Re: [squid-users] squid_ldap_group with novell ldap

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 20 Feb 2005 15:52:29 +0100 (CET)

On Sat, 12 Feb 2005, Adrian Malaguti wrote:

> They are using squid_ldap_auth and squid_ldap_group modules.
> It seems to be a problem with group membership attributes, the valiu for
> member attribute returned by both ldap servers are different.
> When querying to openldap it returns:

> # g_http_internet, poderjudicial, gub, uy
> dn: cn=g_http_internet, dc=poderjudicial,dc=gub,dc=uy
> objectClass: groupOfNames
> objectClass: top
> "member: cn=csomma"

This is not a correct member of a groupOfNames.. the member should be the
full DN of the member user, not just the CN.

> But when querying to eDir LDAP it returns:
> # g_http_internet, poderjudicial
> dn: cn=g_http_internet,o=poderjudicial
> objectClass: groupOfNames
> objectClass: Top
> "member: cn=csomma,ou=divTec,ou=dgsa,ou=scj,o=poderjudicial"

Looks good.

> This is the current configuration with openldap (which works fine), but
> doesn't work with eDir LDAP.
> #external_acl_type ldap_group_helper %LOGIN
> /usr/local/squid/libexec/squid_ldap_group -d -b
> "dc=poderjudicial,dc=gub,dc=uy" -B "dc=poderjudicial,dc=gub,dc=uy" -
> h localhost -f "(&(objectclass=groupOfNames)(cn=%a)(member=cn=%u))"

You need to use the -F flag to tell squid_ldap_group how to find the user
from the login name. Same as teh -f flag to squid_ldap_auth.

Note that the -f flag needs to be changed somewhat by removing any DN
components from the member attribute match (memeber=%u instead of
member=cn=%u).

For clarity I would recomment using %g instead of %a. Especially
considering you are already using %u for the user.. (initial version of
squid_ldap_group used %a/%v, current versions uses %g/%u but also supports
the older codes..)

Regards
Henrik
Received on Sun Feb 20 2005 - 07:52:31 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:02 MST