On Sat, 12 Feb 2005, Adrian Malaguti wrote:
> They are using the squid_ldap_auth and squid_ldap_group modules. It seems to be a problem with group membership attributes: the value of the member attribute returned by the two LDAP servers is different. When querying OpenLDAP it returns:
>
> # g_http_internet, poderjudicial, gub, uy
> dn: cn=g_http_internet, dc=poderjudicial,dc=gub,dc=uy
> objectClass: groupOfNames
> objectClass: top
> "member: cn=csomma"
This is not a correct member of a groupOfNames: the member should be the full DN of the member user, not just the CN.
> But when querying eDir LDAP it returns:
>
> # g_http_internet, poderjudicial
> dn: cn=g_http_internet,o=poderjudicial
> objectClass: groupOfNames
> objectClass: Top
> "member: cn=csomma,ou=divTec,ou=dgsa,ou=scj,o=poderjudicial"
Looks good.
> This is the current configuration with OpenLDAP (which works fine), but it doesn't work with eDir LDAP:
>
> #external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_group -d -b "dc=poderjudicial,dc=gub,dc=uy" -B "dc=poderjudicial,dc=gub,dc=uy" -h localhost -f "(&(objectclass=groupOfNames)(cn=%a)(member=cn=%u))"
You need to use the -F flag to tell squid_ldap_group how to find the user from the login name. Same as the -f flag to squid_ldap_auth.
Note that the -f flag needs to be changed somewhat by removing any DN components from the member attribute match (member=%u instead of member=cn=%u).
For clarity I would recommend using %g instead of %a, especially considering you are already using %u for the user. (The initial version of squid_ldap_group used %a/%v; current versions use %g/%u but also support the older codes.)
Regards
Henrik
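The helper line as it would look after applying the advice above, written out here as an added example rather than anything posted in the thread. The eDir base DN and group name come from the quoted output; the user object class (Person), the naming attribute used for login names (cn) and the subtree scope are assumptions about this directory and must be checked against it.

```conf
# Constructed example (not from the original post): squid_ldap_group for eDirectory,
# where the member attribute of the group holds the full DN of the user.
#
# -F  user search filter; %s is replaced by the login name passed in by %LOGIN.
#     The DN found here is what %u expands to in the -f group filter.
# -f  group search filter; %g is the group name given as the ACL argument,
#     %u is the user DN resolved through -F (so no "cn=" prefix in front of it).
# -s  search scope for both lookups; "sub" because the users live several
#     ou levels below o=poderjudicial (assumed, verify with ldapsearch).
# -d  debug output to cache.log; drop it once the lookup works.
external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_group \
    -d \
    -s sub \
    -b "o=poderjudicial" \
    -B "o=poderjudicial" \
    -F "(&(objectclass=Person)(cn=%s))" \
    -f "(&(objectclass=groupOfNames)(cn=%g)(member=%u))" \
    -h localhost

# The group name is the argument to the external ACL; the helper answers OK/ERR.
acl internet_users external ldap_group_helper g_http_internet
http_access allow internet_users
http_access deny all

# Manual check before reloading Squid: the helper reads "login group" pairs on
# stdin and prints OK or ERR per line, so the same flags can be tested like this:
#   echo "csomma g_http_internet" | /usr/local/squid/libexec/squid_ldap_group -d -s sub \
#       -b "o=poderjudicial" -B "o=poderjudicial" \
#       -F "(&(objectclass=Person)(cn=%s))" \
#       -f "(&(objectclass=groupOfNames)(cn=%g)(member=%u))" -h localhost
```

If the manual check returns ERR, the -d output in the debug log shows which of the two searches (user DN via -F, or group via -f) found nothing, which is the quickest way to tell a wrong object class or base from a wrong member value.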