Clayton York wrote:
Hi All,


I am a newbie to Linux and squid and require some assistance please.

I am running a server on CENTOS release 5.2 (Final), and have configured squid 
(2.6.STABLE21-3) for ldap group authentication with Active Directory.
I have seen in the man page for the squid_ldap_group there is an -S option to 
strip the NT domain name from the username. I have added the -S to our 
squid.conf file, squid_ldap_group section however this does not seem to strip 
the domain name as from the access.log file I can see that squid still passes 
the domain\username through to AD which then fails.

Please find my squid authentication configuration below.

auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f sAMAccountName=%s -h 10.3.1.216
auth_param basic children 5
auth_param basic realm Your Organisation Name
auth_param basic credentialsttl 1 hour


external_acl_type InetGroup ttl=60 %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%a,ou=SquidUsers,dc=bbdnet,dc=bbd,dc=co,dc=za))" -S -h 10.3.1.216

You are using %v and %a in the search filter, but the man page reads...

     -f filter
             LDAP search filter used to search the LDAP directory for any matching group memberships. In the filter %u will be replaced by the user name (or DN if the -F or -u options are used) and %g by the requested group name.


acl InetAccess external InetGroup SquidUsersAllow


Please if anyone has any insight into what I might be missing please let me 
know.


Thank you,

Clayton York

Chris
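
Added example, not part of either message and not the helper's own code: a small Python model of how the %u/%g substitution described in the man page excerpt combines with the -S option, so the filter that reaches the directory can be checked offline. The login DOMNET\cyork is a constructed sample, and the RFC 4515 value escaping and the prefix-stripping rule are assumptions about the helper.

```python
# Added illustration: models the documented -S and -f behaviour; not squid_ldap_group source.
RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# The filter posted above, with %v/%a swapped for the %u/%g placeholders the man page names.
FILTER = ("(&(objectclass=person)(sAMAccountName=%u) "
          "(memberof=cn=%g,ou=SquidUsers,dc=bbdnet,dc=bbd,dc=co,dc=za))")


def strip_nt_domain(login):
    """Model of -S (assumed rule): drop a leading 'DOMAIN\\' or 'DOMAIN/' prefix."""
    for sep in ("\\", "/"):
        _domain, found, user = login.partition(sep)
        if found and user:
            return user
    return login  # no separator, or nothing after it: leave the login alone


def escape_value(value):
    """Escape characters that are special inside an LDAP filter value (RFC 4515)."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, login, group, strip_domain=False):
    """Replace %u with the (optionally stripped) user name and %g with the group."""
    user = strip_nt_domain(login) if strip_domain else login
    values = {"u": escape_value(user), "g": escape_value(group)}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and template[i + 1:i + 2] in values:
            out.append(values[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample login; compare the filter with and without -S.
    for strip in (False, True):
        print("-S" if strip else "no -S",
              expand_filter(FILTER, "DOMNET\\cyork", "SquidUsersAllow", strip))
```

Without stripping, the backslash is escaped and the sAMAccountName comparison is made against the whole DOMNET\cyork string, which no account will match.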
