Re: [squid-users] Re: Re: Re: Re: Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 07 Aug 2012 01:02:24 +1200

On 7/08/2012 12:07 a.m., Eugene M. Zheganin wrote:
> Hi.
>
> On 06.08.2012 16:48, Markus Moeller wrote:
>> Hi Eugene,
>>
>> What would a squid_group_ldap line look like? Where would
>> the group name come from? I could try to add this feature.
>>
>
> That would be awesome.
>
> squid_group_ldap is expecting to see the username along with the group
> name to check the membership in on its stdin. It looks the same way
> your helper works, just with a group name. At the same time, in a
> config file you could describe the group directly, or supply a
> filename which contains the group name (I prefer a filename, for
> example).
>
> My squid.conf prior to using squid_kerb_ldap helper used to look like:
>
> ===Cut===
> external_acl_type ldap_group ttl=60 negative_ttl=60 children=40 %LOGIN \
>     /usr/local/libexec/squid/squid_ldap_group \
>     -b cn=Users,dc=norma,dc=com \
>     -f "(&(cn=%g)(member=%u)(objectClass=group))" \
>     -F "sAMAccountname=%s" \
>     -D cn=dca,cn=Users,dc=norma,dc=com \
>     -W /usr/local/etc/squid/ad.passwd -h hq-gc.norma.com -v 3 -p 389
>
> acl ad-internet-users external ldap_group "/usr/local/etc/squid/ad-internet-users.acl"

To clarify: when the squid.conf "acl blah external" line contains a
value, or set of values, or file full of values - like above - after the
helper label, the values are sent as additional space-delimited "words"
appended to the external_acl_type format.

What the above defines is a stdin line to the helper which looks like:
   <login> <group1> <group2> ...

Markus: you can see an example in the LDAP_group helper code. Look for
rfc1738_unescape(group) in the main while loop.

Amos
Received on Mon Aug 06 2012 - 13:03:18 MDT
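
The stdin line described above, `<login> <group1> <group2> ...`, parsed the way a helper's read loop could handle it, as an added example (not code from Squid or from the LDAP_group helper). `pct_unescape`, `next_word` and `parse_helper_line` are hypothetical names, `pct_unescape` is a stand-in for the `rfc1738_unescape` call mentioned above, and the sample line is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the helper's rfc1738_unescape(): decode %XX in place.
 * "%00" and malformed escapes stay literal so a word is never truncated. */
static void pct_unescape(char *s) {
    char *out = s;
    for (; *s; s++) {
        if (*s == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            long v = strtol(hex, NULL, 16);
            if (v != 0) { *out++ = (char)v; s += 2; continue; }
        }
        *out++ = *s;
    }
    *out = '\0';
}

/* Cut the next whitespace-delimited word out of *cur; NULL at end of line. */
static char *next_word(char **cur) {
    char *p = *cur + strspn(*cur, " \t\r\n");
    if (*p == '\0') return NULL;
    *cur = p + strcspn(p, " \t\r\n");
    if (**cur) *(*cur)++ = '\0';
    return p;
}

/* Parse "<login> <group1> ..." in place: split first, unescape second, so an
 * escaped space (%20) cannot add a word. Returns group count, -1 if incomplete. */
int parse_helper_line(char *line, char **login, char **groups, int max_groups) {
    int n = 0;
    char *g;
    if ((*login = next_word(&line)) == NULL) return -1;
    pct_unescape(*login);
    while (n < max_groups && (g = next_word(&line)) != NULL) {
        pct_unescape(g);
        groups[n++] = g;
    }
    return n > 0 ? n : -1;
}

int main(void) {
    char line[] = "DOMAIN%5Cjane%20doe Internet%20Users vpn-users\n"; /* constructed */
    char *login, *groups[8];
    int n = parse_helper_line(line, &login, groups, 8);
    for (int i = 0; i < n; i++) printf("check [%s] in [%s]\n", login, groups[i]);
    return 0;
}
```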
