Re: [squid-users] How to install squid with ldap

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Thu, 10 Aug 2006 22:44:11 +0200

tor 2006-08-10 klockan 13:52 -0300 skrev Alejandro Decchi:
> Anybody know how to install squid with ldap with all packages to
> authenticate by Active Directory of Windows 2003 server. Because I had a lot
> of problems to install it after installing squid.

There are several guides explaining this, and the examples in the
squid_ldap_auth man page also cover much of it.

What you need to know:

a) Your AD domain name

b) The AD server addresses

c) A server account for the proxy to use when looking up the users,
unless your AD is configured to allow anonymous access (most don't allow
this).

d) The container name where your users are located.

It's absolutely best if you have AD tools which will tell you the LDAP
names of the above things ('c' and 'd'), as it is not entirely obvious
how to map the visible AD names to LDAP if you haven't done it before.
When you have the AD names of things, plug these into the last example in
the squid_ldap_auth manual.

       If you want to search for the user DN and your directory does not allow
       anonymous searches then you must also use the -D and -w flags to specify
       a user DN and password to log in as to perform the searches, as in the
       following complex Active Directory example

              squid_ldap_auth -P -R -b "dc=your,dc=domain" -D
              "cn=squid,cn=users,dc=your,dc=domain" -w "secretsquidpassword"
              -f "(&(userPrincipalName=%s)(objectClass=Person))" activedirectoryserver

First try this from the command line. If it works, then do the same from
squid.conf auth_param basic, and verify the authentication with a
browser.

When authentication works, move to group authorization with
squid_ldap_group. There are at least two different methods to use
squid_ldap_group with AD: either verifying that the user has the group
object as member, or that the group object has the user as member (the
two are cross-linked in AD). I don't have any ready example of these,
but the options are pretty much the same as for squid_ldap_auth, except
that what is given as -f to squid_ldap_auth is given as -F to
squid_ldap_group, and -f instead takes a group filter like
-f "(&(cn=%g)(member=%u))".

Regards
Henrik
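
The two steps Henrik describes (basic authentication with squid_ldap_auth, then group authorization with squid_ldap_group), wired together in a squid.conf fragment. This is an added example, not part of the original post or the Squid project's documentation; it assumes the helper path /usr/lib/squid/ and the group name "Internet Users", and reuses the placeholder DN, password and server values from the man page excerpt quoted in the message.

```conf
# Added example (not from the original post). Assumed values: helper path
# /usr/lib/squid/, the AD group "Internet Users"; the DNs, bind password
# and server name are the placeholders from the squid_ldap_auth man page.

# Step 1: Basic authentication against AD with squid_ldap_auth.
# Same options as the man page example. Test the helper on the command
# line first (type "user password", expect "OK") before using it here.
auth_param basic program /usr/lib/squid/squid_ldap_auth -P -R \
    -b "dc=your,dc=domain" \
    -D "cn=squid,cn=users,dc=your,dc=domain" -w "secretsquidpassword" \
    -f "(&(userPrincipalName=%s)(objectClass=Person))" \
    activedirectoryserver
auth_param basic children 5
auth_param basic realm Proxy (Active Directory login)
auth_param basic credentialsttl 5 minutes

# Step 2: Group authorization with squid_ldap_group. The user filter moves
# from -f to -F; -f now takes the group filter. %u is the user DN located
# by the -F search, %g is the group name passed on the acl line below,
# so this checks that the group object lists the user as a member.
external_acl_type ad_group %LOGIN /usr/lib/squid/squid_ldap_group -P -R \
    -b "dc=your,dc=domain" \
    -D "cn=squid,cn=users,dc=your,dc=domain" -w "secretsquidpassword" \
    -F "(&(userPrincipalName=%s)(objectClass=Person))" \
    -f "(&(cn=%g)(member=%u))" \
    activedirectoryserver

acl authenticated proxy_auth REQUIRED
acl internet_users external ad_group "Internet Users"

# Only members of the group get out; other authenticated users are denied.
http_access allow internet_users
http_access deny authenticated
http_access deny all
```

Because squid.conf now carries the bind account's password, restrict read access to the file to the account Squid runs as.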

Received on Thu Aug 10 2006 - 14:44:17 MDT
