On Wed, 1 Dec 2004 [EMAIL PROTECTED] wrote:
I hope this has not been addressed anywhere in the mailing lists. I did a search and couldn't find anything, and I've already RTFM'd.
I don't understand how to set up the squid_ldap_group external acl type.
Start with setting up squid_ldap_auth WITHOUT any group restrictions. Then look into configuring squid_ldap_group. You need both.
This is what I've got so far:
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b <basedn> -D <squidaccount> -w <passwd> -f "(&(cn=%v)(groupMembership=cn=<group1dn>))" -h ldap.host
This is almost correct, but the group search filter should look for both the username and the group name, neither hardcoded. The group name is then specified in the acl.
Usually this looks something like the following:
auth_param basic program /path/to/squid_ldap_auth -f "(&(uid=%s)(objectClass=person))" -b dc=yourcompany,dc=com -h your.ldap.server
external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group -F "(&(uid=%s)(objectClass=person))" -f "(&(member=%u)(cn=%g))" -b dc=yourcompany,dc=com -h your.ldap.server
acl ldap_group_1 external ldap_group groupname1
acl ldap_group_2 external ldap_group groupname2
...
Then ldap_group_1 and ldap_group_2 are used in your http_access rules as required to authorize users' access to the proxy.
In the above, uid=%s is assuming users are identified by their uid attribute in your LDAP directory, and cn=%g that groups are identified by their CN, and that the base DN of your LDAP tree is dc=yourcompany,dc=com.
Regards Henrik
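As an added illustration of the two-step lookup Henrik describes (not code from the thread or from Squid itself), the following Python simulates what squid_ldap_group does with the -F and -f filters for each "user group" query it receives: find the user's DN with the -F filter, then substitute that DN (%u) and the acl's group name (%g) into the -f filter. The directory, user and group names are constructed in memory; the escaping step is the check a defender wants, so that a login name containing filter metacharacters is matched literally.

```python
import re

# Constructed in-memory directory (DN -> attributes); stands in for the LDAP server.
DIRECTORY = {
    "uid=alice,ou=people,dc=yourcompany,dc=com":
        {"uid": ["alice"], "objectClass": ["person"]},
    "uid=bob,ou=people,dc=yourcompany,dc=com":
        {"uid": ["bob"], "objectClass": ["person"]},
    "cn=groupname1,ou=groups,dc=yourcompany,dc=com":
        {"cn": ["groupname1"], "objectClass": ["groupOfNames"],
         "member": ["uid=alice,ou=people,dc=yourcompany,dc=com"]},
}

USER_FILTER = "(&(uid=%s)(objectClass=person))"   # the -F filter: finds the user's DN
GROUP_FILTER = "(&(member=%u)(cn=%g))"             # the -f filter: user DN plus group name

def ldap_escape(value):
    """RFC 4515 escaping of substituted values, so a login name containing
    '*', '(' or ')' is matched literally instead of rewriting the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def search(filt):
    """Evaluate an AND-of-equalities filter against DIRECTORY; return matching DNs."""
    inner = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filt)
    terms = re.findall(r"\(([^=()]+)=([^()]*)\)", inner.group(1))
    unescape = lambda v: re.sub(r"\\([0-9a-fA-F]{2})",
                                lambda m: chr(int(m.group(1), 16)), v)
    return [dn for dn, attrs in DIRECTORY.items()
            if all(unescape(v) in attrs.get(a, []) for a, v in terms)]

def check_group(user, group):
    """One 'user group' query as squid sends it (%LOGIN plus the acl's
    groupname argument); returns "OK" or "ERR" like the helper does."""
    users = search(USER_FILTER.replace("%s", ldap_escape(user)))
    if len(users) != 1:          # unknown or ambiguous login: deny
        return "ERR"
    filt = (GROUP_FILTER.replace("%u", ldap_escape(users[0]))
                        .replace("%g", ldap_escape(group)))
    return "OK" if search(filt) else "ERR"

if __name__ == "__main__":
    for line in ["alice groupname1", "bob groupname1", "carol groupname1"]:
        print(line, "->", check_group(*line.split()))
```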
