Re: [squid-users] trying to understand squid_ldap_group

From: Ghislain Garcon <gigi_8439@dont-contact.us>
Date: Tue, 15 Nov 2005 08:34:40 +0100

Andreas Bittner wrote :

>Henrik Nordstrom wrote:
>
>>squid_ldap_group checks if the user is member of a given group by
>>searching for the membership in the LDAP directory.
>
>i think this step is my problem. how do i tell the squid_ldap_group the
>group it should actually check the HTTP-AUTHenticated user against?
>
>> DN: CN=SomeGroup, OU=Engineering, DC=company, DC=com
>> CN: Some Group
>> objectClass: groupOfNames
>> member: CN=Some User, OU=Engineering, DC=company, DC=com
>> member: CN=Another User, OU=Engineering, DC=company, DC=com
>
>ok, so for the example on the page
><http://workaround.org/moin/SquidLdap> i have created the ldif:
>
>DN: CN=googleallowed, OU=Proxygroups, DC=company
>CN: googleallowed
>objectClass: groupOfNames
>member: CN=Tim, OU=IT-Services, DC=company
>member: CN=Tina, OU=Management, DC=company
>
>is this correct? so when i first try to surf the web, my browser comes
>up with a username/password http-authentication window. if i enter
>Tim/Timspassword there, the squid_ldap_group should check in the
>LDAP-Database if Tim belongs to a certain group.
>
>But how do i tell the program which group i want?
>
As a parameter of the ACL:

external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...

acl group1 external ldap_group Group1

acl group2 external ldap_group Group2

With this declaration, the first argument passed to the helper is the
LOGIN and the second is the Group to match. This is what the helper is
waiting for.
Then, %v in the example of Henrik will be replaced by the %LOGIN value
and the %a will be replaced by the group given in the ACL declaration.

>what does the %a parameter mean in here exactly, or rather where does it
>come from and with what does it get filled?
>
>>external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b o=Company
>> -f (&(objectclass=person)(cn=%v)(groupMembership=cn=%a,ou=Proxygroups,o=Company))
>> -D cn=Tim,ou=IT-Services,o=Company -w timspassword -h ldapserver
>
>the %LOGIN is the username "Tim" which i enter in my browser, also the
>parameter %v, but how does it select the actual group where i want to
>check if "CN=Tim, OU=IT-Services, DC=company" actually is a member?
>
>I have to submit the groupname "googlegroups" somehow, but i am missing
>this step....
>
>or does the acl line:
>
This is the search query after the "-f", which must link the Login and
the Group (RFC 2254).

>>acl ldapgroup-googleallowed external ldapgroup googleallowed
>
>does this very checking against the group "googleallowed"? since it's
>using ldapgroup which again derives from external_acl_type ldapgroup
>%LOGIN....
>
See above.

>Thanks already.
>Regards.
>
Regards.

Ghislain Garçon
Received on Tue Nov 15 2005 - 00:34:40 MST
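To make the %v / %a substitution concrete, here is an added Python mock of the exchange (not code from the thread and not Squid's own squid_ldap_group source): it takes the request line squid hands the helper (the %LOGIN plus the argument from the acl line), fills %v and %a into Henrik's -f template with RFC 2254 escaping of the values, and evaluates the resulting filter against a constructed in-memory directory that stands in for the LDAP server. The directory entries and the one-group-per-acl-line request format are assumptions for the demo.

```python
import re

# Henrik's -f template from this thread; %v takes the login, %a the group name
# given as the argument of the acl line.
FILTER_TEMPLATE = ("(&(objectclass=person)(cn=%v)"
                   "(groupMembership=cn=%a,ou=Proxygroups,o=Company))")

# RFC 2254 escaping for values placed inside a filter. Without it a login such as
# "*)(cn=*" would change the filter's structure instead of being matched literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(login: str, group: str, template: str = FILTER_TEMPLATE) -> str:
    """The search filter sent to the server for one (login, group) pair."""
    return (template.replace("%v", escape_filter_value(login))
                    .replace("%a", escape_filter_value(group)))

# Constructed toy directory standing in for the LDAP server (hypothetical entries):
# person cn -> its groupMembership values.
DIRECTORY = {
    "Tim": ["cn=googleallowed,ou=Proxygroups,o=Company"],
    "Tina": ["cn=googleallowed,ou=Proxygroups,o=Company",
             "cn=admins,ou=Proxygroups,o=Company"],
    "Bob": [],
}

def evaluate_filter(ldap_filter: str) -> bool:
    """Evaluate a filter of the template's shape against DIRECTORY; values are
    unescaped and compared literally, so an escaped '*' is not a wildcard."""
    cn = re.search(r"\(cn=([^()]*)\)", ldap_filter)
    gm = re.search(r"\(groupMembership=([^()]*)\)", ldap_filter)
    if not cn or not gm:
        return False
    login = unescape_filter_value(cn.group(1))
    return unescape_filter_value(gm.group(1)) in DIRECTORY.get(login, [])

def handle_helper_line(line: str) -> str:
    """One request line as squid sends it: '<login> <group> [<group> ...]', i.e. the
    %LOGIN from external_acl_type followed by the acl line's argument(s).
    Answers OK when the login is a member of any listed group, otherwise ERR."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"
    login, groups = fields[0], fields[1:]
    return "OK" if any(evaluate_filter(build_filter(login, g)) for g in groups) else "ERR"
```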
