Search squid archive

Re: [squid-users] squid_ldap_group with novell ldap

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 12 Feb 2005, Adrian Malaguti wrote:

They are using squid_ldap_auth and squid_ldap_group modules.
It seems to be a problem with group membership attributes, the valiu for
member attribute returned by both ldap servers are different.
When querying to openldap it returns:

# g_http_internet, poderjudicial, gub, uy
dn: cn=g_http_internet, dc=poderjudicial,dc=gub,dc=uy
objectClass: groupOfNames
objectClass: top
"member: cn=csomma"

This is not a correct member of a groupOfNames.. the member should be the full DN of the member user, not just the CN.


But when querying to eDir LDAP it returns:
# g_http_internet, poderjudicial
dn: cn=g_http_internet,o=poderjudicial
objectClass: groupOfNames
objectClass: Top
"member: cn=csomma,ou=divTec,ou=dgsa,ou=scj,o=poderjudicial"

Looks good.

This is the current configuration with openldap (which works fine), but
doesn't work with eDir LDAP.
#external_acl_type ldap_group_helper %LOGIN
/usr/local/squid/libexec/squid_ldap_group -d -b
"dc=poderjudicial,dc=gub,dc=uy" -B "dc=poderjudicial,dc=gub,dc=uy" -
h localhost -f "(&(objectclass=groupOfNames)(cn=%a)(member=cn=%u))"

You need to use the -F flag to tell squid_ldap_group how to find the user from the login name. Same as teh -f flag to squid_ldap_auth.


Note that the -f flag needs to be changed somewhat by removing any DN components from the member attribute match (memeber=%u instead of member=cn=%u).

For clarity I would recomment using %g instead of %a. Especially considering you are already using %u for the user.. (initial version of squid_ldap_group used %a/%v, current versions uses %g/%u but also supports the older codes..)

Regards
Henrik

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux