Hi, I'm seeking some Squid or ldap guru help ! we are working in a customer site trying to configure Squid authentication to eDirectory LDAP using groups membership. Current implementation is working fine with openldap, but when we try eDirectory LDAP it fails. They are using squid_ldap_auth and squid_ldap_group modules. It seems to be a problem with group membership attributes, the valiu for member attribute returned by both ldap servers are different. When querying to openldap it returns: # g_http_internet, poderjudicial, gub, uy dn: cn=g_http_internet, dc=poderjudicial,dc=gub,dc=uy objectClass: groupOfNames objectClass: top "member: cn=csomma" But when querying to eDir LDAP it returns: # g_http_internet, poderjudicial dn: cn=g_http_internet,o=poderjudicial objectClass: groupOfNames objectClass: Top "member: cn=csomma,ou=divTec,ou=dgsa,ou=scj,o=poderjudicial" This is the current configuration with openldap (which works fine), but doesn't work with eDir LDAP. #external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_group -d -b "dc=poderjudicial,dc=gub,dc=uy" -B "dc=poderjudicial,dc=gub,dc=uy" - h localhost -f "(&(objectclass=groupOfNames)(cn=%a)(member=cn=%u))" Forcing member= full distinguised name, it works, but here the problem is with sublevels contexts under o=poderjudicial. external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_g roup -d -b "o=poderjudicial" -B "o=poderjudicial" -s sub -h 10.0.3.61 -f "(&(obj ectclass=groupOfNames)(cn=%a)(member=cn=%u,o=poderjudicial))" Is there a way to put something in the filter like member=fdn, or member=%u*, we tried with -F also but it doesn't work. Or setting the filter to match the full distinguished name ? Thanks !! Adrian.
