Re: [squid-users] proxy auth hosts and active directory

From: Rolf <rolf@dont-contact.us>
Date: Fri, 10 Dec 2004 10:49:20 +1100

Hello

Thank you very much. I thought the initial lack of any response was
because I'd asked such silly questions.

>> Firstly, in the external_acl_type directive, -h hostname defines the
>> Active Directory server to query. Can I specify for redundancy
>> purposes more than one hostname?
>
> Yes.

I did some investigating independently and found that both ldap_auth
and squid_ldap_group seem to accept -H LDAP_URI as well as -h HOSTNAME.
I think it's documented in one of the man pages but not the other.

So for both helpers I have -H "ldap://hostA ldap://hostb". Seems to
work. Is this OK, or ought I be using the -h "hostA hostB" format?

>> Lastly, (not strictly a squid question) so far we have around 25
>> users using proxy auth - largely as a testing set - eventual
>> production will deal with about 1500 users. Of those 25, one Active
>> Directory user does not work. Clearly this is an issue within AD for
>> that userid. Has anyone seen or known of any particular quirks in AD
>> userids that stop it working?
>> The credentials, user/pass, are accepted (i.e. they are not prompted
>> for again as in the case of being incorrect) but won't accept that
>> the user has access by dint of being in the relevant group, even
>> though they certainly are.
>
> Then it is time to look into what your AD says via LDAP about this
> user's group membership.
>
> The ldap group helper can easily be tested from the command line, and
> if using the -d flag then it is relatively verbose about what kind of
> LDAP questions it makes. The helper expects username SPACE groupname
> NEWLINE as input, and responds with OK/ERR.

Thanks again. For the archive, this has been solved, not by using the
squid_ldap_group helper, though an excellent suggestion, but by a
simple ldapsearch query for the cn in question. I discovered that a
machine name, the same as the name of the user not working, existed
within AD. Some kind of corruption. Deleted that and it's fine now.

regards

rolf.
Received on Thu Dec 09 2004 - 16:50:15 MST
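The two checks discussed in this thread, the helper's "user SPACE group" stdin protocol and an ldapsearch for the cn in question, as an added shell example (not code from the thread or from Squid): it counts how many directory objects answer to one cn, which is how a computer object named like the user shows up, and feeds test pairs to the group helper. The LDAP URI, base DN and bind DN are placeholders, and the squid_ldap_group options in the usage comment are assumed from its man page.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid. Assumes OpenLDAP's
# ldapsearch and squid_ldap_group on PATH; LDAP_URI, BASE and BINDDN below
# are placeholders to replace with your own values.
LDAP_URI="${LDAP_URI:-ldap://hostA ldap://hostB}"          # placeholder servers
BASE="${BASE:-dc=example,dc=com}"                           # placeholder base DN
BINDDN="${BINDDN:-cn=squid,cn=Users,dc=example,dc=com}"     # placeholder bind DN

# Escape a value for use inside an LDAP filter (RFC 4515): backslash,
# asterisk and parentheses, so an odd username cannot rewrite the filter.
ldap_escape() {
    sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Count objects in an LDIF stream (one "dn:" line per matching object).
count_dns() {
    grep -c '^dn:' || true
}

# Exit 0 when exactly one object carries the given cn. More than one hit
# (e.g. a computer object named like the user, as found in the thread)
# means group lookups on that cn are ambiguous; zero means no such user.
unique_cn() {   # $1 = cn to check
    cn=$(printf '%s' "$1" | ldap_escape)
    n=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BINDDN" -W -b "$BASE" \
            "(cn=$cn)" dn | count_dns)
    [ "$n" -eq 1 ]
}

# Drive the group helper the way Squid does: one "user SPACE group" line
# per request on stdin, one OK/ERR reply per request on stdout.
# $1 = helper command line (e.g. squid_ldap_group -d ...), stdin = pairs.
# A fresh helper is started per pair, which is fine for a manual test.
probe_group() {
    while read -r user group; do
        reply=$(printf '%s %s\n' "$user" "$group" | eval "$1")
        printf '%s %s -> %s\n' "$user" "$group" "${reply:-no reply}"
    done
}

# Usage against a live directory (placeholders; -W prompts for the password):
#   unique_cn rolf || echo "cn=rolf is missing or duplicated"
#   printf 'rolf proxy-users\n' | probe_group \
#     "squid_ldap_group -d -b '$BASE' -D '$BINDDN' -w 'BINDPW' -H '$LDAP_URI' \
#      -f '(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,$BASE))'"
```

With -d the helper's debug output goes to stderr, so the OK/ERR line captured by probe_group stays clean.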