On Fri, 20 Feb 2004, Ampugnani, Fernando wrote:

> Hi Henrik,
> In squid_ldap_auth the filter as I configure looks like...
>
> -f "(&(sAMAccountName=%u)(object-Class=user))"
>
> is ok?

Almost. You need to use %s for the username in user filters, and there is no - in objectClass. It is only in group filters to squid_ldap_group that %u is used for the username. Other than this it looks ok, even if I would use the more general objectClass=Person.

> How many ways of configuring it are there? In the man page I didn't find many
> variants of this.

There are as many ways as there are LDAP directories and tastes in how to organise the LDAP structure. The main problem is that there is no globally accepted standard on which LDAP attribute the login name should be stored in.

Microsoft uses sAMAccountName (pre-2000 login name alone) and userPrincipalName (ADS login name including the ADS domain name). Most of the rest of the world uses uid. Some use other attributes.

Some have the login attribute in the DN of the user object, to uniquely identify user objects by their login name. This is quite commonly the case when uid is used for the login name, but not always. Some (such as ADS) have the common name in the DN instead of using the login name.

Personally I prefer having the login name in the DN, as this is less likely to change over time than the human name of the person. Changing the DN of an existing object is a very complex operation, as all references to this object in all related LDAP directories need to be updated.

Regards
Henrik
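As an added illustration (not part of Henrik's reply nor of Squid's own source), the Python below expands a squid_ldap_auth-style user filter template with a login name and flags the two mistakes discussed above; the filter templates and the RFC 4515 escaping of the substituted value are my own assumptions about what such a substitution should do, not a description of squid_ldap_auth's internals.

```python
import re

# RFC 4515 escapes for characters that carry meaning inside a filter value,
# so the login name substituted into the template is matched literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed templates for the directory flavours mentioned in the reply.
AD_FILTER = "(&(sAMAccountName=%s)(objectClass=Person))"        # Microsoft ADS
UID_FILTER = "(&(uid=%s)(objectClass=Person))"                  # most other directories
ORIGINAL_FILTER = "(&(sAMAccountName=%u)(object-Class=user))"   # the filter as posted


def escape_filter_value(value: str) -> str:
    """Escape a single assertion value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, login: str) -> str:
    """Expand a user filter as squid_ldap_auth expects: every %s becomes the
    (escaped) login name.  %u is left untouched on purpose, because it is the
    squid_ldap_group placeholder and is not substituted in user filters."""
    return template.replace("%s", escape_filter_value(login))


def check_filter(template: str) -> list:
    """Return the problems found in a user filter template (empty if ok)."""
    problems = []
    if "%s" not in template:
        problems.append("no %s placeholder for the login name")
    if "%u" in template:
        problems.append("%u is the squid_ldap_group placeholder, use %s")
    if template.count("(") != template.count(")"):
        problems.append("unbalanced parentheses")
    # Attribute names sit between "(" and "="; "&", "|" and "!" are operators.
    for attr in re.findall(r"\(([^=()&|!]+)=", template):
        if attr.lower() == "object-class":
            problems.append("object-Class is not an attribute, use objectClass")
    return problems


if __name__ == "__main__":
    for name, tmpl in ("posted", ORIGINAL_FILTER), ("ADS", AD_FILTER), ("uid", UID_FILTER):
        print(name, "->", expand_filter(tmpl, "fernando"), check_filter(tmpl) or "ok")
```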
