Re: [squid-users] squid_ldap_group authentication against Active Directory
What manual? man 8 squid_ldap_group?

Greetings
Christoph

-----Original Message-----
From: Henrik Nordstrom
To: Keppner, Christoph
Cc: '[EMAIL PROTECTED]'
Sent: 19.12.2003 02:45
Subject: Re: [squid-users] squid_ldap_group authentication against Active Directory

On Thu, 18 Dec 2003, Keppner, Christoph wrote:

> I know so far that squid_ldap_group is the right program, but how do I use it?
> In a mail from Henrik Nordstrom, there was this description:

squid_ldap_group is used via the external_acl_type directive. See the manual (yes, there is a manual for squid_ldap_group).

> 0. Optionally bind (login) as a dummy user (by DN) if anonymous searches are disallowed in the directory (-D+-W arguments)
> 1. Search for the user in the directory (-F argument with the same data as -f to squid_ldap_auth)
> 2. Search for the group in the directory and verify that the user is a member of the group (-f argument).
>
> What must the -f argument look like?!?

The manual has some good hints on this.

The purpose of the -f argument to squid_ldap_group is similar to the purpose of the -f argument to squid_ldap_auth, but looking for a matching group rather than a matching user. Usually this looks like

  -f (&(cn=%g)(member=%u)(objectClass=groupOfNames))

asking the helper to search for a groupOfNames with the group name as cn and the user DN as member. Should probably make this the default when -F is specified.

The user DN is looked up by the -F argument in the same manner as the -f argument to squid_ldap_auth.

Regards
Henrik
Re: Re: [squid-users] squid_ldap_group authentication against Active Directory
On Fri, 19 Dec 2003, Keppner, Christoph wrote:

> What manual? man 8 squid_ldap_group?

Yes.

Regards
Henrik
[squid-users] squid_ldap_group authentication against Active Directory
Hi,

I'm trying to restrict access to my squid cache to users of a special group ProxyUsers in Active Directory. I have Debian Testing (Sarge) with squid-2.5Stable4 installed.

First I tried with the ldap_auth command:

  /usr/lib/squid/ldap_auth -b dc=dhc-gmbh,dc=com -R -D [EMAIL PROTECTED] -w SeCrEt -f sAMAccountName=%s myW2KServer

This way, when I enter "username password" lines, I get OK or ERR, and everything is fine. The problem: every valid user with a valid password has access to the cache.

I read many mailings on this list (and some others too), but I didn't find a good hint. I know so far that squid_ldap_group is the right program, but how do I use it? In a mail from Henrik Nordstrom, there was this description:

0. Optionally bind (login) as a dummy user (by DN) if anonymous searches are disallowed in the directory (-D+-W arguments)
1. Search for the user in the directory (-F argument with the same data as -f to squid_ldap_auth)
2. Search for the group in the directory and verify that the user is a member of the group (-f argument).

What must the -f argument look like?!?

In some mails, people talk about some examples that are shipped with squid and work fine with Active Directory, but I can't find them. I'm not very familiar with LDAP search strings, so can somebody give me a hint how the FULL command looks?

Greetings
Christoph
Re: [squid-users] squid_ldap_group authentication against Active Directory
On Thu, 18 Dec 2003, Keppner, Christoph wrote:

> I know so far that squid_ldap_group is the right program, but how do I use it?
> In a mail from Henrik Nordstrom, there was this description:

squid_ldap_group is used via the external_acl_type directive. See the manual (yes, there is a manual for squid_ldap_group).

> 0. Optionally bind (login) as a dummy user (by DN) if anonymous searches are disallowed in the directory (-D+-W arguments)
> 1. Search for the user in the directory (-F argument with the same data as -f to squid_ldap_auth)
> 2. Search for the group in the directory and verify that the user is a member of the group (-f argument).
>
> What must the -f argument look like?!?

The manual has some good hints on this.

The purpose of the -f argument to squid_ldap_group is similar to the purpose of the -f argument to squid_ldap_auth, but looking for a matching group rather than a matching user. Usually this looks like

  -f (&(cn=%g)(member=%u)(objectClass=groupOfNames))

asking the helper to search for a groupOfNames with the group name as cn and the user DN as member. Should probably make this the default when -F is specified.

The user DN is looked up by the -F argument in the same manner as the -f argument to squid_ldap_auth.

Regards
Henrik
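Putting Henrik's steps 0 to 2 together for Active Directory, as an added example that is not part of the original thread and not Henrik's or Christoph's configuration. It reuses Christoph's base DN and server name; the helper paths, the bind account `proxyreader`, the secret file path, the ACL names and the external ACL name are assumptions. Two AD-specific points differ from the generic `groupOfNames` filter above: AD groups carry objectClass `group`, and their `member` attribute holds user DNs, so `-F` is required so that `%u` in the group filter is expanded to the DN found in step 1 rather than the bare login name. An LDAP AND filter must also start with `&`, as in `(&(a)(b))`.

```conf
# squid.conf fragment for Squid 2.5 (added example; paths, account and ACL names assumed)

# Authentication: verify the password with the LDAP basic-auth helper.
# Debian installs it as /usr/lib/squid/ldap_auth (the path Christoph used).
#   -R   do not chase referrals; AD returns them on subtree searches
#   -v 3 speak LDAPv3, which AD expects
#   -W   read the bind password from a root-owned, mode 0600 file instead of
#        passing it with -w, where every local user could read it from 'ps'
#   -D   assumed read-only bind account; it needs no rights beyond searching
auth_param basic program /usr/lib/squid/ldap_auth -b dc=dhc-gmbh,dc=com -R -v 3 -D proxyreader@dhc-gmbh.com -W /etc/squid/ldap.secret -f "sAMAccountName=%s" myW2KServer
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Authorization: squid_ldap_group gets the authenticated login (%LOGIN) plus
# the group name from the acl line and answers OK or ERR.
#   -F  step 1: locate the user; %s = login name; the result is the user's DN
#   -f  step 2: locate the group; %g = group name, %u = the DN from step 1
# Results are cached for ttl/negative_ttl seconds, so a removed user keeps
# access for up to 300 s; lower ttl if that window matters.
external_acl_type ad_group ttl=300 negative_ttl=60 children=5 %LOGIN /usr/lib/squid/squid_ldap_group -b dc=dhc-gmbh,dc=com -R -v 3 -D proxyreader@dhc-gmbh.com -W /etc/squid/ldap.secret -F "(sAMAccountName=%s)" -f "(&(cn=%g)(member=%u)(objectClass=group))" myW2KServer

# Require a login first, then direct membership of ProxyUsers.
acl ldap_users proxy_auth REQUIRED
acl proxy_users external ad_group ProxyUsers
http_access allow ldap_users proxy_users
http_access deny all
```

Before reloading squid, test the group helper by hand the same way Christoph tested ldap_auth: run the squid_ldap_group command line above as the squid user and type `someuser ProxyUsers`, expecting `OK` for a member and `ERR` otherwise; running it as the squid user also confirms that `/etc/squid/ldap.secret` is readable by that account and nobody else. The `member=%u` filter matches direct membership only; users who are in ProxyUsers only through a nested group get `ERR`.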