Groups in LDAP


Hello everyone:

I'm a newbie using Squid and I have my first question in this forum...

I'm trying to authenticate my users and groups against OpenLDAP...

Explaining:

I have three groups and their users are:

- administrators [adm1,adm2] (they must have no restrictions).
- supervisors [sup1,sup2] (they can't see some web pages).
- users [user1,user2] (they can only browse the web, not MSN, Yahoo or
similar applications).

My slapd.conf has:

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
loglevel        256
pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args
backend         bdb
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          gohan
directory       /var/example.com
index           objectClass     eq
access to *
        by * read

And my squid.conf has:

...
auth_param basic program /usr/local/squid/libexec/ldap_auth
external_acl_type ldap_group %LOGIN /usr/local/squid/libexec/squid_ldap_group -R -D "cn=admin,dc=example,dc=com" -w gohan -b "dc=example,dc=com" -f "uid=%v" -s sub -v 3 -g "ou=%g" 127.0.0.1
...
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl users proxy_auth REQUIRED
acl outside external ldap_group users <--- this is one of my groups that I wanna test
...
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow outside
http_access deny all
...

However, when I try to connect using a browser I see the dialog window
asking me for a username/password. With user1/user1 everything is fine,
but if I give a different user, for example sup1/sup1 (this user is from
supervisors, which isn't allowed), it says it is correct :S

I have ldap_auth and squid_ldap_group scripts:

ldap_auth:

/usr/local/squid/libexec/squid_ldap_auth -R -D cn=admin,dc=example,dc=com -w gohan -b dc=example,dc=com -s sub -v 3 -f "(uid=%s)" -h 127.0.0.1

and squid_ldap_group which is a binary compiled with squid.

I'm doing something wrong, but I don't know what it is. Am I missing some
configuration? :S

Could somebody help me please...

-- 
Omar M
omargohan@xxxxxxxxx
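
Editor's added example (not part of the original post, and not Squid's own code): a small Python model of a group-lookup filter, showing why a filter such as "uid=%v" that never mentions the group matches any existing user, while a filter that names both the group and the member does not. The directory entries, the groupOfNames layout, the ou=people branch and the %a group placeholder are assumptions made for the illustration; the -g option from the post is not modelled.

```python
# Added illustration; DIRECTORY is constructed sample data, not Omar's tree.
# Assumption: the helper substitutes %v (login) and %a (group) into the -f
# filter and answers OK when the search returns at least one entry.
DIRECTORY = [  # attribute -> list of values
    {"objectClass": ["inetOrgPerson"], "uid": ["user1"]},
    {"objectClass": ["inetOrgPerson"], "uid": ["sup1"]},
    {"objectClass": ["groupOfNames"], "cn": ["users"],
     "member": ["uid=user1,ou=people,dc=example,dc=com"]},
    {"objectClass": ["groupOfNames"], "cn": ["supervisors"],
     "member": ["uid=sup1,ou=people,dc=example,dc=com"]},
]

def split_terms(body):
    """Split '(a)(b)(c)' into ['(a)', '(b)', '(c)'], honouring nesting."""
    terms, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                terms.append(body[start:i + 1])
    return terms

def matches(entry, flt):
    """Evaluate a filter limited to &, | and equality against one entry."""
    flt = flt.strip()
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]
    if flt[0] in "&|":
        results = [matches(entry, t) for t in split_terms(flt[1:])]
        return all(results) if flt[0] == "&" else any(results)
    attr, _, value = flt.partition("=")  # split on the first '=' only
    return value.lower() in [v.lower() for v in entry.get(attr, [])]

def group_check(template, user, group):
    """Return the modelled verdict ('OK' or 'ERR') for one user/group pair."""
    # A real helper must also escape filter metacharacters in the login name.
    flt = template.replace("%v", user).replace("%a", group)
    return "OK" if any(matches(e, flt) for e in DIRECTORY) else "ERR"

FROM_POST = "uid=%v"  # filter from the post: the group is never referenced
WITH_GROUP = ("(&(objectClass=groupOfNames)(cn=%a)"
              "(member=uid=%v,ou=people,dc=example,dc=com))")

if __name__ == "__main__":
    for user in ("user1", "sup1"):  # ask about membership of "users"
        print(user, *(group_check(t, user, "users") for t in (FROM_POST, WITH_GROUP)))
```

With the first filter both logins come back OK for the group "users"; with the second only user1 does.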

