On Tue, 2006-08-01 at 17:46 +0200, Janco van der Merwe wrote:

> Under auth_param
> auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=dunns,dc=co,dc=za" -D "cn=ldapreader,cn=users,dc=dunns,dc=co,dc=za" -w "ldappassword" -f sAMAccountName=%s -h (IP of DC)
>
> Under External ACL
> external_acl_type internetusergroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=dunns,dc=co,dc=za" -D "cn=ldapreader,cn=users,dc=dunns,dc=co,dc=za" -w "ldappassword" -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=internetusers,OU=Dunns Groups,OU=Dunns,dc=dunns,dc=co,dc=za))" -h (IP of DC)

I would modify it like this:

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=dunns,dc=co,dc=za" -D "cn=ldapreader,cn=users,dc=dunns,dc=co,dc=za" -w "ldappassword" -f "(&(objectclass=person)(sAMAccountName=%s))" -h (IP of DC)

external_acl_type internetusergroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=dunns,dc=co,dc=za" -D "cn=ldapreader,cn=users,dc=dunns,dc=co,dc=za" -w "ldappassword" -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,OU=Dunns Groups,OU=Dunns,dc=dunns,dc=co,dc=za))" -h (IP of DC)

i.e. have the ObjectClass=person in the squid_ldap_auth filter to make sure logins are only possible to person objects, and use the %g for the group name in squid_ldap_group to allow the group name to be specified via the acl (as you also had done...)

acl internetgroup external usergroup internetusers

the ldappassword acl is not needed, unless you also have http_access rules which should apply to all authenticated users no matter if they are members of the internetusers group or not.

Regards
Henrik
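Added example, not part of the original message and not Squid's own code: a simplified Python model of what the two filter changes above do to the LDAP search result. The directory entries, the `dc=example,dc=test` DNs and all function names are constructed for illustration, and the matcher only understands an AND of equality tests, standing in for the directory server.

```python
import re

# Constructed directory (hypothetical entries, not from the thread).
BASE = "dc=example,dc=test"
ALICE, BOB = f"cn=Alice,cn=users,{BASE}", f"cn=Bob,cn=users,{BASE}"
NETGRP = f"cn=internetusers,ou=groups,{BASE}"
DIRECTORY = [
    {"dn": ALICE, "objectclass": ["person", "user"],
     "samaccountname": ["alice"], "memberof": [NETGRP]},
    {"dn": BOB, "objectclass": ["person", "user"],
     "samaccountname": ["bob"], "memberof": [f"cn=staff,ou=groups,{BASE}"]},
    {"dn": NETGRP, "objectclass": ["group"],
     "samaccountname": ["internetusers"], "memberof": []},
]

ORIGINAL_AUTH = "sAMAccountName=%s"
REVISED_AUTH = "(&(objectclass=person)(sAMAccountName=%s))"
GROUP = f"(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=groups,{BASE}))"

def escape(value):
    """RFC 4515 escaping so a substituted value cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def unescape(value):
    """Reverse escape() so the model compares the literal value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def expand(template, user, group=""):
    """Fill %s / %u (login name) and %g (group name) in a single pass."""
    values = {"s": user, "u": user, "g": group}
    return re.sub(r"%([sug])", lambda m: escape(values[m.group(1)]), template)

def search(filter_str, entries=DIRECTORY):
    """Return DNs matching an AND of equality tests (the only form used here)."""
    if not filter_str.startswith("("):
        filter_str = f"({filter_str})"
    tests = [(a.lower(), unescape(v).lower())
             for a, v in re.findall(r"\(([^()=&]+)=([^()]*)\)", filter_str)]
    return [e["dn"] for e in entries
            if all(v in (x.lower() for x in e.get(a, [])) for a, v in tests)]

if __name__ == "__main__":
    for tmpl in (ORIGINAL_AUTH, REVISED_AUTH):
        print(tmpl, "->", search(expand(tmpl, "internetusers")))
    for user, group in (("alice", "internetusers"), ("bob", "internetusers"), ("bob", "staff")):
        print(user, group, "->", search(expand(GROUP, user, group)))
```

With the bare `sAMAccountName=%s` filter the login name `internetusers` resolves to the group object; with the `objectclass=person` clause it resolves to nothing, and the `%g` template answers membership for any group named in an acl line.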