[squid-users] Re: squid_ldap_auth to authenticate on ActiveDirectory 2000

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Tue, 01 Aug 2006 18:10:57 +0200

On Tue, 2006-08-01 at 17:46 +0200, Janco van der Merwe wrote:

> Under auth_param
> auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=dunns,dc=co,dc=za" -D "cn=ldapreader,cn=users,dc=dunns,dc=co,dc=za" -w "ldappassword" -f sAMAccountName=%s -h (IP of DC)
>
> Under External ACL
> external_acl_type internetusergroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=dunns,dc=co,dc=za" -D "cn=ldapreader,cn=users,dc=dunns,dc=co,dc=za" -w "ldappassword" -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=internetusers,OU=Dunns Groups,OU=Dunns,dc=dunns,dc=co,dc=za))" -h (IP of DC)

I would modify it like this:

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=dunns,dc=co,dc=za" -D "cn=ldapreader,cn=users,dc=dunns,dc=co,dc=za" -w "ldappassword" -f "(&(objectclass=person)(sAMAccountName=%s))" -h (IP of DC)

external_acl_type internetusergroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=dunns,dc=co,dc=za" -D "cn=ldapreader,cn=users,dc=dunns,dc=co,dc=za" -w "ldappassword" -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,OU=Dunns Groups,OU=Dunns,dc=dunns,dc=co,dc=za))" -h (IP of DC)

i.e. have the ObjectClass=person in the squid_ldap_auth filter to make
sure logins are only possible to person objects, and use the %g for the
group name in squid_ldap_group to allow the group name to be specified
via the acl (as you also had done...)

acl internetgroup external internetusergroup internetusers

the ldappassword acl is not needed, unless you also have http_access
rules which should apply to all authenticated users no matter if they
are member of the internetusers group or not.

Regards
Henrik
Received on Tue Aug 01 2006 - 10:08:32 MDT
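As an added illustration of the two points in Henrik's reply (restricting the login filter to `objectclass=person`, and substituting `%s`/`%u`/`%g` into a filter), here is a small Python example that is not part of the thread and not Squid's `squid_ldap_auth`/`squid_ldap_group` code. It renders the two filter templates with RFC 4515 escaping of the substituted values and evaluates them against a constructed in-memory directory (the entries, the toy evaluator and its `search` function are all assumptions made for the example; the evaluator supports only `&` and `attr=value` with `*` wildcards). It shows why the `objectclass=person` term matters (a group object also carries a `sAMAccountName`) and what escaping does to a wildcard in a login name.

```python
import re

# Added example (not Squid's squid_ldap_auth/squid_ldap_group code): render the
# two filter templates from the thread with RFC 4515 escaping of the substituted
# values, and evaluate them against a small constructed in-memory directory.

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

# Filter templates as suggested in the reply (%s, %u, %g are the helper placeholders).
AUTH_FILTER = "(&(objectclass=person)(sAMAccountName=%s))"
GROUP_FILTER = ("(&(objectclass=person)(sAMAccountName=%u)"
                "(memberof=cn=%g,OU=Dunns Groups,OU=Dunns,dc=dunns,dc=co,dc=za))")

def render_filter(template, **values):
    """Substitute %<key> placeholders, escaping each value before insertion."""
    for key, val in values.items():
        template = template.replace("%" + key, escape_filter_value(val))
    return template

# --- toy filter evaluator (assumption): supports only (&...) and attr=value with '*' ---

def _parse(filt, pos=0):
    if filt[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if filt[pos] == "&":
        pos += 1
        children = []
        while filt[pos] == "(":
            node, pos = _parse(filt, pos)
            children.append(node)
        if filt[pos] != ")":
            raise ValueError("unterminated AND at %d" % pos)
        return ("and", children), pos + 1
    end = filt.index(")", pos)          # a raw ')' cannot occur in an escaped value
    attr, _, value = filt[pos:end].partition("=")
    return ("eq", attr.lower(), value), end + 1

def _value_regex(value):
    """Turn a filter value into a regex: \\XX -> literal character, '*' -> wildcard."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)   # AD string matching is case-insensitive

def _matches(node, entry):
    if node[0] == "and":
        return all(_matches(child, entry) for child in node[1])
    _, attr, value = node
    rx = _value_regex(value)
    return any(rx.fullmatch(v) for v in entry.get(attr, []))

def search(filt, directory):
    """Return the sorted sAMAccountNames of entries matching the filter."""
    node, _ = _parse(filt)
    return sorted(e["samaccountname"][0] for e in directory if _matches(node, e))

# Constructed directory: two users and the group itself (groups also carry sAMAccountName).
DIRECTORY = [
    {"objectclass": ["top", "person", "organizationalPerson", "user"],
     "samaccountname": ["janco"],
     "memberof": ["CN=internetusers,OU=Dunns Groups,OU=Dunns,DC=dunns,DC=co,DC=za"]},
    {"objectclass": ["top", "person", "organizationalPerson", "user"],
     "samaccountname": ["bob"], "memberof": []},
    {"objectclass": ["top", "group"], "samaccountname": ["internetusers"], "memberof": []},
]

if __name__ == "__main__":
    print(search(render_filter(AUTH_FILTER, s="janco"), DIRECTORY))            # ['janco']
    print(search(render_filter(AUTH_FILTER, s="internetusers"), DIRECTORY))    # [] (group, not person)
    print(search("(sAMAccountName=*)", DIRECTORY))                             # raw wildcard: all three
    print(search(render_filter("(sAMAccountName=%s)", s="*"), DIRECTORY))      # escaped wildcard: []
    print(search(render_filter(GROUP_FILTER, u="janco", g="internetusers"), DIRECTORY))  # ['janco']
    print(search(render_filter(GROUP_FILTER, u="bob", g="internetusers"), DIRECTORY))    # []
```

The bare `sAMAccountName=%s` filter from the original post would accept the group object `internetusers` as a login candidate, while the `(&(objectclass=person)(sAMAccountName=%s))` form does not; the escaping step is a general LDAP-filter requirement for any value taken from a client, independent of which helper performs the substitution.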
