On Mon, 14 Nov 2005, Andreas Bittner wrote:
> I'm trying to figure out how the squid_ldap_auth and squid_ldap_group
> stuff works, and I'm kinda new to LDAP. I'd like to set up and understand a
> very basic setup.
squid_ldap_auth verifies the user's password by trying to log in to the
LDAP directory using the user-supplied password.
squid_ldap_group checks if the user is a member of a given group by
searching for the membership in the LDAP directory.
> My problem of understanding is basically: if I have a simple company
> (LDAP tree) like on that page, with three groups, it-services, sales and
> management, how do I create a group that is allowed to surf the Google
> pages? I somehow can't figure out what the LDAP tree is going to look
> like then.
Do you need an additional group, or can you construct your criteria based
on the existing groups?
> Also, do I need to use both the squid_ldap_auth and squid_ldap_group?
Yes, most likely.
> I don't quite understand what the author of the page means by
> "A group is just a list of distinguished names"
This is an LDAP term.
In LDAP everything (user, group, computer, company, table, spoon, office,
chair, whatever) has a distinguished name which identifies the object
within the LDAP tree. Normally groups in LDAP are constructed by listing
the objects which are members of the group by their distinguished name.
dn: cn=SomeGroup, ou=Engineering, dc=company, dc=com
cn: SomeGroup
objectClass: groupOfNames
member: cn=Some User, ou=Engineering, dc=company, dc=com
member: cn=Another User, ou=Engineering, dc=company, dc=com
Other ways also exist. LDAP is just a standard for how to access
directory data, not how it should be organized. Another quite common
method is to list the members by their login name, not caring that much
about the LDAP structure of things.
squid_ldap_group requires that the group object lists its members either
by login name or by the corresponding user objects' distinguished
names.
Regards
Henrik
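The two checks Henrik describes, as an added example that is not part of the original thread and not the code of the real squid helpers: a small in-memory directory parsed from LDIF, a bind-style password check modelled on squid_ldap_auth, and a membership check modelled on squid_ldap_group that accepts both group styles he mentions (members listed by DN in a groupOfNames, or by login name in a posixGroup-style memberUid attribute). The LDIF, user names, login names and passwords are constructed for the example; the group entry is his, extended with its two users. Two practitioner details are built in: DNs are normalised before comparison (his example writes them with spaces after the commas and upper-case attribute types, which a naive string compare would miss), and an empty password is rejected before the "bind", because an LDAP simple bind with an empty password is an anonymous bind and would otherwise succeed.

```python
"""Toy model of what the two squid LDAP helpers do, run against a small
in-memory directory parsed from LDIF. No LDAP server or library needed."""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]


def _sha_password(pw: str) -> str:
    """RFC 2307 style {SHA} userPassword value (demo only; real deployments
    should use a salted scheme such as {SSHA} or {CRYPT})."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(pw.encode()).digest()).decode()


# Constructed sample: the groupOfNames group from the mail, its two users,
# and a second group that lists members by login name (memberUid) instead.
SAMPLE_LDIF = f"""\
dn: cn=Some User,ou=Engineering,dc=company,dc=com
objectClass: inetOrgPerson
cn: Some User
uid: someuser
userPassword: {_sha_password("correct horse")}

dn: cn=Another User,ou=Engineering,dc=company,dc=com
objectClass: inetOrgPerson
cn: Another User
uid: another
userPassword: {_sha_password("battery staple")}

dn: CN=SomeGroup, OU=Engineering, DC=company, DC=com
objectClass: groupOfNames
cn: SomeGroup
member: CN=Some User, OU=Engineering, DC=company, DC=com
member: CN=Another User, OU=Engineering, DC=company, DC=com

dn: cn=google-surfers,ou=Groups,dc=company,dc=com
objectClass: posixGroup
cn: google-surfers
memberUid: someuser
"""


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: case-folded, no space after commas.
    Adequate for caseIgnore attributes such as cn, ou and dc."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> Directory:
    """Minimal LDIF reader: {normalized dn: {attr: [values]}}.
    Attribute names are lower-cased; a blank line ends an entry."""
    directory: Directory = {}
    current: Optional[Entry] = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = directory.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return directory


def find_user_dn(directory: Directory, login: str) -> Optional[str]:
    """The search step both helpers need: map a login name (uid) to a DN."""
    for dn, entry in directory.items():
        if login in entry.get("uid", []):
            return dn
    return None


def ldap_auth(directory: Directory, login: str, password: str) -> bool:
    """squid_ldap_auth model: look up the user's DN, then 'bind' as that DN
    with the supplied password by comparing against the stored hash."""
    if not password:          # empty password == anonymous bind: never accept
        return False
    dn = find_user_dn(directory, login)
    if dn is None:
        return False
    expected = _sha_password(password)
    return any(hmac.compare_digest(stored, expected)
               for stored in directory[dn].get("userpassword", []))


def ldap_group(directory: Directory, login: str, group: str) -> bool:
    """squid_ldap_group model: is `login` in the group named `group`, whether
    the group lists members by DN (member) or by login name (memberUid)?"""
    user_dn = find_user_dn(directory, login)
    for entry in directory.values():
        if group not in entry.get("cn", []):
            continue
        if login in entry.get("memberuid", []):
            return True
        if user_dn and any(normalize_dn(m) == user_dn for m in entry.get("member", [])):
            return True
    return False


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    print("auth someuser:", ldap_auth(d, "someuser", "correct horse"))
    print("someuser in SomeGroup:", ldap_group(d, "someuser", "SomeGroup"))
    print("another in google-surfers:", ldap_group(d, "another", "google-surfers"))
```

The toy matches attribute values directly, so it never builds an LDAP search filter; a real helper hands the login name to the server inside a filter string, and any such string built from user input has to escape the RFC 4515 metacharacters (`*`, `(`, `)`, `\` and NUL) before use.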