Re: [squid-users] Help Please : NT Domain name stripping in squid_ldap_group from Erwann PENCREACH on 2009-07-10 (squid-users)

From: Erwann PENCREACH <erwann.pencreach_at_ch-chaumont.fr>
Date: Fri, 10 Jul 2009 13:38:22 +0200

Hi,

there is no access rule below

You need at least one to grant or deny access

for instance this is one of mine :

####
external_acl_type loggeduser %DST %SRC /squid_script_path/loggeduser_acl.sh

acl isok external loggeduser

http_access allow isok
###

where /squid_script_path/loggeduser_acl.sh
get uid of the user logged on %SRC (ask samba to tell), check acces type
to the internet defined in a ldap directory

then return OK or KO depending on the url and the effective rights

Clayton York a �crit :
> Hi All,
>
>
> I am a newbie to Linux and squid and require some assistance please.
>
> I am running a server on CENTOS release 5.2 (Final), and have configured squid (2.6.STABLE21-3) for ldap group authentication with Active Directory.
> I have seen in the man page for the squid_ldap_group there is an -S option to strip the NT domain name from the username. I have added the -S to our squid.conf file, squid_ldap_group section however this does not seem to strip the domain name as from the access.log file I can see that squid still passes the domain\username through to AD which then fails.
>
> Please find my squid authentication configuration below.
>
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f sAMAccountName=%s -h 10.3.1.216
> auth_param basic children 5
> auth_param basic realm Your Organisation Name
> auth_param basic credentialsttl 1 hour
>
>
> external_acl_type InetGroup ttl=60 %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%a,ou=SquidUsers,dc=bbdnet,dc=bbd,dc=co,dc=za))" -S -h 10.3.1.216
>
>
> acl InetAccess external InetGroup SquidUsersAllow
>
>
> Please if anyone has any insight into what I might be missing please let me know.
>
>
> Thank you,
>
> Clayton York
> --
> Ce courrier �lectronique a �t� v�rifi� et est exempt de virus connus � ce jour.
> Contactez votre administrateur pour plus de renseignement.
> postmaster_at_ch-chaumont.fr

-- Ce courrier �lectronique a �t� v�rifi� et est exempt de virus connus � ce jour. Contactez votre administrateur pour plus de renseignement. postmaster_at_ch-chaumont.fr

text/x-vcard attachment: erwann_pencreach.vcf

Received on Fri Jul 10 2009 - 11:38:36 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 10 2009 - 12:00:02 MDT