Hi Erwann,

Sorry, I forgot to specify that I have got an http_access rule below which does work. I can authenticate when using only the username and password in AD, but not when using domain\username.

http_access allow InetAccess

Clayton York

-----Original Message-----
From: Erwann PENCREACH [mailto:[email protected]]
Sent: Friday, July 10, 2009 1:38 PM
To: [email protected]
Subject: Re: [squid-users] Help Please : NT Domain name stripping in squid_ldap_group

Hi,

there is no access rule below.
You need at least one to grant or deny access.

For instance, this is one of mine:

####
external_acl_type loggeduser %DST %SRC /squid_script_path/loggeduser_acl.sh
acl isok external loggeduser
http_access allow isok
###

where /squid_script_path/loggeduser_acl.sh gets the uid of the user logged on %SRC (asks samba to tell), checks the access type to the internet defined in an ldap directory, then returns OK or KO depending on the url and the effective rights.

Clayton York wrote:
> Hi All,
>
>
> I am a newbie to Linux and squid and require some assistance please.
>
> I am running a server on CENTOS release 5.2 (Final), and have configured
> squid (2.6.STABLE21-3) for ldap group authentication with Active Directory.
> I have seen in the man page for the squid_ldap_group there is an -S option to
> strip the NT domain name from the username. I have added the -S to our
> squid.conf file, squid_ldap_group section however this does not seem to strip
> the domain name as from the access.log file I can see that squid still passes
> the domain\username through to AD which then fails.
>
> Please find my squid authentication configuration below.
>
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b
> "dc=domnet,dc=bbd,dc=co,dc=za" -D
> "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f
> sAMAccountName=%s -h 10.3.1.216
> auth_param basic children 5
> auth_param basic realm Your Organisation Name
> auth_param basic credentialsttl 1 hour
>
>
> external_acl_type InetGroup ttl=60 %LOGIN
> /usr/lib64/squid/squid_ldap_group -R -b "dc=domnet,dc=bbd,dc=co,dc=za"
> -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w
> "password" -f "(&(objectclass=person)(sAMAccountName=%v)
> (memberof=cn=%a,ou=SquidUsers,dc=bbdnet,dc=bbd,dc=co,dc=za))" -S -h
> 10.3.1.216
>
>
> acl InetAccess external InetGroup SquidUsersAllow
>
>
> Please if anyone has any insight into what I might be missing please let me
> know.
>
>
> Thank you,
>
> Clayton York
> --
> This e-mail has been scanned and is free of viruses known to date.
> Contact your administrator for more information.
> [email protected]
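
An added example (not from either poster, and not Squid's own code) of what a group-check helper of the kind discussed in this thread does with a `domain\username` login: strip the NT domain, escape the value for the LDAP filter, and answer OK or ERR as Squid's external ACL helper interface expects. It assumes Squid passes %LOGIN URL-escaped on the helper's input; the placeholder DN in the filter template, the sample logins and the `search` callback standing in for a real LDAP lookup are constructed.

```python
import re
from urllib.parse import unquote

# Constructed template in the thread's %v (user) / %a (group) style; placeholder DN.
FILTER = ("(&(objectclass=person)(sAMAccountName=%v)"
          "(memberof=cn=%a,ou=SquidUsers,dc=example,dc=com))")

def strip_nt_domain(login):
    """Drop a leading DOMAIN\\ or DOMAIN/ part (approximates the documented -S)."""
    for sep in ("\\", "/"):
        head, found, rest = login.partition(sep)
        if found and rest:
            return rest
    return login

def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so a login cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(user, group):
    """Substitute both values in one pass so a value cannot introduce a new token."""
    values = {"%v": ldap_escape(user), "%a": ldap_escape(group)}
    return re.sub(r"%[va]", lambda m: values[m.group(0)], FILTER)

def handle(line, search):
    """Answer one helper request line '<login> <group>...' with OK or ERR."""
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"
    user = strip_nt_domain(fields[0])
    hit = any(search(build_filter(user, g)) for g in fields[1:])
    return "OK" if hit else "ERR"

if __name__ == "__main__":
    # Constructed stand-in for the directory: the one filter that matches an entry.
    directory = {build_filter("cyork", "SquidUsersAllow")}
    for request in ("DOMNET%5Ccyork SquidUsersAllow",   # domain\user, escaped
                    "cyork SquidUsersAllow",            # bare username
                    "*)(cn=* SquidUsersAllow"):         # filter metacharacters
        print(request, "->", handle(request, directory.__contains__))
```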
