[squid-users] Question about ldap_group external acl setting

From: Bunpot Thanaboonsombut <bunpotth@dont-contact.us>
Date: Wed, 23 Nov 2005 14:31:32 +0700

Hi all,

I have a question about configuring ldap_group external acl. I want to
grant access to Squid based on user groups in Active Directory.

** The problem is when users authenticate, user will gain incorrect
credential which not based on their group in LDAP. Users will be
received credential from the first line of access control list which
is "Admin" as explain below.

Detailed Explaination:
================

My Active Directory schema is structured as follows

ou=Accounts,dc=abc,dc=com

Under ou=Account, there are 3 user groups as follows:
1. ou=Admin,ou=Accounts,dc=abc,dc=com
2. ou=Accounting,ou=Accounts,dc=abc,dc=com
3. ou=Marketing,ou=Accounts,dc=abc,dc=com

I want to distinguish the users based on their OU which are
Admin,Account and Marketing. To accomphish this, I set up
squid_ldap_auth and squid_ldap_group to authenticate and authorize the
users from Active Directory.

(1) I use squid_ldap_auth helper to authenticate the users and it
works fine. Following line is setting for squid_ldap_auth helper.

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
"dc=abc,dc=com" -D "cn=squid,ou=Admin,ou=Accounts,dc=abc,dc=com" -w
password -f "(&(userPrincipalName=%s)(objectClass=person))" 10.0.0.5

(2) However, when users are authenticated successfully, they will be
got a wrong credential. Squid will recognize all users as Admin group
which is the first line of acl.
Following lines are my setting for ldap_group external acl.

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b
"ou=Accounts,dc=abc,dc=com" -D
"cn=squid,ou=Admin,ou=Accounts,dc=abc,dc=com" -w password -f
"(&(ou=%g)(objectClass=organizationalUnit))" 10.0.0.5

acl Admin external ldap_group Admin
acl Accounting external ldap_group Accounting
acl Marketing external ldap_group Marketing

I think ldap_group setting is incorrect but cannot figure it out.
Please give me a clue because I cannot find which one is incorrect.

Best Regards,
Bunpot T.
Received on Wed Nov 23 2005 - 00:31:37 MST

This archive was generated by hypermail pre-2.1.9 : Thu Dec 01 2005 - 12:00:10 MST