Re: [squid-users] squid_ldap_group user authorization

[Jayesh Kamdar <jkamdar@xxxxxxxxx>]

Yes, I tried a search filters with ldapsearch. (ldapsearch -h ldapsrv1 
-D "uid=jkamdar,o=mitre.org" -b "o=mitre.org" cn="Kamdar,Jayesh H.")

Now, before I get into details about syntex with squid ...I am confused 
about
   - squid_ldap_match
   - squid_ldap_auth
   - squid_ldap_group

I do have binaries for squid_ldap_match and squid_ldap_auth but I can 
only find man page on the net for squid_ldap_group. It looks like I need 
to use squid_ldap_group for what I need to do. Where can I find it?

Please let me know. Sorry for asking some basic quesions but I am new to 
all these and really confused.

Thanks for your help,
Jayesh

Ytzhak Levy wrote:

> Did you test this filter and your credentials with ldapsearch ?
> this is the first step.
>
> then test squid_auth_auth from a terminal. I dont know if squid_ldap_auth have a debug mode as squid_ldap_group.
>
> squid_auth_ldap didnt work in my site, but i build a perl script that do (basically) the same thing:
>
> #!/usr/bin/perl
>
> $| = 1;
> while(<>){
>
>        ($user,$passwd) = split;
>        $res = system("ldapsearch -h SERVR_IP -b BASE_SEARCH -D \"AD_domain\\$user\" -w $passwd \"(sAMAccountName=$user)\" > /dev/null");
>        if ($res == 0){ print "OK\n"; }
>        else { print "ERR\n"; }
>
> }
>
> this works well in Active Directory.
>
> replace the filter with the attributes that you want to find.
>
>
> cheers
>
>
>  
>
> > Please tell me your syntax that you use in your conf. file.
> >
> > Here is what I have ...
> >
> > auth_param basic program /usr/lib/squid/squid_ldap_auth -h 
> > ldapsrv1.mitre.org -b "o=mitre.org" -D "ou=people,o=mitre.org" -f 
> > "(&(CN=%s)(memberOf=CN=osis_proxyauth_lg))"
> >
> > So when I tried to use this proxy, the dialog box pops up. I type 
> > in username and pasword but it fails with error in squid.log ...
> > 1111177616.481     12 india.mitre.org TCP_DENIED/407 1742 POST 
> > http://shttp.msg.yahoo.com/notify/ jkamdar NONE/- text/html
> >
> > It doesn't even tries to access my ldapserver, so something is 
> > wrong on my config.
> >
> > Can you please help me out?
> >
> > Thanks,
> > Jayesh
> >
> > Ytzhak Levy wrote:
> >
> >    
> >
> > > Thanks !!!
> > >
> > > All works fine now.
> > >
> > > The only thing that i have to did is to put AD_domain\\lookup, in 
> > > the login name param.
> > >
> > >
> > > Cheers
> > >
> > >
> > >
> > >
> > >
> > >      
> > >
> > > > On Sat, 19 Mar 2005, Ytzhak Levy wrote:
> > > >
> > > >
> > > >
> > > >        
> > > >
> > > > > #dn of group: CN=CGI - Rede,OU=Global,OU=Grupos,DC=mydomain,DC=com
> > > > > acl REDE_GRP external ldap_group CGI\ -\ Rede
> > > > >
> > > > >
> > > > >          
> > > > This does not work.
> > > >
> > > > Currently the only way to define acl elements with spaces in 
> > > > them is to use an acl file.
> > > >
> > > > acl REDE_GRP external ldap_group "/path/to/group.txt"
> > > >
> > > > where /path/to/group.txt contains
> > > > CGI - Rede
> > > >
> > > > Regards
> > > > Henrik
> > > >
> > > >
> > > >        
> > >
> > >      
>
>