On Wed, 23 Jun 2004 [EMAIL PROTECTED] wrote:

> I want to use squid_ldap_match (Squid is version 2.5 Stable 3) to check
> ADS group memberships of LDAP users. Must I first use squid_ldap_auth to
> check for the user, or can I use only squid_ldap_match?
> How must I do this?

You need both.

Note: squid_ldap_match is known by the name squid_ldap_group these days and
shipped with the Squid distribution.

> I need a configuration example.
>
> My squid.conf
>
> auth_param basic program /usr/sbin/squid_ldap_auth -p xxx -u cn -R -b
> ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -D
> cn=Squid,ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -W xxxxx -f
> "SamAccountName=%s" myADSserver

Looks OK. You don't need the -u option in combination with -f, but it won't
harm you either.

> external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_match -B
> ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -F "SamAccountName=%S" -D cn=Squid
> ,ou=Users,ou=abc,ou=edf,dc=a,dc=b,dc=com -W xxxxx -b
> cn=xxxxx,ou=Groups,ou=abc,ou=edf,dc=a,dc=b,dc=com -f"(&(SamAccountName
> =%S)(member=%v))" -h myADSserver -p xxx

Also looks OK.

Both can be tested easily from the command line. squid_ldap_auth expects
"username password" as input, and squid_ldap_group (or _match) expects
"username group" as input.

> http_access allow Autorized
>
> http_access allow internetuser

This looks odd... first you allow access for all authenticated users, then
users belonging to the correct group. Most likely you should get rid of the
first http_access rule here.

Regards
Henrik
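The ordering problem Henrik points out is easy to see in a small model of Squid's first-match http_access evaluation. The following is an added example, not code from Henrik's reply or from the Squid project: it replaces the two LDAP helpers with an in-memory directory of constructed users and groups, and assumes the ACL definitions `acl Authorized proxy_auth REQUIRED`, `acl internetuser external ldap_group internetuser` and `acl all src 0.0.0.0/0.0.0.0`, which the thread only refers to by name. Where real Squid would send a 407 challenge for a failed proxy_auth, the model simply reports "deny".

```python
"""Toy model of Squid's first-match http_access evaluation (added example).

The LDAP helpers are replaced by an in-memory directory so the effect of
rule ordering can be checked offline. Users, passwords and memberships
are constructed sample data, not taken from the thread.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the LDAP directory: user -> (password, group names)
DIRECTORY: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("s3cret", {"internetuser"}),   # authenticates AND is in the group
    "bob": ("hunter2", set()),               # authenticates but is in no group
}


def ldap_auth(user: str, password: str) -> bool:
    """Models squid_ldap_auth: 'username password' in, OK when they match."""
    entry = DIRECTORY.get(user)
    return entry is not None and entry[0] == password


def ldap_group(user: str, group: str) -> bool:
    """Models squid_ldap_group (formerly squid_ldap_match): 'username group' in."""
    entry = DIRECTORY.get(user)
    return entry is not None and group in entry[1]


# Assumed ACL definitions (the thread only names them in http_access lines):
#   acl Authorized proxy_auth REQUIRED
#   acl internetuser external ldap_group internetuser
#   acl all src 0.0.0.0/0.0.0.0
ACLS: Dict[str, Tuple[str, ...]] = {
    "Authorized": ("proxy_auth",),
    "internetuser": ("external_group", "internetuser"),
    "all": ("all",),
}


def acl_matches(acl: Tuple[str, ...], user: Optional[str], password: Optional[str]) -> bool:
    """Evaluate one ACL against a request carrying optional proxy credentials."""
    kind = acl[0]
    if kind == "all":
        return True
    if user is None or password is None or not ldap_auth(user, password):
        # proxy_auth fails, and an external %LOGIN ACL is never consulted
        # for a request that has not authenticated
        return False
    if kind == "proxy_auth":
        return True
    if kind == "external_group":
        return ldap_group(user, acl[1])
    raise ValueError(f"unknown ACL type {kind}")


Rule = Tuple[str, List[str]]  # ("allow" | "deny", [acl names])


def http_access(rules: List[Rule], user: Optional[str], password: Optional[str]) -> str:
    """Return 'allow' or 'deny' for a request, Squid-style.

    The first rule whose ACLs all match decides. If no rule matches, Squid
    applies the opposite of the last rule's action.
    """
    for action, names in rules:
        if all(acl_matches(ACLS[name], user, password) for name in names):
            return action
    last = rules[-1][0] if rules else "deny"
    return "deny" if last == "allow" else "allow"


# Ordering as posted in the thread: every authenticated user is allowed by
# the first rule, so the group rule never restricts anything.
AS_POSTED: List[Rule] = [
    ("allow", ["Authorized"]),
    ("allow", ["internetuser"]),
    ("deny", ["all"]),
]

# Henrik's suggestion: drop the first rule, so only group members get through.
CORRECTED: List[Rule] = [
    ("allow", ["internetuser"]),
    ("deny", ["all"]),
]


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for user, pw in (("alice", "s3cret"), ("bob", "hunter2"), ("bob", "wrong"), (None, None)):
            print(f"{label:10} {str(user):6} -> {http_access(rules, user, pw)}")
```

Running the block shows that bob, who authenticates but is not a group member, is allowed under the posted ordering and denied once the broad `allow Authorized` rule is removed; alice is allowed in both cases. The model also reproduces the "opposite of the last rule" fallback, which is why an explicit `deny all` at the end is the usual habit.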
