Question regarding this thread.

   Why not use "squid_ldap_group"?

Here where I work, I use "squid_ldap_auth" for individual user authentication. I use "squid_ldap_group" as an external acl type. Like:

external_acl_type ldap_group %LOGIN /path/squid_ldap_group -h ldap-host -p ### -P -b o=DN -F "uid=%s" -f "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"


I then create an acl def like:

acl proxy_groups external ldap_group proxy_subcompany_a proxy_subcompany_b proxy_subcompany_c proxy_headoffice
or
acl restricted_groups external ldap_group proxy_subcompany_a proxy_subcompany_b proxy_subcompany_c proxy_headoffice


Finally a http_access def to use the group control, like:

   http_access allow our_networks proxy_groups

If you use "squid_ldap_auth" for group control, then why was "squid_ldap_group" created?

Tim

-----------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer         Komatsu Canada Limited
Ph#: 905-625-6292 x265            1725B Sismet Road
Fax: 905-625-6348                 Mississauga, Canada
E-Mail: [EMAIL PROTECTED]          L4W 1P9
-----------------------------------------------------------



Henrik Nordstrom wrote:

On Tue, 10 Aug 2004, Stefan Thomas wrote:

/usr/local/squid/libexec/squid_ldap_auth -b "" -D "cn=name,o=name" -w passwd -h ip-adr -f (&(&(cn=%s)(objectClass=person))(groupMembership=cn=Internet,ou=name,ou=name,o=name))

This works very well. Now I have a new challenge to solve. I want to
check whether the authorised user is in the group "internet" OR "marketing" OR
"normal" OR ...

He should be in one (!!) of these groups, not in all!


See RFC2254

& is AND
| is OR

(&(cn=%s)(objectClass=person)(|(groupMembership=cn=Internet,ou=name,ou=name,o=name)(groupMembership=cn=Marketing,ou...)(groupMembership=cn=Normal,ou..)(...)))



But personally I would make the setup as follows

1. One single group which determines if the user should at all be allowed to use the Internet, if not all users should be allowed. This is optional.

2. A number of groups verified by squid_ldap_group for giving different levels of access to the Internet.

Regards
Henrik
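As an added illustration of the two filter shapes in this thread (Henrik's single AND/OR filter for squid_ldap_auth, and the per-group filter Tim passes to squid_ldap_group), the Python below builds them from a group list and, more importantly, escapes the value substituted for %s per RFC 4515 (the successor of RFC 2254). The thread does not say whether a given helper version escapes the username before substitution, so the example shows what a raw `*` or `)` in the username does to the filter when it is not escaped. This is example code written for this page, not Squid's helper source; the DN base "ou=name,ou=name,o=name" and the function names are placeholders taken from, or invented around, the thread.

```python
"""Build the LDAP filters from the thread, escaping substituted values.

Added example; not code from Squid or from the thread's authors.
"""

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise they alter the filter's structure.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def and_(*terms: str) -> str:
    """RFC 2254/4515 conjunction: (&(a)(b)...)."""
    return "(&" + "".join(terms) + ")"


def or_(*terms: str) -> str:
    """RFC 2254/4515 disjunction: (|(a)(b)...)."""
    return "(|" + "".join(terms) + ")"


def eq(attr: str, value: str) -> str:
    """Equality match with the value escaped."""
    return f"({attr}={escape_filter_value(value)})"


# Placeholder group container, mirroring the thread's "ou=name,ou=name,o=name".
DEFAULT_BASE = "ou=name,ou=name,o=name"


def auth_filter(username: str, groups: list, base: str = DEFAULT_BASE) -> str:
    """Henrik's squid_ldap_auth filter: a person with cn=username who is a
    member of ANY of the listed groups (OR inside an AND)."""
    member_terms = [eq("groupMembership", f"cn={g},{base}") for g in groups]
    return and_(eq("cn", username), eq("objectClass", "person"), or_(*member_terms))


def group_filter(group: str, user_dn: str) -> str:
    """Tim's squid_ldap_group filter, with %g and %u already filled in:
    the named groupOfUniqueNames whose uniquemember lists the user's DN."""
    return and_(eq("cn", group), eq("uniquemember", user_dn),
                eq("objectClass", "groupOfUniqueNames"))


def substitute_unescaped(template: str, username: str) -> str:
    """Naive %s substitution: the username is spliced in verbatim, so
    '*' becomes a wildcard and ')' can close an assertion early."""
    return template.replace("%s", username)


def substitute_escaped(template: str, username: str) -> str:
    """%s substitution with RFC 4515 escaping applied first."""
    return template.replace("%s", escape_filter_value(username))


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    print(auth_filter("stefan", ["Internet", "Marketing", "Normal"]))
    print(group_filter("proxy_headoffice", "uid=tneto,o=DN"))
    tmpl = "(&(cn=%s)(objectClass=person))"
    print(substitute_unescaped(tmpl, "*"))   # matches every person
    print(substitute_escaped(tmpl, "*"))     # matches a cn of literal '*'
```

Run it and compare the last two lines: with the unescaped wildcard the filter no longer pins the bind to one account, which is exactly the class of input a helper must neutralise before it reaches the directory.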
