -D
> cn=Administrator,cn=Users,dc=domain,dc=local 192.168.150.100
>
> Oliver Internet
> ERR
> CN=Oliver,CN=Users,DC=domain,DC=local Internet
> ERR
>
> Also the fact that 2000 doesn't allow you to view what is going on with
> the LDAP queries makes it even harder. Any help will be greatly
> appreciated.
>
> Regards,
> Oliver
>

This communication is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking any action in reliance on, this communication by persons or entities other than the intended recipient is prohibited. Exhibition IT Services Pty LTD makes no express or implied representation or warranty that this electronic communication or any attachment is free from computer viruses or other defects or conditions which could damage or interfere with the recipients data, hardware or software. This communication and any attachment may have been modified or otherwise interfered with in the course of transmission.
Received on Mon Nov 29 2004 - 21:23:22 MST