Henrik Nordstrom wrote:

> squid_ldap_group checks if the user is member of a given group by
> searching for the membership in the LDAP directory.

i think this step is my problem. how do i tell the squid_ldap_group the group it should actually check the HTTP-AUTHenticated user against?

> DN: CN=SomeGroup, OU=Engineering, DC=company, DC=com
> CN: Some Group
> objectClass: groupOfNames
> member: CN=Some User, OU=Engineering, DC=company, DC=com
> member: CN=Another User, OU=Engineering, DC=company, DC=com

ok, so for the example on the page <http://workaround.org/moin/SquidLdap> i have created the ldif:

DN: CN=googleallowed, OU=Proxygroups, DC=company
CN: googleallowed
objectClass: groupOfNames
member: CN=Tim, OU=IT-Services, DC=company
member: CN=Tina, OU=Management, DC=company

is this correct?

so when i first try to surf the web, my browser comes up with a username/password http-authentication window. if i enter Tim/Timspassword there, the squid_ldap_group should check in the LDAP-Database if Tim belongs to a certain group. But how do i tell the program which group i want?

what does the %a parameter mean in here exactly, or rather where does it come from and with what does it get filled?

> external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b o=Company
> -f (&(objectclass=person)(cn=%v)(groupMembership=cn=%a,ou=Proxygroups,o=Company))
> -D cn=Tim,ou=IT-Services,o=Company -w timspassword -h ldapserver

the %LOGIN is the username "Tim" which i enter in my browser, also the parameter %v, but how does it select the actual group where i want to check if "CN=Tim, OU=IT-Services, DC=company" actually is a member? I have to submit the groupname "googlegroups" somehow, but i am missing this step....

or does the acl line:

> acl ldapgroup-googleallowed external ldapgroup googleallowed

does this very checking against the group "googleallowed"? since it's using ldapgroup which again derives from external_acl_type ldapgroup %LOGIN....

Thanks already.

Regards.
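An added illustration (not part of the original message, and not Squid's own code) of where %v and %a come from: Squid hands the helper one line holding the %LOGIN value followed by the arguments of the acl line, and squid_ldap_group substitutes the user name for %v and the requested group name for %a in the -f filter. The function names, the whitespace-separated URL-escaped token format and the RFC 4515 escaping are assumptions of this example.

```python
import re
from urllib.parse import unquote

# -f filter copied from the external_acl_type line quoted in the message.
FILTER = ("(&(objectclass=person)(cn=%v)"
          "(groupMembership=cn=%a,ou=Proxygroups,o=Company))")

def escape_filter_value(value):
    """Escape filter metacharacters per RFC 4515 (filter layer only;
    DN-level escaping of the group name is not shown)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c
                   for c in value)

def parse_request(line):
    """Split one request line into (user, [groups]).
    Assumption: tokens are whitespace-separated and URL-escaped."""
    tokens = [unquote(t) for t in line.split()]
    if len(tokens) < 2:
        raise ValueError("expected: <user> <group> [<group> ...]")
    return tokens[0], tokens[1:]

def build_filters(line, template=FILTER):
    """Return one expanded search filter per requested group."""
    user, groups = parse_request(line)
    filters = []
    for group in groups:
        values = {"%v": escape_filter_value(user),
                  "%a": escape_filter_value(group)}
        # Single pass, so a substituted value is never re-expanded.
        filters.append(re.sub(r"%[va]", lambda m: values[m.group(0)], template))
    return filters

if __name__ == "__main__":
    # Constructed request: %LOGIN value "Tim", then the argument of
    # "acl ldapgroup-googleallowed external ldapgroup googleallowed".
    for f in build_filters("Tim googleallowed"):
        print(f)
```

Escaping the login name before substitution keeps a user-supplied value such as `*` from widening the membership search.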