Hello Maxime,
The external LDAP helper "squid_ldap_group" only does a group check. You need to also use the external authentication helper "squid_ldap_auth".
Try something like:
------------------------------------------------------------------------------------------------
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldapserver -p port# -P -b "ou=****,dc=******" -f "uid=%s"
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minute
external_acl_type ldap_group %IDENT /usr/lib/squid/squid_ldap_group -b "ou=****,dc=******" -f "uid=%v" -h ldapserver
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
# acl users ident my_users
acl my_users external ldap_group my_users
http_access allow all my_users
http_access deny all
http_reply_access allow all my_users
http_reply_access deny all
icp_access allow all my_users
icp_access deny all
coredump_dir /var/spool/squid
------------------------------------------------------------------------------------------------
Note: the "acl" definitions are logical "or", and the "http_access", "http_reply_access", and "icp_access" definitions are logical "and". Also, you never properly referenced the external LDAP group check.
Hope this helps. Please reply to the Squid mailing list, so others may help or improve on my replies. This way all can learn and benefit.
Thanks.
Tim
-----------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer
Komatsu Canada Limited
1725B Sismet Road, Mississauga, Canada L4W 1P9
Ph#: 905-625-6292 x265
Fax: 905-625-6348
E-Mail: [EMAIL PROTECTED]
-----------------------------------------------------------
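To make the "acl is OR, http_access is AND, first match wins" point concrete, here is a small Python model of that evaluation order. It is an added illustration, not Squid's code and not part of Tim's or Maxime's mails: the `LDAP_GROUPS` table is a constructed stand-in for what the squid_ldap_group helper would answer, the `decide` helper and the three config strings are made up for the demonstration, and it only models the src, ident and external ACL types that the thread uses. It shows why `acl users ident my_users` never reaches the LDAP helper (an ident ACL is a plain username list) while Tim's `acl my_users external ldap_group my_users` does.

```python
"""Toy model of Squid's acl / http_access evaluation (added example; not Squid's own code).

It models only the semantics discussed in the thread:
  * several "acl NAME ..." lines with the same NAME are OR'ed together;
  * every ACL named on one "http_access allow|deny A B ..." line must match (AND);
  * lines are tested in order and the first fully matching line decides;
  * if no line matches, Squid uses the opposite of the last line's action.
ACL types handled: src, ident, external (a stand-in for the squid_ldap_group helper,
answered from a constructed group table instead of a real LDAP server).
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for what the squid_ldap_group helper would report per ident user.
LDAP_GROUPS = {"alice": {"my_users"}, "bob": {"my_users", "admins"}, "mallory": set()}


def parse_config(text):
    """Return (acls, rules): acls maps name -> [(type, values)]; rules is the ordered
    list of (action, [(negated, acl_name), ...]) taken from http_access lines."""
    acls, rules = defaultdict(list), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            acls[parts[1]].append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    """True if any line defining `name` matches the request (lines are OR'ed)."""
    if name not in acls:
        raise KeyError(f"http_access references undefined acl {name!r}")
    for acltype, values in acls[name]:
        if acltype == "src":
            for v in values:
                if v == "0.0.0.0/0.0.0.0" or ipaddress.ip_address(req["src"]) in \
                        ipaddress.ip_network(v, strict=False):
                    return True
        elif acltype == "ident":
            # A plain username list: matches only a user literally named in the list.
            if req.get("ident") in values:
                return True
        elif acltype == "external":
            # values = [helper_name, group, ...]; the helper receives the %IDENT user
            # and answers OK when that user is in one of the requested LDAP groups.
            user, groups = req.get("ident"), set(values[1:])
            if user and LDAP_GROUPS.get(user, set()) & groups:
                return True
        else:
            raise ValueError(f"unsupported acl type {acltype!r}")
    return False


def http_access(acls, rules, req):
    """Apply http_access lines in order; the first line whose terms all match decides."""
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action == "allow"
    # No line matched: the default is the opposite of the last line's action
    # (and deny when there are no http_access lines at all).
    return bool(rules) and rules[-1][0] == "deny"


def decide(config_text, ident, src="10.0.0.5"):
    """Convenience wrapper (hypothetical): allow/deny for one request."""
    acls, rules = parse_config(config_text)
    return http_access(acls, rules, {"ident": ident, "src": src})


# Shape of Tim's fix: the external ACL is what carries the LDAP group check.
TIM_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl my_users external ldap_group my_users
http_access allow all my_users
http_access deny all
"""

# Shape of the original config: "ident my_users" is a username list, so it only
# matches a user literally called my_users and never consults the external helper.
ORIGINAL_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl users ident my_users
http_access allow users
http_access deny all
"""

# Two lines defining the same acl name are OR'ed.
OR_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl staff ident alice
acl staff ident bob
http_access allow staff
http_access deny all
"""

if __name__ == "__main__":
    for user in ("alice", "mallory", None):
        print(f"{user!s:8} TIM={decide(TIM_CONF, user)}  ORIGINAL={decide(ORIGINAL_CONF, user)}")
```

Running it shows alice allowed and mallory (not in the group) denied under the corrected shape, while under the original shape every real user is denied because nothing ever queries the helper. Note that this model treats the ident user as trusted, which is exactly the gap Tim's squid_ldap_auth line closes: without basic auth, the decision rests entirely on whatever identd on the client reports.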
Maxime Chambreuil wrote:
Hi squid-users,
I want to setup a proxy server for statistics purposes. So all the browsers on the network will be configured to reach the internet through Squid.
I want statistics per user, so I am getting the login with identd installed on each computers on the network. Security issue about ident is not my problem here.
Then I want to check that the username returned by ident is present in the LDAP authentication server and allow/deny the internet access depending on the users privileges.
After reading the mailing-list and FAQ, I came up with the idea that it was possible and with the following configuration:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
external_acl_type my_users %IDENT /usr/lib/squid/squid_ldap_group -b "ou=****,dc=******" -f "uid=%v" -h ldapserver
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl users ident my_users
http_access allow users
http_access deny all
http_reply_access allow users
http_reply_access deny all
icp_access allow users
icp_access deny all
coredump_dir /var/spool/squid
Unfortunately this is not working: it doesn't matter if the user is in LDAP or not, I was always refused...
I tried to use squid_ldap_group on the command line. It's working if I give the username and password, so I wonder how I can get an "OK" just if the user is present.
Any help or ideas would be greatly appreciated.
Thanks
