On Sat, 3 Apr 2004 [EMAIL PROTECTED] wrote:

> the relevant parts of my squid.conf look like this:
>
> ----
> auth_param basic program /usr/lib/squid/ldap_auth -b
> ou=people,dc=mhcsoftware,dc=de localhost
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours

Needed. This defines authentication.

> external_acl_type ldap %LOGIN /usr/lib/squid/squid_ldap_group
> -b "ou=groups,dc=mhcsoftware,dc=de"
> -f "(&(memberUid=%v)(cn=%a)(objectClass=posixGroup))"
> -B "ou=people,dc=mhcsoftware,dc=de"
> -F "(uid=%s)"

Needed. This defines how Squid is to evaluate LDAP group based authorization (not authentication). But the arguments do not match your squid_ldap_auth. As you are not using a user filter in squid_ldap_auth you should not do so in squid_ldap_group either.. just make the exact group membership filter matching groups where the login name is member.

Most likely you should just drop the user filter (and basedn) arguments here but it depends on what your group objects look like. I would recommend playing a little with ldapsearch.

Note: You are using a very old and obsolete group filter syntax. The current versions of the squid_ldap_group helper use %g and %u for group and user respectively (but still understand the older %a %v codes).

> acl ldapauth proxy_auth REQUIRED

This is only needed if you really want to base access controls on "all authenticated users".

> acl ldapGauth external ldap squid

Normally this one is sufficient when using LDAP groups..

> http_access allow ldapGauth

Ok.

> this seems to work, as i can do a corresponding ldapsearch without any
> problem. then it tries the group lookup:
>
> Apr 3 15:50:30 server slapd[20926]: conn=32 op=1 SRCH
> base="ou=groups,dc=mhcsoftware,dc=de" scope=2
> filter="(&(memberUid=uid=test,ou=people,dc=mhcsoftware,dc=de)(cn=squid)(objectClass=posixGroup))"
>
> and i think that's the problem. when i try this as a ldapsearch i get no
> result. but when i search for:
>
> (&(memberUid=test)(cn=squid)(objectClass=posixGroup))

Ok, so you are not using normal LDAP groups but instead another form of groups stored within LDAP... See above for the solution.

> i get the expected result. well and that filter is what i would expect when
> i look at my "squid_ldap_group" commandline. i do not understand why it
> uses "memberUid=uid=test,ou=people,dc=mhcsoftware,dc=de" instead of what's
> configured on the command line: "memberUid=test"

This is done because you told squid_ldap_group to expand the login name into the user's DN via the group filter argument. See the squid_ldap_group manual.

Regards
Henrik
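Putting the advice in this thread together, here is an added squid.conf fragment (not from the original thread) with the two helpers made consistent: authentication with no user filter, and the group helper without -B/-F so the bare login name is substituted into memberUid via the current %u/%g codes. It assumes the LDAP server is localhost, as in the poster's ldap_auth line, and that the groups are posixGroup objects whose memberUid holds plain uids, as the poster's working ldapsearch shows; the trailing default-deny line is a standard addition not shown on the page.

```conf
# --- Authentication: bind as the user, no user filter (unchanged from the post) ---
auth_param basic program /usr/lib/squid/ldap_auth -b "ou=people,dc=mhcsoftware,dc=de" localhost
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# --- Authorization: group membership only ---
# No -B/-F here, so %u expands to the login name as typed ("test"), not to
# the user DN "uid=test,ou=people,...". The resulting search matches the
# filter the poster verified by hand with ldapsearch:
#   (&(memberUid=test)(cn=squid)(objectClass=posixGroup))
# %g is the group name passed from the acl line below ("squid").
# Assumed: same LDAP server (localhost) as the authentication helper.
external_acl_type ldap %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=groups,dc=mhcsoftware,dc=de" -f "(&(memberUid=%u)(cn=%g)(objectClass=posixGroup))" localhost

# Membership in the posixGroup "squid" is the access decision; a separate
# proxy_auth REQUIRED acl is not needed because %LOGIN already forces login.
acl ldapGauth external ldap squid

http_access allow ldapGauth
# Added default-deny so a failed group lookup cannot fall through to an allow.
http_access deny all
```

Before reloading Squid, the same filter can be checked by hand with ldapsearch against the groups base DN, substituting a real uid and group name for %u and %g.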
