This is a lot easier with the new version of the LDAP group helper available in the current 2.5.STABLE nightly snapshots or from http://marasystems.com/download/LDAP_Group/

But first you need to decide on what you want to match:

a) member attribute of the group objects
b) memberOf attribute of the user objects

I would recommend matching the member attribute of group objects.

Then I'd recommend experimenting a little with the ldapsearch command to get familiar with the LDAP structure and search filters. It is a quite healthy exercise and will make the job of constructing filters for squid_ldap_group a lot easier.

Regards
Henrik

On Fri 2003-01-31 at 13.16, Daniel Barron wrote:
> In message <[EMAIL PROTECTED]> you wrote:
>
> > .. you seem to forget one step. Please check your config with the following
> > instructions:
> >
> > 1) pure authentication:
> > define first:
> > auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b
> > ou=sample,o=org -f cn=%s -h 192.168.1.1
> > auth_param basic children 10
> > auth_param basic realm mein super squid proxy
> > auth_param basic credentialsttl 2 hours
> > then define ACL :
> > #
> > # ACL for LDAP password check
> > #
> > acl password proxy_auth REQUIRED
> >
> > 2) map users to groups:
> > define acl type first:
> > external_acl_type ldap_group ttl=30 concurrency=10 %LOGIN
> > /usr/local/squid/libexec/squid_ldap_group -f
> > "(&(cn=%v)(groupmembership=%a))" -b ou=sample,o=org -h 192.168.1.1
> > then define ACLs :
> > acl movies external ldap_group cn=movies_group,ou=sample,o=org
> > acl sounds external ldap_group cn=sounds_group,ou=sample,o=org
> >
> > .. hope this gets you running...
>
> Hi, thanks for the reply!
>
> Yes I've got authentication working now but not groups. I wonder if you
> mind helping further please? :)
>
> Here are my settings to get auth to work:
>
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b
> "cn=Users,dc=jadeb,dc=com" -u cn -h 192.168.254.23
> acl dozeusers proxy_auth REQUIRED
>
> This works with the user 'daniel' that I added to the main Users group.
>
> From an export ldif file the group and user are:
>
> dn: CN=daniel,CN=Users,DC=jadeb,DC=com
> changetype: add
> memberOf: CN=WebAccess,CN=Users,DC=jadeb,DC=com
> accountExpires: 9223372036854775807
> badPasswordTime: 126883606504573568
> badPwdCount: 0
> codePage: 0
> cn: daniel
> countryCode: 0
> displayName: daniel
> givenName: daniel
> instanceType: 4
> lastLogoff: 0
> lastLogon: 126883606559552624
> logonCount: 0
> distinguishedName: CN=daniel,CN=Users,DC=jadeb,DC=com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=jadeb,DC=com
> objectClass: user
> objectGUID:: 6uPoOsJwRUGJH+TBDQf6Cw==
> objectSid:: AQUAAAAAAAUVAAAAkuA8dyPz9mOKpzI/WwQAAA==
> primaryGroupID: 513
> pwdLastSet: 126883606012065376
> name: daniel
> sAMAccountName: daniel
> sAMAccountType: 805306368
> userAccountControl: 512
> userPrincipalName: [EMAIL PROTECTED]
> uSNChanged: 5057
> uSNCreated: 5048
> whenChanged: 20030130003641.0Z
> whenCreated: 20030129232101.0Z
>
> dn: CN=WebAccess,CN=Users,DC=jadeb,DC=com
> changetype: add
> member: CN=daniel,CN=Users,DC=jadeb,DC=com
> cn: WebAccess
> groupType: -2147483646
> instanceType: 4
> distinguishedName: CN=WebAccess,CN=Users,DC=jadeb,DC=com
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=jadeb,DC=com
> objectClass: group
> objectGUID:: wAP1kGfxBUq5wtjtqutb5w==
> objectSid:: AQUAAAAAAAUVAAAAkuA8dyPz9mOKpzI/WgQAAA==
> name: WebAccess
> sAMAccountName: WebAccess
> sAMAccountType: 268435456
> uSNChanged: 5126
> uSNCreated: 5034
> whenChanged: 20030130113942.0Z
> whenCreated: 20030129170330.0Z
>
> So you can see why I needed -b "cn=Users,dc=jadeb,dc=com" in that auth.
>
> Now I am trying to test the group ldap by hand first as it's much quicker than
> lots of squid restarts.
>
> This is what I am using:
>
> ./libexec/squid_ldap_group -b cn=Users,dc=jadeb,dc=com -f
> "(&(cn=%v)(groupmembership=%a))" -h 192.168.254.23
> daniel cn=WebAccess,cn=Users,dc=jadeb,dc=com
> ERR
> daniel WebAccess
> ERR
>
> ./libexec/squid_ldap_group -b cn=Users,dc=jadeb,dc=com -f "(&(dn=%v)(memberOf=%a))"
> -h 192.168.254.23
> daniel cn=WebAccess,cn=Users,dc=jadeb,dc=com
> ERR
> daniel WebAccess
> ERR
>
> ./libexec/squid_ldap_group -b cn=Users,dc=jadeb,dc=com -f
> "(&(dn=%v)(groupmembership=%a))" -h 192.168.254.23
> daniel cn=WebAccess,cn=Users,dc=jadeb,dc=com
> ERR
> daniel WebAccess
> ERR
>
> ./libexec/squid_ldap_group -b cn=Users,dc=jadeb,dc=com -f "(&(dn=%v)(memberOf=%a))"
> -h 192.168.254.23
> daniel cn=WebAccess,cn=Users,dc=jadeb,dc=com
> ERR
> daniel WebAccess
> ERR
>
> I am sure it's just a matter of working out the right filter and possibly
> the base name, but I don't know what else to try. Perhaps you understand
> ldap better and can point me in the right direction?
>
> Thanks.

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden
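The member-attribute matching Henrik recommends, modelled in Python as an added example (this is not squid_ldap_group's code, and the real helper's option names are not shown): a minimal LDIF parser and an equality/AND filter evaluator run over the two entries Daniel posted, which shows why the posted filters return ERR (no groupmembership attribute exists, and member holds the user's full DN rather than the login name) and what a two-step lookup, login name to user DN and then DN against the group's member attribute, must compare.

```python
import re

# Constructed sample input: the user and group entries quoted in the thread,
# trimmed to the attributes that matter for group matching.
LDIF = """\
dn: CN=daniel,CN=Users,DC=jadeb,DC=com
objectClass: user
cn: daniel
sAMAccountName: daniel
memberOf: CN=WebAccess,CN=Users,DC=jadeb,DC=com

dn: CN=WebAccess,CN=Users,DC=jadeb,DC=com
objectClass: group
cn: WebAccess
member: CN=daniel,CN=Users,DC=jadeb,DC=com
"""

def parse_ldif(text):
    """Parse simple 'attr: value' LDIF into a list of {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def matches(entry, filt):
    """Evaluate '(attr=value)' or '(&(...)(...))'; case-insensitive, as AD compares."""
    filt = filt.strip()
    if filt.startswith("(&"):
        return all(matches(entry, "(%s)" % part)
                   for part in re.findall(r"\(([^()]*)\)", filt[2:-1]))
    attr, _, value = filt[1:-1].partition("=")
    return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def search(entries, filt):
    """Return the DNs of the entries matching filt (what ldapsearch would list)."""
    return [e["dn"][0] for e in entries if matches(e, filt)]

def user_in_group(entries, login, group_cn):
    """Two-step check: login name -> user DN, then that DN against the group's member."""
    user_dns = search(entries, "(&(objectClass=user)(sAMAccountName=%s))" % login)
    if len(user_dns) != 1:
        return False  # unknown or ambiguous login: deny
    return bool(search(entries, "(&(objectClass=group)(cn=%s)(member=%s))"
                       % (group_cn, user_dns[0])))
```

Calling user_in_group(parse_ldif(LDIF), "daniel", "WebAccess") returns True, while the single-step filters from the thread return no entries.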
