
Re: [squid-users] web access based on ldap groups


 



On Fri, 4 Feb 2005, cipher wrote:

external_acl_type ldap_group ttl=120 negative_ttl=120 %LOGIN /usr/local/squid/libexec/squid_ldap_group -b ou=squid,o=domain.int -f "(&(uid=%v)(memberUid=%g))" -B ou=People,o=domain.int -F "uid=%s" -S -R -D uid=proxy,ou=squid,o=dmain.int -w proxy-binder -h localhost
[...]

dn: cn=proxy-allow,ou=squid, o=domain.int
gidNumber: 600
memberUid: test-user
objectClass: posixGroup
objectClass: top
cn: proxy-allow

Ok, so your LDAP groups are defined with

  cn = group name
  memberUid = login name (NOT DN) being member of the group

In squid_ldap_group terms this becomes

  -f "(&(cn=%g)(memberUid=%u))"

and you should NOT use a -F flag to translate the login names to DN.


Normally in LDAP, groups use the member attribute, listing full DNs of the users being members of the group, not just login names (uid), but thanks to its flexible design squid_ldap_group doesn't really care and handles both nicely, at the cost of requiring careful configuration to match your directory design.


Regards
Henrik
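
Added example (not part of the reply above and not code from Squid): a small Python model that expands both -f filter templates from this thread and evaluates them against the quoted proxy-allow entry, showing why the original filter never matches and the corrected one does. It assumes %u/%v both stand for the login name and %g/%a for the group name; the RFC 4515 escaping and the flat equality-only evaluator are simplifications made for this example.

```python
import re

# Constructed from the group entry quoted in the thread (attribute names lowercased).
GROUP_ENTRY = {
    "cn": ["proxy-allow"],
    "memberuid": ["test-user"],
    "gidnumber": ["600"],
    "objectclass": ["posixGroup", "top"],
}

ORIGINAL = "(&(uid=%v)(memberUid=%g))"   # filter from the question
CORRECTED = "(&(cn=%g)(memberUid=%u))"   # filter from the reply

_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape(value):
    """RFC 4515 escaping so a login or group name cannot alter the filter."""
    return "".join(_ESC.get(ch, ch) for ch in value)


def expand(template, user, group):
    """Assumption: %u and %v both mean the login name, %g and %a the group."""
    subs = {"u": user, "v": user, "g": group, "a": group}
    return re.sub(r"%([uvga])", lambda m: escape(subs[m.group(1)]), template)


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(ldap_filter, entry):
    """Evaluate a flat (&(attr=value)...) equality filter against one entry."""
    terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
    if not terms:
        raise ValueError("unsupported filter: " + ldap_filter)
    return all(
        unescape(value).lower() in [v.lower() for v in entry.get(attr.lower(), [])]
        for attr, value in terms
    )


def is_member(template, user, group):
    return matches(expand(template, user, group), GROUP_ENTRY)


if __name__ == "__main__":
    for name, tpl in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, expand(tpl, "test-user", "proxy-allow"),
              is_member(tpl, "test-user", "proxy-allow"))
```

The original template fails because it looks for a uid attribute on the group entry and compares memberUid with the group name; a wildcard login such as "*" is escaped and therefore does not match every member.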
