Re: [squid-users] trying to understand squid_ldap_group

From: Andreas Bittner <abittner@dont-contact.us>
Date: Mon, 14 Nov 2005 21:06:06 +0100

Henrik Nordstrom wrote:
> squid_ldap_group checks if the user is member of a given group by
> searching for the membership in the LDAP directory.

I think this step is my problem. How do I tell squid_ldap_group which
group it should actually check the HTTP-authenticated user against?

> DN: CN=SomeGroup, OU=Engineering, DC=company, DC=com
> CN: Some Group
> objectClass: groupOfNames
> member: CN=Some User, OU=Engineering, DC=company, DC=com
> member: CN=Another User, OU=Engineering, DC=company, DC=com

OK, so for the example on the page
<http://workaround.org/moin/SquidLdap> I have created the LDIF:

DN: CN=googleallowed, OU=Proxygroups, DC=company
CN: googleallowed
objectClass: groupOfNames
member: CN=Tim, OU=IT-Services, DC=company
member: CN=Tina, OU=Management, DC=company

Is this correct? So when I first try to surf the web, my browser comes
up with a username/password HTTP authentication window. If I enter
Tim/Timspassword there, squid_ldap_group should check in the
LDAP database whether Tim belongs to a certain group.

But how do I tell the program which group I want?

What does the %a parameter mean here exactly, or rather, where does it
come from and what does it get filled with?

> external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b o=Company
> -f (&(objectclass=person)(cn=%v)(groupMembership=cn=%a,ou=Proxygroups,o=Company))
> -D cn=Tim,ou=IT-Services,o=Company -w timspassword -h ldapserver

The %LOGIN is the username "Tim" which I enter in my browser, and so is the
parameter %v, but how does it select the actual group where I want to
check whether "CN=Tim, OU=IT-Services, DC=company" actually is a member?

I have to submit the group name "googlegroups" somehow, but I am missing
this step....

Or does the acl line:

> acl ldapgroup-googleallowed external ldapgroup googleallowed

do this very check against the group "googleallowed", since it is
using ldapgroup, which in turn derives from external_acl_type ldapgroup
%LOGIN....

Thanks already.
Regards.
Received on Mon Nov 14 2005 - 13:06:21 MST
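The mechanics the post is asking about, as an added example that is not part of the thread and not Squid's own code: Squid hands an external ACL helper one request line made of the formatted %LOGIN value followed by the arguments given on the `acl ... external` line, so for `acl ldapgroup-googleallowed external ldapgroup googleallowed` the helper sees `Tim googleallowed`, fills %v with `Tim` and %a with `googleallowed` in the `-f` template, and answers OK or ERR. The simulation below uses the filter template quoted in the thread verbatim, a constructed in-memory stand-in for the directory (three made-up person entries), and a minimal evaluator for the `(&...)` / `(attr=value)` filter subset that template uses. It also applies RFC 4515 escaping to both substitutions; whether and how the real helper escapes is not shown on this page, so treat the escaping as this example's own choice, included because %v comes straight from whatever the browser sends as the username.

```python
import re

# Constructed stand-in for the LDAP directory (not real data). Attribute
# names are stored lowercased because LDAP attribute names are case-insensitive.
DIRECTORY = [
    {"dn": "cn=Tim,ou=IT-Services,o=Company", "objectclass": {"person"},
     "cn": {"Tim"}, "groupmembership": {"cn=googleallowed,ou=Proxygroups,o=Company"}},
    {"dn": "cn=Tina,ou=Management,o=Company", "objectclass": {"person"},
     "cn": {"Tina"}, "groupmembership": {"cn=googleallowed,ou=Proxygroups,o=Company"}},
    {"dn": "cn=Tom,ou=Sales,o=Company", "objectclass": {"person"},
     "cn": {"Tom"}, "groupmembership": set()},
]

# The -f template exactly as quoted in the thread: %v is the login, %a the group.
FILTER_TEMPLATE = ("(&(objectclass=person)(cn=%v)"
                   "(groupMembership=cn=%a,ou=Proxygroups,o=Company))")


def ldap_escape(value):
    """RFC 4515 escaping: user-controlled text must not alter the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def ldap_unescape(value):
    """Reverse of ldap_escape: turn \\XX hex escapes back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template, user, group, escape=True):
    """Substitute %v and %a the way the helper's -f option describes."""
    if escape:
        user, group = ldap_escape(user), ldap_escape(group)
    return template.replace("%v", user).replace("%a", group)


def value_matcher(raw):
    """Unescaped '*' is an LDAP wildcard; escaped '\\2a' is a literal star."""
    parts = [re.escape(ldap_unescape(p)) for p in raw.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE).fullmatch


def parse_filter(s):
    """Parse the subset used by the template: (&...) conjunctions and (attr=value)."""
    def parse(i):
        if s[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if s[i] == "&":
            i += 1
            items = []
            while s[i] == "(":
                node, i = parse(i)
                items.append(node)
            if s[i] != ")":
                raise ValueError("unterminated conjunction")
            return ("and", items), i + 1
        j = s.index(")", i)          # a ')' inside a value would have been escaped
        attr, _, raw = s[i:j].partition("=")
        return ("eq", attr.lower(), value_matcher(raw)), j + 1
    node, end = parse(0)
    if end != len(s):
        raise ValueError("trailing data in filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "and":
        return all(matches(n, entry) for n in node[1])
    _, attr, match = node
    return any(match(v) for v in entry.get(attr, ()))


def handle_request(line, escape=True):
    """One helper request line: '<login> <group> [<group> ...]' -> 'OK' or 'ERR'."""
    fields = line.split()
    if not fields:
        return "ERR"
    user, groups = fields[0], fields[1:]
    for group in groups:
        flt = parse_filter(build_filter(FILTER_TEMPLATE, user, group, escape))
        if any(matches(flt, entry) for entry in DIRECTORY):
            return "OK"
    return "ERR"


if __name__ == "__main__":
    print(build_filter(FILTER_TEMPLATE, "Tim", "googleallowed"))
    for req in ("Tim googleallowed", "Tom googleallowed", "* googleallowed"):
        print(req, "->", handle_request(req))
    print("* googleallowed (unescaped) ->", handle_request("* googleallowed", escape=False))
```

The last two calls show why the escaping matters: a login of `*` becomes `(cn=\2a)` and is denied, but without escaping it becomes `(cn=*)`, matches every person entry, and the helper answers OK for a user who exists nowhere in the directory.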
