No, it does not work without an ou-part (what I had tried before):

  /usr/local/squid/libexec/squid_ldap_auth \
    -h ldapserver \
    -D "cn=adminaccount,ou=Service Accounts,ou=_SiteMgmt,ou=BNN,ou=DE,dc=emea,dc=company,dc=com" \
    -w "topsecret" \
    -b "dc=emea,dc=company,dc=com" \
    -f sAMAccountName=%s

gives the error message

  squid_ldap_auth: WARNING, LDAP search error 'Operations error'
  ERR Success

Any ideas?

Werner Rost

>>> squid_ldap_auth (of Squid 2.5 Stable 12) works fine with this script:
>>>
>>> /usr/local/squid/libexec/squid_ldap_auth \
>>>   -h ldapserver \
>>>   -D "cn=adminaccount,ou=Service Accounts,ou=_SiteMgmt,ou=BNN,ou=DE,dc=emea,dc=company,dc=com" \
>>>   -w "topsecret" \
>>>   -b "ou=DE,dc=emea,dc=company,dc=com" \
>>>   -f sAMAccountName=%s
>>>
>>> But our AD structure looks like:
>>>
>>> emea.company.com
>>>   CH
>>>   CZ
>>>   DE
>>>   DK
>>>   ES
>>>   ...
>>>
>>>
>>> The script above should say "OK" if the user is valid in ou=DE or
>>> ou=CH or ou=CZ or ...
>>>
>>> I guess I need an intelligent filter "-f" to do this. Any ideas?
>>
>>
>>Should work by just moving up the base DN to
>>"dc=emea,dc=company,dc=com". This will search in all the ou:s
>>in the LDAP tree.
>>
>>To ensure there are no mistakes I would make the filter a
>>little more explicit, only looking for user objects.
>>Unfortunately I do not remember the objectClass used in AD
>>for normal users... but it will work either way (just that
>>without this it is technically possible to log on using a
>>workstation account or similar provided you can guess the password..)
>>
>>Regards
>>Henrik
>>
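The point about restricting the filter to user objects, as an added example that is not part of the original thread: it substitutes a login into three filter templates and evaluates them against two constructed entries, showing that in Active Directory objectClass=user alone still matches a workstation account and that objectCategory=person is what excludes it. The entries, the names jdoe and WS01$, the helper functions and the RFC 4515 escaping step are assumptions made for illustration.

```python
import re

# Constructed sample entries (not from the thread). In AD a computer object
# also carries objectClass "user"; only objectCategory tells the two apart.
# objectCategory is stored here by its short name, as filters accept it.
ENTRIES = [
    {"sAMAccountName": "jdoe", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"sAMAccountName": "WS01$", "objectCategory": "computer",
     "objectClass": ["top", "person", "organizationalPerson", "user",
                     "computer"]},
]

BARE = "sAMAccountName=%s"  # the filter used in the thread
CLASS_ONLY = "(&(objectClass=user)(sAMAccountName=%s))"
EXPLICIT = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))"


def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a login stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template, login):
    """Fill the %s placeholder of a -f style template with the escaped login."""
    return template.replace("%s", escape_filter_value(login))


def matches(filter_str, entry):
    """Evaluate an AND-only equality filter, the only shape used here."""
    for attr, raw in re.findall(r"(\w+)=([^()]*)", filter_str):
        want = re.sub(r"\\([0-9a-fA-F]{2})",
                      lambda m: chr(int(m.group(1), 16)), raw).lower()
        have = entry.get(attr, [])
        have = have if isinstance(have, list) else [have]
        if want not in (h.lower() for h in have):
            return False
    return True


def candidates(template, login):
    """Names of the entries a password check would then be tried against."""
    flt = build_filter(template, login)
    return [e["sAMAccountName"] for e in ENTRIES if matches(flt, e)]


if __name__ == "__main__":
    for name, tpl in (("bare", BARE), ("class", CLASS_ONLY), ("explicit", EXPLICIT)):
        print(name, candidates(tpl, "WS01$"), candidates(tpl, "jdoe"))
```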