[squid-users] squid_ldap_group troubles

From: Sergey A. Kobzar <ksa@dont-contact.us>
Date: Tue, 1 May 2007 14:09:14 +0300

Hello guys,

I'd like to use LDAP groups to set up access rights for users.

Current configuration:

===

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth \
  -b "ou=Users,dc=home" -v 3 localhost
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type ldap_group %LOGIN /usr/local/libexec/squid/squid_ldap_group \
  -b "ou=Groups,dc=home" -f "(&(memberUid=%u)(cn=%g))" -v 3 localhost \
  -D "cn=Guest,ou=DSA,dc=home" -w xxx

[skipped]

acl CONNECT method CONNECT
acl ldap_unlim external ldap_group squid-unlim

[skipped]

http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow ldap_unlim
http_access deny all

===

LDAP group:

$ ldapsearch -LLL -s sub -b "ou=Groups,dc=home" -D "cn=Guest,ou=DSA,dc=home" -w xxx "(&(memberUid=sak)(cn=squid-unlim))"
dn: cn=squid-unlim,ou=Groups,dc=home
objectClass: top
objectClass: posixGroup
cn: squid-unlim
gidNumber: 2001
memberUid: sak

squid_ldap_group looks like it is working:

# /usr/local/libexec/squid/squid_ldap_group -h 127.0.0.1 -b "ou=Groups,dc=home" -f "(&(memberUid=%u)(cn=%g))" -D "cn=Guest,ou=DSA,dc=home" -w xxx -v 3 -d
sak squid-unlim
Connected OK
group filter '(&(memberUid=sak)(cn=squid-unlim))', searchbase 'ou=Groups,dc=home'
OK

but when I try to access an Internet site, I get:

The following error was encountered:

Access Denied.
Access control configuration prevents your request from being allowed
at this time. Please contact your service provider if you feel this is
incorrect.

In slapd.log:

May 1 14:00:28 pixel slapd[744]: conn=255 fd=21 ACCEPT from IP=127.0.0.1:51366 (IP=127.0.0.1:389)
May 1 14:00:28 pixel slapd[744]: conn=255 op=0 BIND dn="uid=sak,ou=Users,dc=home" method=128
May 1 14:00:28 pixel slapd[744]: conn=255 op=0 BIND dn="uid=sak,ou=Users,dc=home" mech=SIMPLE ssf=0
May 1 14:00:28 pixel slapd[744]: conn=255 op=0 RESULT tag=97 err=0 text=
May 1 14:00:28 pixel slapd[744]: conn=255 op=1 UNBIND
May 1 14:00:28 pixel slapd[744]: conn=255 fd=21 closed
May 1 14:00:28 pixel slapd[744]: conn=256 fd=21 ACCEPT from IP=127.0.0.1:50849 (IP=127.0.0.1:389)
May 1 14:00:28 pixel slapd[744]: conn=256 op=0 SRCH base="ou=Groups,dc=home" scope=2 deref=0 filter="(&(memberUid=sak)(cn=squid-unlim))"
May 1 14:00:28 pixel slapd[744]: conn=256 op=0 SRCH attr=1.1
May 1 14:00:28 pixel slapd[744]: conn=256 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 1 14:00:28 pixel slapd[744]: conn=256 op=1 UNBIND
May 1 14:00:28 pixel slapd[744]: conn=256 fd=21 closed

# squid -v
Squid Cache: Version 2.6.STABLE12

Where am I wrong?

Thanks for any help.

-- 
Best regards,
 Sergey                          mailto:ksa@uaic.net
Received on Tue May 01 2007 - 05:09:13 MDT
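The slapd excerpt in the post records the group search on conn=256 with no BIND on that connection and nentries=0. As an added example, not part of the original post or of Squid, here is a small Python analyzer that walks slapd-style log lines, tracks which DN each connection is bound as (a failed or empty BIND counts as anonymous), and reports searches that ran anonymously and returned nothing; the sample log is the post's own lines, abridged.

```python
import re

# Constructed sample: the slapd lines quoted in the post (abridged).
SAMPLE_LOG = """\
May 1 14:00:28 pixel slapd[744]: conn=255 fd=21 ACCEPT from IP=127.0.0.1:51366 (IP=127.0.0.1:389)
May 1 14:00:28 pixel slapd[744]: conn=255 op=0 BIND dn="uid=sak,ou=Users,dc=home" method=128
May 1 14:00:28 pixel slapd[744]: conn=255 op=0 BIND dn="uid=sak,ou=Users,dc=home" mech=SIMPLE ssf=0
May 1 14:00:28 pixel slapd[744]: conn=255 op=0 RESULT tag=97 err=0 text=
May 1 14:00:28 pixel slapd[744]: conn=255 op=1 UNBIND
May 1 14:00:28 pixel slapd[744]: conn=256 fd=21 ACCEPT from IP=127.0.0.1:50849 (IP=127.0.0.1:389)
May 1 14:00:28 pixel slapd[744]: conn=256 op=0 SRCH base="ou=Groups,dc=home" scope=2 deref=0 filter="(&(memberUid=sak)(cn=squid-unlim))"
May 1 14:00:28 pixel slapd[744]: conn=256 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 1 14:00:28 pixel slapd[744]: conn=256 op=1 UNBIND
"""

LINE_RE = re.compile(r"conn=(\d+) (op=(\d+) )?(.*)$")
BIND_RE = re.compile(r'^BIND dn="([^"]*)" method=')
BIND_RESULT_RE = re.compile(r"^RESULT tag=97 err=(\d+)")
SRCH_RE = re.compile(r'^SRCH base="([^"]*)" .*filter="([^"]*)"')
SRCH_RESULT_RE = re.compile(r"^SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)")

def analyze_slapd_log(text):
    """One record per search: connection, the DN it was bound as
    (None = anonymous, including a BIND that failed), filter, result."""
    pending_bind = {}   # conn -> DN offered in a BIND not yet answered
    bound_as = {}       # conn -> DN of the last successful BIND
    searches = {}       # (conn, op) -> record
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, rest = m.group(1), m.group(3), m.group(4)
        if (b := BIND_RE.match(rest)):
            pending_bind[conn] = b.group(1) or None   # dn="" is anonymous
        elif (r := BIND_RESULT_RE.match(rest)):
            bound_as[conn] = pending_bind.pop(conn, None) if r.group(1) == "0" else None
        elif (s := SRCH_RE.match(rest)):
            searches[(conn, op)] = {"conn": conn, "bind_dn": bound_as.get(conn),
                                    "base": s.group(1), "filter": s.group(2),
                                    "err": None, "nentries": None}
        elif (sr := SRCH_RESULT_RE.match(rest)):
            rec = searches.get((conn, op))
            if rec:
                rec["err"], rec["nentries"] = int(sr.group(1)), int(sr.group(2))
    return list(searches.values())

def anonymous_empty_searches(records):
    """Searches issued with no successful BIND on their connection that returned
    zero entries: the pattern to check when a helper works by hand but not from squid."""
    return [r for r in records if r["bind_dn"] is None and r["nentries"] == 0]
```

Run it over a real slapd log (loglevel stats) to see whether the group helper's searches arrive bound as the DSA account or anonymously, which the helper's own "OK" output does not tell you.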
