Hi,

Wouldn't a group LDAP check be required using squid_ldap_group?

Add some config lines like:

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h server -p 389 -P -b o=domain -F "uid=%s" -f "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

acl proxy_group external ldap_group proxy

http_access allow allowed_networks proxy_group

Something like this in addition to user authentication is what is working here at KCL.

Tim

----------------------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer              Komatsu Canada Limited
Ph#: 905-625-6292 x265                 1725B Sismet Road
Fax: 905-625-6348                      Mississauga, Ontario, Canada
E-Mail: [EMAIL PROTECTED]               L4W 1P9
----------------------------------------------------------------------



Martijn Moret wrote:

Hi,

I have a problem with squid_ldap_auth.
I use it to authorize against M$-AD, no problems so far.
It all works with the following:
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "OU=Gebruikers,DC=domain,DC=org" -s sub -D "cn=administrator,ou=beheer,dc=domain,dc=org" -w "password" -h server -p 389 -v 3 -f sAMAccountName=%s

Now I also want to check if the user is a member of an AD group, so I did
the following:
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "OU=Gebruikers,DC=domain,DC=org" -s sub -D "cn=administrator,ou=beheer,dc=domain,dc=org" -w "password" -h server -f "(&(sAMAccountName=%s)(memberOf=CN=Internet-Users,OU=Gebruikers Groepen,OU=Gebruikers,DC=domain,DC=org))"

This works great from the command line: a user who is a member gets OK
and if you are not a member it shows ERR. This is what I want.
I just can't get it to work from within squid. In the cache.log the
following line appears when authenticating:
squid_ldap_auth: WARNING, LDAP search error 'Bad search filter'

I'm using squid/2.5.STABLE4 on Solaris 9.

Any help??

Regards
Martijn



I solved the problem by creating a wrapper around the squid_ldap_auth as
the space in the OU "Gebruikers Groepen" will not parse (IMHO).
The entry in squid.conf is now as follows:
auth_param basic program /usr/local/squid/libexec/wrapper_ldap_auth.sh

And the wrapper itself:
#!/usr/bin/ksh
# Hand stdin/stdout straight to squid_ldap_auth; the shell keeps the quoted
# filter, including the space in "OU=Gebruikers Groepen", as one argument.
exec /usr/local/squid/libexec/squid_ldap_auth \
    -b "OU=Gebruikers,DC=domain,DC=org" -s sub \
    -D "cn=administrator,ou=beheer,dc=domain,dc=org" -w "password" \
    -h server \
    -f "(&(sAMAccountName=%s)(memberOf=CN=Internet-Users,OU=Gebruikers Groepen,OU=Gebruikers,DC=domain,DC=org))"

I know you should check for a member in a group instead of a group in a
member, but in AD the CN is mapped as a member and we use the sAMAccountName...

Greetz
Martijn
