CsY wrote:
> where cn=doe in user in internet group?
> And what way could I use, when I have 200 internet user in 500 users
> network?
> I think, I put all needed user in internet group, and this will work.
> any idea?
>
> thanks
>

The helper uses the base DN (-b option) as a root to create the query (-f option). In your config:

>>>>> auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b
>>>>> "ou=peoples,dc=mydomain,dc=com" ldap
>>>>>
>>>>> external_acl_type ldap_group %LOGIN
>>>>> /usr/lib/squid/squid_ldap_group -ZZ
>>>>> -b "cn=netgroup,ou=groups,dc=mydomain,dc=com" -f
>>>>> "(&(objectclass=posixGroup)(cn=%a)(member=%v))" -B
>>>>> "ou=peoples,dc=mydomain,dc=com" -F uid="%s" -w pass
>>>>> serveraddress:serverport
>>>>>
>>>>> acl password proxy_auth REQUIRED
>>>>> acl password_group external ldap_group internet
>>>>>
>>>>

the helper will search something like "cn=doe,cn=netgroup,ou=groups,dc=mydomain,dc=com". But if I remember, it is impossible to have more than one cn in a DN.

Something like

    -b "ou=groups,dc=mydomain,dc=com" -f "(&(objectclass=posixGroup)(cn=%g)(member=%u))"

and the declaration would be:

    acl password_group external ldap_group netgroup

Then LDAP will search an object named "cn=netgroup,ou=groups,dc=mydomain,dc=com" with an attribute "member=%LOGIN" of type "posixGroup".

Look at the thread:
http://www.mail-archive.com/squid-users@xxxxxxxxxxxxxxx/msg33711.html

Regards.

Ghislain Garçon.
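
A simplified model of the group check discussed in this message, added here as an illustration; it is not code from the thread or from Squid. The directory entries, the helper names `search` and `in_group`, and the user filter form `(uid=%s)` are assumptions, and the login is escaped per RFC 4515 before it is placed in a filter.

```python
import re

# Constructed sample directory (DN -> attributes); values are illustrative only.
DIRECTORY = {
    "uid=doe,ou=peoples,dc=mydomain,dc=com": {"uid": ["doe"]},
    "uid=smith,ou=peoples,dc=mydomain,dc=com": {"uid": ["smith"]},
    "ou=groups,dc=mydomain,dc=com": {"ou": ["groups"]},
    "cn=netgroup,ou=groups,dc=mydomain,dc=com": {
        "objectclass": ["posixGroup"], "cn": ["netgroup"],
        "member": ["uid=doe,ou=peoples,dc=mydomain,dc=com"]},
}

def escape(value):
    """RFC 4515 escaping so a login cannot alter the filter structure."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def unescape(value):
    """Turn \\XX escapes back into the literal character for comparison."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def search(base, flt):
    """Subtree search under base for a filter that is an AND of equality tests."""
    tests = [(a.lower(), unescape(v))
             for a, v in re.findall(r'\(([\w-]+)=([^()]*)\)', flt)]
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base))
            and all(v in attrs.get(a, []) for a, v in tests)]

def in_group(login, group, group_base, group_filter,
             user_base="ou=peoples,dc=mydomain,dc=com", user_filter="(uid=%s)"):
    """Resolve the login to a user DN, then look for a matching group entry."""
    users = search(user_base, user_filter.replace("%s", escape(login)))
    if len(users) != 1:          # unknown or ambiguous login: deny
        return False
    flt = group_filter.replace("%g", escape(group)).replace("%u", escape(users[0]))
    return bool(search(group_base, flt))

FILTER = "(&(objectclass=posixGroup)(cn=%g)(member=%u))"
```

With the base set to the group entry itself and the ACL asking for "internet", nothing matches; with the base at ou=groups and the ACL asking for "netgroup", the member is found.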