[squid-users] squid_ldap_group against nested groups/Ous

From: Mike Ely <mikeely_at_amyskitchen.net>
Date: Mon, 24 Nov 2008 13:04:02 -0800

Hi there,

I've tried this a couple of different ways without any success. I have
squid_ldap_group working fine if the user queried is a member of the listed
group, but if I try to pick up the user by reference (putting a group
containing that user within the effective group), it fails. Users are
authenticated via squid_ldap_auth without any trouble.

Here's the use case: acl to prevent unauthorized users from accessing the
web, adding users to specific groups gives them access to specific websites
or the entire Internet. Since we have a few hundred users, adding each one
individually to whichever group they need to be in is not practical.

Right now, it works fine if I put the acl groups in the Users container or
create a top-level OU and put the groups in there, but only if the user is
directly a member of the acl group. What I need to do is be able to use
nested groups. (Sorry, it looks like I've stated this two different ways.)

Here's the relevant portion of squid.conf. Our DC is a Win2k server (for now
at least); the proxy box is running squid 2.6 on CentOS, but I have repeated the
problem with squid 3.0 on Debian:

Group lookup:

external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group \
-b "dc=example,dc=com" \
-D "cn=lookupuser,cn=Users,dc=example,dc=com" \
-w "password" \
-f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=WebAccess,dc=example,dc=com))" \
-h ldapserver

And one of the ACLs:

acl AllWebAccess external InetGroup allweb
http_access allow AllWebAccess

I'd rather use LDAP for this than winbind for various reasons.

Thanks in advance,
Mike Ely
Received on Mon Nov 24 2008 - 21:04:12 MST
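The following is an added example, not code from the original post or from the Squid project. It models offline why the posted filter only matches direct members: the filter tests the memberOf attribute of the user entry alone, while a nested membership shows up as a memberOf value on the inner group, so the lookup has to walk memberOf transitively. The directory contents, the user and group names (jdoe, mikeely, sales, loop1, loop2) and the helper_line function are all constructed for the example; the DN layout (ou=WebAccess,dc=example,dc=com) follows the post. The walk carries a visited set and a depth bound, because an external ACL helper must not spin forever on a group cycle, and it answers ERR (fail closed) for an unknown login.

```python
# Added example, not part of the original post or of squid_ldap_group.
# Offline model of a nested-group check for a squid external_acl helper.
from typing import Dict, List, Optional

BASE_DN = "dc=example,dc=com"
GROUP_OU = "ou=WebAccess," + BASE_DN          # where the acl groups live, as in the post


def norm(dn: str) -> str:
    """Normalise a DN for comparison (AD DNs are case-insensitive, spacing varies)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed sample directory (hypothetical data, not the poster's AD):
# entry DN -> attributes. memberOf is AD's back-link attribute, so when the
# group "sales" is a member of "allweb", the memberOf value lives on "sales",
# not on the users inside it. That is exactly what the flat filter misses.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=jdoe,cn=Users,dc=example,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["jdoe"],
        "memberOf": ["cn=allweb,ou=WebAccess,dc=example,dc=com"]},   # direct member
    "cn=mikeely,cn=Users,dc=example,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["mikeely"],
        "memberOf": ["cn=sales,ou=WebAccess,dc=example,dc=com"]},    # member via sales
    "cn=nobody,cn=Users,dc=example,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["nobody"], "memberOf": []},
    "cn=loopy,cn=Users,dc=example,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["loopy"],
        "memberOf": ["cn=loop1,ou=WebAccess,dc=example,dc=com"]},    # only in a cycle
    "cn=sales,ou=WebAccess,dc=example,dc=com": {
        "objectClass": ["group"],
        "memberOf": ["cn=allweb,ou=WebAccess,dc=example,dc=com"]},   # sales nested in allweb
    "cn=allweb,ou=WebAccess,dc=example,dc=com": {
        "objectClass": ["group"], "memberOf": []},
    "cn=loop1,ou=WebAccess,dc=example,dc=com": {
        "objectClass": ["group"],
        "memberOf": ["cn=loop2,ou=WebAccess,dc=example,dc=com"]},
    "cn=loop2,ou=WebAccess,dc=example,dc=com": {
        "objectClass": ["group"],
        "memberOf": ["cn=loop1,ou=WebAccess,dc=example,dc=com"]},    # loop1 <-> loop2 cycle
}
_BY_DN = {norm(dn): attrs for dn, attrs in DIRECTORY.items()}


def find_user(login: str) -> Optional[str]:
    """Equivalent of (&(objectclass=person)(sAMAccountName=login)); returns the DN or None."""
    for dn, attrs in _BY_DN.items():
        if "person" in attrs["objectClass"] and attrs["sAMAccountName"][0].lower() == login.lower():
            return dn
    return None


def group_dn(name: str) -> str:
    """Build the group DN the same way the posted filter does: cn=<group>,ou=WebAccess,..."""
    return norm("cn=" + name + "," + GROUP_OU)


def direct_member(login: str, group: str) -> bool:
    """What the posted -f filter tests: memberOf on the user entry only."""
    user = find_user(login)
    if user is None:
        return False
    return group_dn(group) in [norm(g) for g in _BY_DN[user]["memberOf"]]


def nested_member(login: str, group: str, max_depth: int = 32) -> bool:
    """Breadth-first walk of memberOf from the user through intermediate groups.
    'visited' stops group cycles; max_depth bounds the work done per request."""
    user = find_user(login)
    if user is None:
        return False
    target = group_dn(group)
    frontier, visited = [user], {user}
    for _ in range(max_depth):
        next_level = []
        for dn in frontier:
            for parent in (norm(g) for g in _BY_DN.get(dn, {}).get("memberOf", [])):
                if parent == target:
                    return True
                if parent not in visited:
                    visited.add(parent)
                    next_level.append(parent)
        if not next_level:
            break
        frontier = next_level
    return False


def helper_line(line: str) -> str:
    """external_acl helper protocol: '<login> <group> [<group>...]' -> 'OK' or 'ERR'.
    Anything malformed or unknown is denied (fail closed)."""
    parts = line.split()
    if len(parts) < 2:
        return "ERR"
    login, groups = parts[0], parts[1:]
    return "OK" if any(nested_member(login, g) for g in groups) else "ERR"


if __name__ == "__main__":
    import sys
    for raw in sys.stdin:               # one request per line, one answer per line
        print(helper_line(raw), flush=True)
```

Against a live directory the walk would be one LDAP search per level (read memberOf of the DNs found so far) instead of dictionary lookups, and the login must be escaped per RFC 4515 before it is spliced into a filter. Where the DC supports the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941, introduced with Windows Server 2003 SP2, so not on the Windows 2000 DC described in the post), the server can do the transitive expansion inside the filter, e.g. `(memberof:1.2.840.113556.1.4.1941:=cn=%a,ou=WebAccess,dc=example,dc=com)` in place of the plain memberof clause; that is an assumption about the target environment, not something the post confirms.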