Re: [squid-users] trying to understand squid_ldap_group

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 14 Nov 2005 17:17:25 +0100 (CET)

On Mon, 14 Nov 2005, Andreas Bittner wrote:

> I'm trying to figure out how the squid_ldap_auth and squid_ldap_group
> stuff works, and I'm kinda new to LDAP. I'd like to set up and understand a
> very basic setup.

squid_ldap_auth verifies the users password by trying to log in to the
LDAP directory using the user supplied password.

squid_ldap_group checks if the user is member of a given group by
searching for the membership in the LDAP directory.

> My problem of understanding is basically: if I have a simple company
> (LDAP tree) like on that page, with three groups, it-services, sales and
> management, how do I create a group that is allowed to surf the Google
> pages? I somehow can't figure out what the LDAP tree is going to look
> like then.

Do you need an additional group, or can you construct your criteria based
on the existing groups?

> Also, do I need to use both squid_ldap_auth and squid_ldap_group?

Yes, most likely.

> I don't quite understand what the author of the page means by
> "A group is just a list of distinguished names".

This is an LDAP term.

In LDAP everything (user, group, computer, company, table, spoon, office,
chair, whatever) has a distinguished name which identifies the object
within the LDAP tree. Normally, groups in LDAP are constructed by listing
the objects which are members of the group by their distinguished name.

   DN: CN=SomeGroup, OU=Engineering, DC=company, DC=com
   CN: Some Group
   objectClass: groupOfNames
   member: CN=Some User, OU=Engineering, DC=company, DC=com
   member: CN=Another User, OU=Engineering, DC=company, DC=com

Other ways also exist. LDAP is just a standard on how to access
directory data, not how it should be organized. Another quite common
method is to list the members by their login name, not caring that much
for the LDAP structure of things.

squid_ldap_group requires that the group object lists its members either
by the login name, or by the corresponding user objects' distinguished
names.

Regards
Henrik
Received on Mon Nov 14 2005 - 09:17:28 MST
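The following is an added example illustrating the two group layouts Henrik describes (members listed by user DN in a groupOfNames, or by login name in an attribute such as memberUid) and the membership decision a helper like squid_ldap_group makes over them. It is not code from the Squid project or from this thread. The in-memory DIRECTORY is constructed sample data shaped after the entry shown above; the `%u`/`%g` filter template style, the `memberUid` group, the DN normalization and the `OK`/`ERR` line protocol are this example's own assumptions, not a description of the real helper's internals.

```python
"""Minimal model of how an LDAP group helper decides membership.

Added example for this thread, not code from Squid. DIRECTORY is constructed
sample data; the filter templates and the simplified DN matching are assumptions.
"""

# Constructed sample directory: DN -> attributes (LDAP attributes are
# multi-valued, so every value is a list). Two group styles are present:
#   SomeGroup  lists members by user DN  (objectClass groupOfNames, attr member)
#   websurfers lists members by login    (objectClass posixGroup,  attr memberUid)
DIRECTORY = {
    "cn=Some User,ou=Engineering,dc=company,dc=com": {
        "objectClass": ["person"], "uid": ["someuser"],
    },
    "cn=Another User,ou=Engineering,dc=company,dc=com": {
        "objectClass": ["person"], "uid": ["another"],
    },
    "cn=Sales Person,ou=Sales,dc=company,dc=com": {
        "objectClass": ["person"], "uid": ["sales1"],
    },
    "cn=SomeGroup,ou=Engineering,dc=company,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["SomeGroup"],
        # Same spelling variants as the entry quoted in the mail: DN matching
        # must not depend on case of attribute types or spaces after commas.
        "member": [
            "CN=Some User, OU=Engineering, DC=company, DC=com",
            "cn=Another User,ou=Engineering,dc=company,dc=com",
        ],
    },
    "cn=websurfers,ou=Groups,dc=company,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["websurfers"],
        "memberUid": ["someuser", "sales1"],
    },
}


def normalize_dn(dn):
    """Simplified DN comparison (assumption): lowercase each RDN and drop the
    whitespace around comma separators. Real servers apply per-attribute
    matching rules; this is enough for the sample data above."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter. Without it,
    a login such as  a*)(uid=*  would rewrite the filter the helper sends and
    could match an unintended entry."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_filter(template, user, group):
    """Expand a %u (login) / %g (group) template with escaped values."""
    return template.replace("%u", ldap_escape(user)).replace("%g", ldap_escape(group))


def find_user_dn(uid):
    """Extra lookup needed when groups list members by DN: resolve the login
    name to the user object's DN first."""
    for dn, attrs in DIRECTORY.items():
        if uid in attrs.get("uid", []):
            return dn
    return None


def find_group(group_cn):
    for attrs in DIRECTORY.values():
        if group_cn in attrs.get("cn", []) and ("member" in attrs or "memberUid" in attrs):
            return attrs
    return None


def is_member(uid, group_cn):
    """True if the group lists the user either by login name or by user DN."""
    group = find_group(group_cn)
    if group is None:
        return False
    if uid in group.get("memberUid", []):
        return True
    user_dn = find_user_dn(uid)
    if user_dn is None:
        return False
    wanted = normalize_dn(user_dn)
    return any(normalize_dn(m) == wanted for m in group.get("member", []))


def handle_request(line):
    """One 'user group [group ...]' request line in, OK or ERR out:
    OK when the user belongs to any of the listed groups."""
    parts = line.split()
    if len(parts) < 2:
        return "ERR"
    user, groups = parts[0], parts[1:]
    return "OK" if any(is_member(user, g) for g in groups) else "ERR"


if __name__ == "__main__":
    for req in ("someuser SomeGroup", "sales1 SomeGroup", "sales1 websurfers",
                "another websurfers SomeGroup", "nobody websurfers"):
        print(req, "->", handle_request(req))
    print(build_filter("(&(cn=%g)(memberUid=%u))", "a*)(uid=*", "websurfers"))
```

The two lookups differ in one step only: a login-name group is answered by a single search on the group, while a DN-based group first needs the user's own DN, which is why the user object must be reachable under the configured search base. The escaping in `build_filter` is the check worth keeping in mind whenever a user-supplied login is substituted into a filter string.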

This archive was generated by hypermail pre-2.1.9 : Thu Dec 01 2005 - 12:00:09 MST