Craig Home wrote:

> Hi,
>
> I have been trying to use squid_ldap_match with Active directory with not
> much success, I have built everything but just can't seem to get the
> parameters correct.
>
> I am also unsure whether I just have to use the match, or also do an
> ldap_auth on the user beforehand - if you can clarify whether this is
> required - thanks.

%LOGIN in external_acl_type uses your auth_param settings for authentication to determine the login name before the login can be sent to the external acl helper, so you need both helpers but only one acl.

> I am trying to match up a group which is situated in:
>
> cn=INTERNETUSERS,cn=Users

What are your squid_ldap_auth parameters? With current squid_ldap_match (or _group) helpers there is a direct relation between squid_ldap_auth and squid_ldap_match arguments.

> The Base dn = dc=top,dc=sy,dc=turvy
>
> Ok,
>
> So I am trying to match the group with squid_ldap_match with Squid 2.5
> stable2 compiled from source with openldap on Redhat 7.3 (fully patched)
>
> (Standalone)
>
> squid_ldap_match -b "dc=top,dc=sy,dc=turvy" -f "(%(cn=%u)(cn=%g))" -h
> 193.116.22.122 -p 389

This filter does not look right. The same LDAP object cannot have two cn values. The first should be member=%u I think. The filter should also specify the type of object to look for (objectClass=groupOfNames).

> in the squid.conf file
>
> external_acl_type ldap_group %LOGIN /path/to/squid_ldap_match
> -b "dc=top,dc=sy,dc=turvy" -f "(%(cn=%u)(cn=%g))" -h 193.116.22.122 -p 389
>
> acl firstrule external ldap_group INTERNETUSERS
>
> I am particularly interested in any debug options you can specify to further
> debug whether I have the filter options correctly. How would I test these
> filters out in relation to active directory as I don't know whether the %u
> or %g are returning the correct values?

There is an undocumented debug parameter to squid_ldap_match: -d 1 will enable debug output of the constructed search filters etc.

> Can I capture what is sent to STDIN so I can look at the returned results?

Not easily, but it is trivial to test the helper manually. It expects plain lines with just

user group

One peculiarity to keep in mind with AD is that depending on your security settings you may need to specify a "dummy" user to bind as while performing the searches. Not all AD installations allow anonymous LDAP searches within the directory. For security reasons this dummy user should have least possible privileges, just barely enough to be allowed to search the LDAP directory.

Experimenting a little with ldapsearch to get familiar with how your LDAP server operates is recommended. Once you get the hang of ldapsearch, translating the knowledge to squid_ldap_match (or squid_ldap_group which is another name for the same helper) is trivial.

Regards
Henrik
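The exchange above describes the helper's contract (one "user group" line in, OK or ERR out), the corrected membership filter and the -d 1 debug output of the constructed filters. The script below is an added example, not Squid's helper code and not from this thread: it emulates that round trip offline against a constructed in-memory directory. Its assumptions are labelled in the code: that the login name is first resolved to a DN with a separate user filter (since AD stores group members as DNs), that the constructed group uses the objectClass=groupOfNames from the reply, and that a search function standing in for AD can be swapped for a real LDAP client. It also hex-escapes the %u and %g values before substitution (RFC 4515), a check worth having because both values originate outside the helper.

```python
"""Added example (not Squid's helper code): emulate what squid_ldap_match /
squid_ldap_group does with the "user group" lines Squid feeds it, using the
membership filter suggested in the reply. The directory is a constructed
in-memory stand-in for Active Directory so the script runs offline."""
import re
import sys

BASE_DN = "dc=top,dc=sy,dc=turvy"

# Assumption: AD stores group membership as the member's DN, so the login
# name is first resolved to a DN with this user filter (not from the thread).
USER_FILTER = "(&(objectClass=user)(sAMAccountName=%u))"
# Membership filter as suggested in the reply; %u is the user's DN here.
GROUP_FILTER = "(&(objectClass=groupOfNames)(member=%u)(cn=%g))"

# Constructed directory: one user in the group, one user outside it.
DIRECTORY = [
    {"dn": "cn=alice,cn=Users," + BASE_DN, "objectClass": ["user"],
     "sAMAccountName": ["alice"]},
    {"dn": "cn=bob,cn=Users," + BASE_DN, "objectClass": ["user"],
     "sAMAccountName": ["bob"]},
    {"dn": "cn=INTERNETUSERS,cn=Users," + BASE_DN,
     "objectClass": ["groupOfNames"], "cn": ["INTERNETUSERS"],
     "member": ["cn=alice,cn=Users," + BASE_DN]},
]


def escape_filter_value(value):
    """RFC 4515 escaping: %u and %g come from outside the helper, so the
    characters that have meaning in a filter are hex-escaped before use."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_filter(template, user, group):
    """Expand %u and %g in one pass, as the helper's -f argument is expanded."""
    subs = {"u": escape_filter_value(user), "g": escape_filter_value(group)}
    return re.sub(r"%([ug])", lambda m: subs[m.group(1)], template)


def mock_search(base, filt):
    """Stand-in for an LDAP search against the constructed directory. It only
    understands an AND of equality assertions, which is all the two templates
    above need; a real deployment would call an LDAP client here instead."""
    m = re.fullmatch(r"\(&((?:\([^()]+\))+)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    terms = re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1))
    unescape = lambda v: re.sub(r"\\([0-9a-f]{2})",
                                lambda h: chr(int(h.group(1), 16)), v)
    hits = []
    for entry in DIRECTORY:
        if not entry["dn"].lower().endswith(base.lower()):
            continue
        if all(unescape(v).lower() in [x.lower() for x in entry.get(a, [])]
               for a, v in terms):
            hits.append(entry)
    return hits


def check_line(line, search=mock_search, debug=False):
    """One helper round: 'user group' in, 'OK' or 'ERR' out."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"
    user, group = fields
    user_filter = build_filter(USER_FILTER, user, group)
    users = search(BASE_DN, user_filter)
    if len(users) != 1:          # unknown or ambiguous login: deny
        return "ERR"
    group_filter = build_filter(GROUP_FILTER, users[0]["dn"], group)
    if debug:                    # the kind of detail -d 1 prints
        print("user filter:  " + user_filter, file=sys.stderr)
        print("group filter: " + group_filter, file=sys.stderr)
    return "OK" if search(BASE_DN, group_filter) else "ERR"


if __name__ == "__main__":
    # Same loop a helper runs: read lines from Squid, answer one per line.
    for raw in sys.stdin:
        print(check_line(raw, debug="-d" in sys.argv[1:]), flush=True)
```

Run it the way the reply suggests testing the real helper, by typing "alice INTERNETUSERS" on standard input (add -d to see the constructed filters on stderr). Swapping mock_search for a function that binds with the low-privilege "dummy" account and runs the same two searches gives the shape of a production check; the escaping step stays in place so a login name containing * or ) cannot widen the membership filter.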
