Re: [squid-users] squid_ldap_group : need help for setting up time and group restriction ACLs...

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 15 Dec 2010 21:36:35 +0000

On Wed, 15 Dec 2010 14:06:59 +0100, François Bastien wrote:
> So, in the end I'll be using Amos's settings so I can manage only one
> group:
>
> http_access allow ldapgroup-unrestricted
> http_access deny work_unrelated !acl_lunchbreak_time
> http_access allow authenticated
> http_access deny all
>
> I'm currently at the next step: debugging... And I found something
> quite interesting :
>
> aclMatchExternal: ldapgroup("domain%5Cuser unrestricted") = lookup needed
> aclMatchAclList: no match, returning 0
> externalAclLookup: lookup in 'ldapgroup' for 'domain%5Cuser unrestricted'
> externalAclHandleReply: reply="ERR"
>
> So it seems that the username given to the squid_ldap_group helper is
> wrong because of the "%5C".
> Maybe I should strip the domain\ from the username?

Aha. The line fields are URL-encoded according to RFC 1738 specs. The
helper is supposed to decode. You can drop the domain for a workaround, but
there may be users with special letters or punctuation in their names which
hit this as well (i.e. the "c" in your first name).

Amos
Received on Wed Dec 15 2010 - 21:36:40 MST
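
The decoding step described in the reply above, as an added example that is not part of the original thread and not squid_ldap_group's own code. It goes slightly beyond the thread by also escaping the decoded value for an LDAP filter; the `MEMBERS` table, the filter template and the Latin-1 fallback are assumptions made for illustration.

```python
import sys
from urllib.parse import unquote_to_bytes

# Constructed membership table standing in for the real LDAP lookup.
MEMBERS = {"unrestricted": {"user"}}

def decode_field(token):
    """Undo the %XX escaping Squid applies to one helper field."""
    raw = unquote_to_bytes(token)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        # Assumption: bytes that are not valid UTF-8 are Latin-1.
        return raw.decode("latin-1")

def parse_request(line):
    """Split on whitespace first, then decode each field, so an escaped
    space (%20) inside a username cannot shift the field boundaries."""
    fields = [decode_field(tok) for tok in line.split()]
    if len(fields) < 2:
        raise ValueError("expected '<user> <group> [<group> ...]'")
    return fields[0], fields[1:]

def strip_domain(user):
    """Drop a leading DOMAIN\\ prefix (the workaround from the thread)."""
    return user.rsplit("\\", 1)[-1]

def ldap_escape(value):
    """Escape a decoded value for use inside an LDAP filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def ldap_filter(user, group):
    # Hypothetical filter template; attribute names depend on the directory.
    return "(&(cn=%s)(uid=%s))" % (ldap_escape(group), ldap_escape(user))

def check(line):
    """Return the helper reply for one request line: 'OK' or 'ERR'."""
    try:
        user, groups = parse_request(line)
    except ValueError:
        return "ERR"
    user = strip_domain(user)
    return "OK" if any(user in MEMBERS.get(g, ()) for g in groups) else "ERR"

if __name__ == "__main__":
    for request in sys.stdin:
        print(check(request), flush=True)
```
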
