[squid-users] squid_ldap_group issue.

From: Hillaert, Todd <THillaert@dont-contact.us>
Date: Thu, 8 Sep 2005 09:25:29 -0500

Hi,

I'm running squid (Squid Cache version 2.5.STABLE10-NT) on a Windows 2003 server. I'm having trouble with the authentication helper program starting properly.
From the command line I can run squid_ldap_group.exe against Active Directory and receive ERR for bad input, and OK for good input, for example:

>C:\squid\libexec\squid_ldap_group.exe -b DC=MyCompany,DC=com -D CN=adquery,OU=MySite,DC=MyCompany,DC=com -w adqpassword -f (&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=users,dc=MyCompany,dc=com)) adserver.mycompany.com
>validUserName badGroup
>ERR
>validUserName ProxyAllowed
>OK

When I copy that working line into the squid.config file as below:

>external_acl_type ldap_group %LOGIN C:\squid\libexec\squid_ldap_group.exe -b DC=MyCompany,DC=com -D CN=adquery,OU=MySite,DC=MyCompany,DC=com -w adpassword -f (&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=users,dc=MyCompany,dc=com)) adserver.mycompany.com

>acl Proxy_Allowed external ldap_group ProxyAllowed
>http_access allow Proxy_Allowed

I see this in my cache.log:
--------------------------------------------------------------------------------------------------
2005/09/07 17:30:12| helperOpenServers: Starting 5 'C:\squid\libexec\squid_ldap_group.exe' processes

squid_ldap_group version 2.17-2.5

Usage: squid_ldap_group -b basedn -f filter [options] ldap_server_name

        -b basedn (REQUIRED) base dn under where to search for groups
        -f filter (REQUIRED) group search filter pattern. %v = user,
                                %a = group
        -B basedn (REQUIRED) base dn under where to search for users
        -F filter (REQUIRED) user search filter pattern. %s = login
        -s base|one|sub search scope
        -D binddn DN to bind as to perform searches
        -w bindpasswd password for binddn
        -W secretfile read password for binddn from file secretfile
        -h server LDAP server (defaults to localhost)
        -p port LDAP server port (defaults to 389)
        -P persistent LDAP connection
        -c timeout connect timeout
        -t timelimit search time limit
        -R do not follow referrals
        -a never|always|search|find
                                when to dereference aliases
        -v 2|3 LDAP version
        -Z TLS encrypt the LDAP connection, requires
                                LDAP version 3
        -g first query parameter is base DN extension
                                for this query
        -S Strip NT domain from usernames

        If you need to bind as a user to perform searches then use the
        -D binddn -w bindpasswd or -D binddn -W secretfile options

squid_ldap_group version 2.17-2.5

...same as above 4 more times...
----------------------------------------------------------------------------------------------------

So far I've tried the squid.config file in DOS format as well as UNIX format, and I've tried numerous combinations of " and ' around the squid_ldap_group.exe and its parameters.
So far all have the same result; it's as if no switches are being passed to squid_ldap_group.exe.

Any suggestions would be greatly appreciated; thanks in advance for your time.

Todd
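Added example, not part of the original post and not Squid's own helper code: a small Python mock of the request/reply exchange between Squid and an external ACL group helper such as squid_ldap_group. Squid writes one `<login> <group>` line per request on the helper's stdin and expects a single `OK` or `ERR` line back, which is exactly the interactive test shown above. The live LDAP server is replaced by a constructed in-memory directory (the entries `alice` and `bob` and their group DNs are made up) so the exchange runs offline; the `%v`/`%a` substitution and the `-S` strip-NT-domain behaviour follow the helper's usage text, while the RFC 4515 escaping of substituted values is an assumption about what a hardened helper should do (a login such as `a)(cn=*` must not be able to change the shape of the filter), not a description of squid_ldap_group's source.

```python
"""Mock of the Squid external ACL helper exchange (constructed example)."""
import re
import sys

# Constructed stand-in for Active Directory: DN -> attributes.
DIRECTORY = {
    "CN=alice,CN=Users,DC=MyCompany,DC=com": {
        "objectclass": ["person"],
        "sAMAccountName": ["alice"],
        "memberof": ["cn=ProxyAllowed,cn=users,dc=MyCompany,dc=com"],
    },
    "CN=bob,CN=Users,DC=MyCompany,DC=com": {
        "objectclass": ["person"],
        "sAMAccountName": ["bob"],
        "memberof": ["cn=Staff,cn=users,dc=MyCompany,dc=com"],
    },
}

# The -f template from the post: %v = user, %a = group.
FILTER_TEMPLATE = ("(&(objectclass=person)(sAMAccountName=%v)"
                   "(memberof=cn=%a,cn=users,dc=MyCompany,dc=com))")

# RFC 4515 escapes (assumed hardening, not squid_ldap_group's own code).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever match literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strip_nt_domain(login: str) -> str:
    """The -S switch: 'MYDOMAIN\\alice' -> 'alice'."""
    return login.rsplit("\\", 1)[-1]


def build_filter(template: str, user: str, group: str) -> str:
    """Substitute %v and %a with escaped values."""
    return (template.replace("%v", escape_filter_value(user))
                    .replace("%a", escape_filter_value(group)))


def _parse(filt: str, pos: int):
    """Tiny filter parser: (&...), (|...), (!...) and (attr=value) only."""
    if pos >= len(filt) or filt[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if filt[pos] in "&|!":
        op, pos, children = filt[pos], pos + 1, []
        while pos < len(filt) and filt[pos] == "(":
            node, pos = _parse(filt, pos)
            children.append(node)
        if pos >= len(filt) or filt[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return (op, children), pos + 1
    end = filt.index(")", pos)          # safe: literal ')' in values is escaped
    attr, _, value = filt[pos:end].partition("=")
    return ("=", attr, value), end + 1


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(node, attrs) -> bool:
    if node[0] == "=":
        _, attr, value = node
        wanted = _unescape(value).lower()
        return any(v.lower() == wanted for v in attrs.get(attr.lower(), []))
    op, children = node
    if op == "&":
        return all(_matches(c, attrs) for c in children)
    if op == "|":
        return any(_matches(c, attrs) for c in children)
    return not _matches(children[0], attrs)


def ldap_search(filt: str):
    """Return the DNs matching the filter (stand-in for an LDAP search)."""
    tree, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing data in filter")
    return [dn for dn, attrs in DIRECTORY.items()
            if _matches(tree, {k.lower(): v for k, v in attrs.items()})]


def check_group(login: str, group: str, strip_domain: bool = True) -> str:
    """One helper request: 'OK' if login is in group, else 'ERR'."""
    user = strip_nt_domain(login) if strip_domain else login
    return "OK" if ldap_search(build_filter(FILTER_TEMPLATE, user, group)) else "ERR"


def helper_loop(lines):
    """Answer each '<login> <group>' request line the way Squid expects."""
    replies = []
    for line in lines:
        parts = line.split()
        replies.append(check_group(parts[0], parts[1]) if len(parts) >= 2 else "ERR")
    return replies


if __name__ == "__main__":
    for request in sys.stdin:            # same interactive test as in the post
        print(helper_loop([request])[0], flush=True)
```

Run it and type `alice badGroup` then `alice ProxyAllowed` to see the `ERR`/`OK` pair from the post; a login containing `*` or parentheses is escaped before substitution, so it can only fail to match rather than widen the search.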
Received on Thu Sep 08 2005 - 08:26:02 MDT
