Re: [squid-users] Help Please : NT Domain name stripping in squid_ldap_group

From: Chris Robertson <crobertson_at_gci.net>
Date: Fri, 10 Jul 2009 11:13:05 -0800

Clayton York wrote:
> Hi All,
>
>
> I am a newbie to Linux and squid and require some assistance please.
>
> I am running a server on CENTOS release 5.2 (Final), and have configured squid (2.6.STABLE21-3) for ldap group authentication with Active Directory.
> I have seen in the man page for the squid_ldap_group there is an -S option to strip the NT domain name from the username. I have added the -S to our squid.conf file, squid_ldap_group section; however, this does not seem to strip the domain name, as from the access.log file I can see that squid still passes the domain\username through to AD, which then fails.
>
> Please find my squid authentication configuration below.
>
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f sAMAccountName=%s -h 10.3.1.216
> auth_param basic children 5
> auth_param basic realm Your Organisation Name
> auth_param basic credentialsttl 1 hour
>
>
> external_acl_type InetGroup ttl=60 %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%a,ou=SquidUsers,dc=bbdnet,dc=bbd,dc=co,dc=za))" -S -h 10.3.1.216
>

You are using %v and %a in the search filter, but the man page reads...

      -f filter
              LDAP search filter used to search the LDAP directory for any
              matching group memberships. In the filter %u will be replaced
              by the user name (or DN if the -F or -u options are used) and %g
              by the requested group name.

>
> acl InetAccess external InetGroup SquidUsersAllow
>
>
> Please if anyone has any insight into what I might be missing please let me know.
>
>
> Thank you,
>
> Clayton York
>

Chris
Received on Fri Jul 10 2009 - 19:13:21 MDT
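
A check for the placeholder point raised in the reply above, as an added example that is not part of the original thread or of Squid. It flags -f placeholders other than the two named in the quoted man page excerpt, and goes one step further by comparing the dc= suffix of any DN in the filter with the -b base, which is a heuristic; the names lint_helper_line and dc_parts are hypothetical.

```python
import re
import shlex

# Placeholders named in the man page excerpt quoted in the reply.
DOCUMENTED = {"%u", "%g"}

def dc_parts(dn):
    """Lower-cased dc= components of a DN, in order."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return [p for p in parts if p.startswith("dc=")]

def lint_helper_line(line):
    """Return findings for one external_acl_type squid_ldap_group line."""
    args = shlex.split(line)
    opts = {a: args[i + 1] for i, a in enumerate(args[:-1]) if a in ("-b", "-f")}
    base, flt = opts.get("-b", ""), opts.get("-f", "")
    findings = []
    for ph in sorted(set(re.findall(r"%[A-Za-z]", flt))):
        if ph not in DOCUMENTED:
            findings.append(f"{ph}: not a placeholder documented for -f")
    # Heuristic (assumption): a DN-valued assertion shares the dc= suffix of -b.
    for attr, value in re.findall(r"\(([^()=]+)=([^()]*)\)", flt):
        if "dc=" in value.lower() and dc_parts(value) != dc_parts(base):
            findings.append(f"{attr}: DN suffix differs from -b base")
    return findings

# The external_acl_type line as it appears in the quoted message.
PAGE_LINE = (
    'external_acl_type InetGroup ttl=60 %LOGIN /usr/lib64/squid/squid_ldap_group '
    '-R -b "dc=domnet,dc=bbd,dc=co,dc=za" '
    '-D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" '
    '-f "(&(objectclass=person)(sAMAccountName=%v) '
    '(memberof=cn=%a,ou=SquidUsers,dc=bbdnet,dc=bbd,dc=co,dc=za))" -S -h 10.3.1.216'
)

# Constructed variant: documented placeholders and one dc= suffix throughout.
# Which suffix is right for the real directory is not known from the thread.
CLEAN_LINE = (
    PAGE_LINE.replace("%v", "%u").replace("%a", "%g").replace("dc=bbdnet", "dc=domnet")
)

if __name__ == "__main__":
    for name, line in (("page", PAGE_LINE), ("constructed", CLEAN_LINE)):
        print(name, lint_helper_line(line))
```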
