>I've added the following to squid.conf:
>
>external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b "CN=Users,DC=heidelberg,DC=bw-online,DC=de" -f "(&(cn=%g)(memberUid=%u)(objectClass=ebay))" -B "CN=Users" -F "(CN=%s)" -D "CN=ldap,CN=Users,DC=heidelberg,DC=bw-online,DC=de" -w "PASSWORD" -h dc2.heidelberg.bw-online.de -v 3 -K
>
>ebay is the group that contains the users which should be allowed; this group is in the container Users. The user to read the AD is ldap, also located in the container Users.
>
>I've deleted the acl and the http_access for the authenticated users with kerberos and added the following:
>
>acl ldapgroup-access external ldapgroup @HEIDELBERG.BW-ONLINE.DE
That's wrong, according to you, ebay is the group?

external_acl_type ldapgroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "DC=domain,DC=local" -D "CN=LDAP,OU=Service Accounts,OU=Some OU,DC=domain,DC=local" -W /etc/squid/squid_ldap_group_secret -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Some OU,OU=Another OU,DC=domain,DC=local))" -h 192.168.0.2 -d -K

acl ldapgroup-access external ldapgroup ebay

That's how I do it.

>http_access allow all ldapgroup-access
>
>But now, even members of the ebay-group get denied. Can anyone see my
>mistake?

Probably finish that with:

http_access deny !<auth acl name>
http_access allow ldapgroup <auth acl name> all

You can also run that external_acl_type from the cli and enter user/group pairs separated by a space and see the results. Also adding a -d will show what was sent as a query to the ldap server in your cache log.

Hth,
jlc
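As an added illustration of what the helper is doing when you feed it "user group" pairs on the cli (this is example code written for this reply, not Squid's squid_ldap_group and not the poster's configuration): the script below reads pairs from stdin, substitutes the user into %v and the group into %a of a filter shaped like the -f argument above, and answers OK or ERR per line, which is the external ACL helper protocol. The directory entries, the base DN CN=Users,DC=example,DC=test and the account names are constructed sample data. The substitution escapes the values as RFC 4515 requires, so a login name containing filter metacharacters cannot change the shape of the query; a quick run of the script with such a name shows it simply gets ERR.

```python
"""Simulated squid_ldap_group lookup: read "user group" pairs on stdin,
build the LDAP filter from a %v/%a template, answer OK or ERR per line."""
import re
import sys

# Constructed stand-in for a few AD user objects (sample data only).
DIRECTORY = [
    {"objectclass": ["person"],
     "samaccountname": ["alice"],
     "memberof": ["CN=ebay,CN=Users,DC=example,DC=test"]},
    {"objectclass": ["person"],
     "samaccountname": ["bob"],
     "memberof": ["CN=staff,CN=Users,DC=example,DC=test"]},
]

# Same shape as the -f argument in the reply; base DN is an assumed example.
FILTER_TEMPLATE = ("(&(objectclass=person)(sAMAccountName=%v)"
                   "(memberof=CN=%a,CN=Users,DC=example,DC=test))")

# RFC 4515 escaping for values placed inside a search filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def ldap_escape(value):
    """Escape a single assertion value for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def build_filter(template, user, group):
    """Substitute %v (user) and %a (group) into the template, escaped."""
    return (template.replace("%v", ldap_escape(user))
                    .replace("%a", ldap_escape(group)))


# One equality assertion: (attr=value), value may contain \xx escapes.
_ASSERTION = re.compile(r"\(([^=()]+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def matches(entry, ldap_filter):
    """Evaluate a filter of the form (&(a=v)(b=w)...) against one entry.

    This toy evaluator only understands an AND of equality assertions,
    which is all the template above produces; anything else is rejected.
    """
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        raise ValueError("only AND-of-equality filters are supported here")
    body = ldap_filter[2:-1]
    assertions = _ASSERTION.findall(body)
    if _ASSERTION.sub("", body) != "":
        raise ValueError("unsupported filter syntax: %r" % body)
    for attr, raw in assertions:
        wanted = _unescape(raw).lower()
        have = [v.lower() for v in entry.get(attr.lower(), [])]
        if wanted not in have:
            return False
    return True


def lookup(user, group, directory=DIRECTORY, template=FILTER_TEMPLATE):
    """Return 'OK' if some entry satisfies the user/group filter, else 'ERR'."""
    ldap_filter = build_filter(template, user, group)
    try:
        return "OK" if any(matches(e, ldap_filter) for e in directory) else "ERR"
    except ValueError:
        return "ERR"


def main():
    # Helper protocol: one "user group" pair per line in, OK/ERR per line out.
    for line in sys.stdin:
        parts = line.split()
        if len(parts) < 2:
            print("ERR")
        else:
            print(lookup(parts[0], parts[1]))
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it as `printf 'alice ebay\nbob ebay\n' | python3 helper.py` and you get OK then ERR, the same two-line shape you would see from the real helper on the cli; with -d the real helper additionally logs the substituted filter, which is what build_filter returns here.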
