No, it does not work without an ou-part (what I had tried before):
/usr/local/squid/libexec/squid_ldap_auth \
-h ldapserver \
-D "cn=adminaccount,ou=Service Accounts,ou=_SiteMgmt,ou=BNN,ou=DE,dc=emea,dc=company,dc=com" \
-w "topsecret" \
-b "dc=emea,dc=company,dc=com" \
-f sAMAccountName=%s
gives the error message
squid_ldap_auth: WARNING, LDAP search error 'Operations error'
ERR Success
Any ideas?
Werner Rost
>>> squid_ldap_auth (of Squid 2.5 Stable 12) works fine with
>>this script:
>>>
>>> /usr/local/squid/libexec/squid_ldap_auth \
>>> -h ldapserver \
>>> -D "cn=adminaccount,ou=Service
>>Accounts,ou=_SiteMgmt,ou=BNN,ou=DE,dc=emea,dc=company,dc=com" \
>>> -w "topsecret" \
>>> -b "ou=DE,dc=emea,company,dc=com" \
>>> -f sAMAccountName=%s
>>>
>>> But our AD structure looks like:
>>>
>>> emea.company.com
>>> CH
>>> CZ
>>> DE
>>> DK
>>> ES
>>> ...
>>>
>>>
>>> The script above should say "OK" if the user is valid in ou=DE or
>>> ou=CH or ou=CZ or ...
>>>
>>> I guess I need an intelligent filter "-f" to do this. Any ideas?
>>
>>
>>Should work by just moving up the base DN to
>>"dc=emea,dc=company,dc=com". This will search in all the ou:s
>>in the LDAP tree.
>>
>>To ensure there is no mistakes I would make the filter a
>>little more explicit, only looking for user objects.
>>Unfortunately I do not remember the objectClass used in AD
>>for normal users... but it will work either way (just that
>>without this it is technically possible to log on using a
>>workstation account or similar provided you can guess the password..)
>>
>>Regards
>>Henrik
>>
