[squid-users] Antwort: RE: [squid-users] Antwort: RE: [squid-users] Squid LDAP Group authentication

From: Saqib Khan (horiba/eu) <saqib.khan@dont-contact.us>
Date: Wed, 6 Sep 2006 15:51:24 +0200




yes,

auth_param basic program /usr/lib/squid_ldap_auth -R -b "dc=test,dc=eu" -D "cn=test1,cn=Users,dc=test,dc=eu" -w "test" -f sAMAccountName=%s -h xxx.xxx.xxx.xx

Also the users & the group are under the cn User.

Best Regards,

Saqib Sultan Khan
Network Administrator
Horiba Europe GmbH
Hans-Mess-str. 6
61440 Oberursel

Tel: +49 6172-1396-125
Fax: +49 6172-137385
saqib.khan@horiba.com

-----Original Message-----
From: "Janco van der Merwe" <jvdmerwe@dunns.co.za>
Sent: 06.09.2006 15:39
To: "Saqib Khan (horiba/eu)" <saqib.khan@horiba.com>
Cc: "squid-users@squid-cache.org" <squid-users@squid-cache.org>
Subject: RE: [squid-users] Antwort: RE: [squid-users] Squid LDAP Group authentication

Did you edit the auth_param section to use the squid_ldap_group? If you did,
send me a copy of your conf file and I will compare it to mine and make the
necessary adjustments.

Also, one thing that I noticed when I did it is that the user group should
be under the User cn and not under any OU; for some or other reason it did
not accept the OUs. Also make sure to specify the correct AD group and that
all the variables are correct.

Janco v.d Merwe
Network Administrator
Dunns Stores (PTY) Ltd
Switchboard: 011 541 3000
Direct: 011 541 3007
Fax: 086 632 1708

-----Original Message-----
From: Saqib Khan (horiba/eu) [mailto:saqib.khan@horiba.com]
Sent: 06 September, 2006 15:09
To: Janco van der Merwe
Cc: squid-users@squid-cache.org
Subject: [squid-users] Antwort: RE: [squid-users] Squid LDAP Group
authentication




No, still the same. I still can use any user to access internet. Here is my
conf according to your suggestion:-

external_acl_type Internet %LOGIN /usr/lib/squid_ldap_group -R -b
"dc=test,dc=eu" -D "cn=test,cn=Users,dc=test,dc=eu" -w "test" -f "
(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Testgroup,
,OU=Testgroup,OU=Users,dc=test,dc=eu))" -h xxx.xxx.xxx.xxx

acl ldap proxy_auth REQUIRED

acl Localnet external Internet Testgroup

http_access allow ldap Localnet Safe_ports

Best Regards,

Saqib

-----Original Message-----
From: "Janco van der Merwe" <jvdmerwe@dunns.co.za>
Sent: 06.09.2006 14:19
To: "Saqib Khan (horiba/eu)" <saqib.khan@horiba.com>, "squid-users@squid-cache.org" <squid-users@squid-cache.org>
Subject: RE: [squid-users] Squid LDAP Group authentication

Under “TAG: auth_param” section enter the following

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=dunns,dc=co,dc=za" -D "cn=ldapreader,cn=users,dc=mydomain,dc=com" -w "ldappassword" -f sAMAccountName=%s -h xxx.xxx.xxx.xxx

Under “TAG: external_acl_type” section enter the following

external_acl_type internetusergroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=mydomain,dc=com" -D "cn=ldapreader,cn=Users,dc=mydomain,dc=com" -w "ldappassword" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=internetusers, ,OU=xxx Groups,OU=xxx,dc=mydomain,dc=com))" -h xxx.xxx.xxx.xxx



acl ldappassword proxy_auth REQUIRED
acl internetgroup external internetusergroup internetusers

http_access allow ldappassword internetgroup Safe_ports

This works


Janco v.d Merwe
Network Administrator
Dunns Stores (PTY) Ltd
Switchboard: 011 541 3000
Direct: 011 541 3007
Fax: 086 632 1708

-----Original Message-----
From: Saqib Khan (horiba/eu) [mailto:saqib.khan@horiba.com]
Sent: 06 September, 2006 13:47
To: squid-users@squid-cache.org
Subject: [squid-users] Squid LDAP Group authentication



Dear all,

I am having some configuration problems with squid_ldap_group
authentication. I created a Testgroup namely "Testgroup" in AD containing a
test user. But if I use a user which is not a member of that group, I still
can access the internet. Here is my squid configuration:-

Tag:external_ACL
external_acl_type Internet %LOGIN /usr/lib/squid_ldap_group -R -b
"dc=test,dc=com" -D "cn=test,cn=Users,dc=horiba,dc=eu" -w "test1" -f "
(&(objectclass=person)(sAMAccountName=%v)(memberof=cn
=%a,cn=Testgroup,cn=Users,dc=test,dc=com))" -h xxx.xxx.xxx.xxx

Tag:ACL

acl Localnet external Internet Testgroup

Tag:http_access
http_access allow Localnet

Best Regards,

Saqib




____________________________________________________________________________
This communication and any attachments are confidential and intended for
the sole use of the
intended recipient.  Any form of copying or disclosure of this
communication to any third parties
without permission is prohibited.  The contents of this communication and
its attachments are
not intended to be relied upon in law without subsequent written
confirmation.  As such, Dunns
Stores (Pty) Ltd accept no responsibility or liability (including
negligence) for the consequences
of anyone acting, or not acting, on information contained therein.

If you have received this communication in error please notify us
immediately and destroy or
delete it.
____________________________________________________________________________








Received on Wed Sep 06 2006 - 07:49:34 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Oct 01 2006 - 12:00:03 MDT
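
Added example, not part of the original messages: a small Python check that expands the -f filter the way the configs in this thread rely on (assumed: squid_ldap_group replaces %v with the login and %a with the group name from the acl line) and tests whether the memberof term is exactly the group's DN, since Active Directory compares memberOf against the full DN. The group DNs, the login jdoe and the CANDIDATE filter are constructed for illustration.

```python
import re

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def expand_filter(template, user, group):
    """Assumed helper behaviour: %v -> login name, %a -> group from the acl line."""
    values = {'v': escape_filter_value(user), 'a': escape_filter_value(group)}
    return re.sub(r'%([va])', lambda m: values[m.group(1)], template)

def split_dn(dn):
    """Split a DN on unescaped commas; trim and lower-case each RDN."""
    return [rdn.strip().lower() for rdn in re.split(r'(?<!\\),', dn)]

def check_filter(template, user, group, group_dn):
    """Return the reasons the expanded filter cannot match group_dn exactly."""
    expanded = expand_filter(template, user, group)
    m = re.search(r'\(memberof=([^()]*)\)', expanded, re.IGNORECASE)
    if m is None:
        return ['no memberof term in filter']
    problems = []
    rdns = split_dn(m.group(1))
    if '' in rdns:
        problems.append('empty RDN (stray comma) in memberof DN')
    if [r for r in rdns if r] != split_dn(group_dn):
        problems.append('memberof DN is not the group DN: ' + m.group(1))
    return problems

# Filters from the thread with mail line wraps joined; the group DNs are
# constructed from the statement that the group sits under cn=Users.
FIRST = ('(&(objectclass=person)(sAMAccountName=%v)'
         '(memberof=cn=%a,cn=Testgroup,cn=Users,dc=test,dc=com))')
SECOND = ('(&(objectclass=person)(sAMAccountName=%v)'
          '(memberof=cn=Testgroup, ,OU=Testgroup,OU=Users,dc=test,dc=eu))')
# Constructed variant: %a supplies the group name exactly once.
CANDIDATE = ('(&(objectclass=person)(sAMAccountName=%v)'
             '(memberof=cn=%a,cn=Users,dc=test,dc=eu))')

if __name__ == '__main__':
    for name, tmpl, dn in (
            ('first', FIRST, 'cn=Testgroup,cn=Users,dc=test,dc=com'),
            ('second', SECOND, 'cn=Testgroup,cn=Users,dc=test,dc=eu'),
            ('candidate', CANDIDATE, 'cn=Testgroup,cn=Users,dc=test,dc=eu')):
        print(name, check_filter(tmpl, 'jdoe', 'Testgroup', dn) or 'ok')
```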