Hi, well, the name shouldn't matter... Now I spent my day playing with ldapsearch:

    ldapsearch -h dhc-server -p 389 -D [EMAIL PROTECTED] -w sEcReT -x -b dc=dhc-gmbh,dc=com "(sAMAccountName=keppner)"

returns all information about my own account; this is what is used in (squid_)ldap_auth:

    auth_param basic program /usr/lib/squid/ldap_auth -b dc=dhc-gmbh,dc=com -R -D [EMAIL PROTECTED] -w SeCrEt -f sAMAccountName=%s 192.168.42.10

works fine.

This is my squid_ldap_group command in squid.conf:

    external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b dc=dhc-gmbh,dc=com -D [EMAIL PROTECTED] -w SeCrEt -f "(&(cn=Mitarbeiter)(member=uid=%u)) -F (sAMAccountName=%s) -h 192.168.42.10 -p 389

I think the -F argument is correct, because it works in the auth command. Am I right: squid_ldap_group first searches with the -F argument, and checks this account data against the filter in the -f argument? I don't understand the meaning of the (member=uid=%u) condition.

When I search with ldapsearch and the filter CN=Mitarbeiter, I get a list of all members of the group Mitarbeiter, where I can see that I'm a member. But I still get no access to the cache.

In my squid.conf I've written the external_acl_type and:

    acl Mitarbeiter external ldap_group Mitarbeiter

and

    http_access allow password dhc Mitarbeiter

The http_access line is inserted below the

    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

line; dhc stands for our IP subnet and password for the acl password proxy_auth REQUIRED.

Is there an error in the -f definition?

Greetings
Christoph

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 20, 2003 1:01 AM
To: Keppner, Christoph
Cc: 'Henrik Nordstrom '
Subject: Re: AW: AW: AW: [squid-users] squid_ldap_group authentication against Active Directory

On Fri, 19 Dec 2003, Keppner, Christoph wrote:

> This is a part of the squid-packet from Debian, except ldapauth, this is a
> bash-script written by myself...
>
> I never had a command squid_ldap_auth, only ldap_auth... What is going wrong
> here?

Maybe an oddity of the Debian packaging, I do not know.

This is how a fully populated libexec directory looks in current source releases:

-rwxr-xr-x 1 henrik users 138184 Dec 18 12:10 cachemgr.cgi
-rwxr-xr-x 1 henrik users  77200 Dec 18 12:11 digest_pw_auth
-rwxr-xr-x 1 henrik users 307366 Dec 18 11:58 diskd
-rwxr-xr-x 1 henrik users  71353 Dec 18 12:11 fakeauth_auth
-rwxr-xr-x 1 henrik users  60628 Dec 18 12:10 getpwname_auth
-rwxr-xr-x 1 henrik users  43333 Dec 18 12:11 ip_user_check
-rwxr-xr-x 1 henrik users 173621 Dec 18 12:11 msnt_auth
-rwxr-xr-x 1 henrik users  79498 Dec 18 12:11 ncsa_auth
-rwxr-xr-x 1 henrik users   5925 Dec 18 12:11 no_check.pl
-rwxr-xr-x 1 henrik users 178137 Dec 18 12:11 ntlm_auth
-rwxr-xr-x 1 henrik users  73580 Dec 18 12:11 pam_auth
-rwxr-xr-x 1 henrik users  75480 Dec 18 12:11 sasl_auth
-rwxr-xr-x 1 henrik users  63865 Dec 18 12:11 smb_auth
-rwxr-xr-x 1 henrik users   3962 Dec 18 12:11 smb_auth.pl
-rwxr-xr-x 1 henrik users   2280 Dec 18 12:11 smb_auth.sh
-rwxr-xr-x 1 henrik users  79150 Dec 18 12:10 squid_ldap_auth
-rwxr-xr-x 1 henrik users  52109 Dec 18 12:11 squid_ldap_group
-rwxr-xr-x 1 henrik users  36074 Dec 18 12:11 squid_unix_group
-rwxr-xr-x 1 henrik users 296072 Dec 18 12:10 unlinkd
-rwxr-xr-x 1 henrik users  85661 Dec 18 12:11 wb_auth
-rwxr-xr-x 1 henrik users  69776 Dec 18 12:11 wb_group
-rwxr-xr-x 1 henrik users   1331 Dec 18 12:11 wbinfo_group.pl
-rwxr-xr-x 1 henrik users 100015 Dec 18 12:11 wb_ntlmauth
-rwxr-xr-x 1 henrik users  74889 Dec 18 12:11 yp_auth

With these man pages

-rw-r--r-- 1 henrik users   2699 Dec 18 12:11 pam_auth.8
-rw-r--r-- 1 henrik users   3196 Dec 18 12:10 squid.8
-rw-r--r-- 1 henrik users   6405 Dec 18 12:10 squid_ldap_auth.8
-rw-r--r-- 1 henrik users   5261 Dec 18 12:11 squid_ldap_group.8
-rw-r--r-- 1 henrik users   1586 Dec 18 12:11 squid_unix_group.8

Regards
Henrik
