Here's the real question - is it actually possible to have group AUTHORISATION without requiring the user to enter any login details (AUTHENTICATION), i.e. the username comes from Windows or something?
Thanks, Oliver
Oliver Hookins wrote:
OK I've sorted out the parameters to use for squid_ldap_group. I have this line in squid.conf:
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local -f "(&(cn=%g)(member=%u)(objectClass=group))" -B cn=Users,dc=domain,dc=local -F "cn=%s" -D cn=Oliver,cn=Users,dc=domain,dc=local -w password 192.168.150.100
This brings back OK when I put in users who are in various groups. For example I am in the Internet group so when I enter "Oliver Internet" it returns OK. However access through the proxy is now giving me Cache Denied Request errors:
The following error was encountered:
Cache Access Denied.
Sorry, you are not currently allowed to request:
http://www.google.com/from this cache until you have authenticated yourself.
My other acl lines that control access are below:
acl group1 external ldap_group Internet http_access allow group1
What could be going on, since I am definitely a member of the group that I am allowing access to?
Regards, Oliver
Oliver Hookins wrote:
I'm trying to authorise users of the proxy by determining if they are a member of a certain Active Directory group or not. Yes, I've read the documentation, FAQ, mailing list archives and man pages but it is still confusing to me. The version in question is 2.5STABLE3.
On the 2000 domain controller I have standard users in the Users container. The authorised internet users will also be a member of a group called Internet. So far I've been using ldapsearch to verify what sort of information will be coming out of the LDAP but I find it hard to make this correspond to the parameters I'm putting into squid_ldap_group.
For example, here's an ldapsearch line that will give me the Internet group back with a list of members:
ldapsearch -x -b cn=Internet,cn=Users,dc=domain,dc=local -D cn=Administrator,cn=Users,dc=domain,dc=local -W -h 192.168.150.100
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Internet,cn=Users,dc=domain,dc=local> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# Internet, Users, domain.local dn: CN=Internet,CN=Users,DC=domain,DC=local member: CN=Cameron,CN=Users,DC=domain,DC=local member: CN=Oliver,CN=Users,DC=domain,DC=local cn: Internet groupType: -2147483646 instanceType: 4 distinguishedName: CN=Internet,CN=Users,DC=domain,DC=local objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=local objectClass: top objectClass: group objectGUID:: I6No/vayb0iE8uD6mxvtzg== objectSid:: AQUAAAAAAAUVAAAAPeMITdvrDFCoN9ZlVAYAAA== name: Internet sAMAccountName: Internet sAMAccountType: 268435456 uSNChanged: 746952 uSNCreated: 742415 whenChanged: 20041128224030.0Z whenCreated: 20041126041439.0Z
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
How do I turn this into a useful line for squid_ldap_group? I've tried the following with no success:
/usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local -f "(&(name=%g)(member=%u)(objectClass=group))" -D cn=Administrator,cn=Users,dc=domain,dc=local 192.168.150.100
Oliver Internet ERR CN=Oliver,CN=Users,DC=domain,DC=local Internet ERR
Also the fact that 2000 doesn't allow you to view what is going on with the LDAP queries makes it even harder. Any help will be greatly appreciated.
Regards, Oliver
This communication is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking any action in reliance on, this communication by persons or entities other than the intended recipient is prohibited. Exhibition IT Services Pty LTD makes no express or implied representation or warranty that this electronic communication or any attachment is free from computer viruses or other defects or conditions which could damage or interfere with the recipients data, hardware or software. This communication and any attachment may have been modified or otherwise interfered with in the course of transmission.
This communication is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking any action in reliance on, this communication by persons or entities other than the intended recipient is prohibited. Exhibition IT Services Pty LTD makes no express or implied representation or warranty that this electronic communication or any attachment is free from computer viruses or other defects or conditions which could damage or interfere with the recipients data, hardware or software. This communication and any attachment may have been modified or otherwise interfered with in the course of transmission.
