> Greetings,
>
> Have a bit of a problem trying to get Squid authentication working against
> a Lotus Domino LDAP directory. The actual authentication part is OK, if I
> want everyone in my Domino directory to have access through Squid it is
> not a problem, the real issue arises when I try to filter it based on
> group membership.
>
> I have been through all the past mailing list articles in regards to this
> topic, and I've tried a whole bunch of different things, and I'm not
> having any luck (my LDAP skills are weak)
>
> Taking a step back, what I'm actually trying to achieve here is single
> sign on between IBM WebSphere Portal 6.0 and Squid (2.5.STABLE3), so that

Step 1) upgrade your squid to latest release. 2.5 is way obsolete.

> after my users sign on to Portal, they are not prompted for their internet
> password when they try to visit external sites linked from the portal.
> WebSphere is already using the Domino LDAP for user authentication, so I
> figured that getting the 2 apps authenticating from the same place is a
> good start.
>
> Please find below the relevant pieces of my current squid.conf, if anyone
> could shed any light as to what I'm doing incorrectly here, it would be
> greatly appreciated.
>
> --------------------------------------
> # TAG: auth_param
>
> auth_param basic program /usr/lib/squid/squid_ldap_auth -b "" -f uid=%s xx.xx.xx.xx
> --------------------------------------
> # TAG: external_acl_type
>
> external_acl_type inetusers %LOGIN /usr/lib/squid/squid_ldap_group -b "" -f "(&(cn=%g)(objectClass=groupOfNames)(member=%u))" -F "(&(uid=%s)(objectClass=Person))" xx.xx.xx.xx
> --------------------------------------
> # TAG: acl
>
> acl ldap_password proxy_auth required
> acl inet_users external inetusers ProxyUsers
> --------------------------------------
> # TAG: http_access
>
> http_access allow inet_users
> http_access allow localhost
> http_access deny all
> --------------------------------------
>
> I hope that this is enough information to show what it is that I am doing,
> I'm pretty sure those are all the relevant bits. Note that without the
> external ACL, the authentication works perfectly. I would like to restrict
> access to members of the LDAP group "ProxyUsers".
>
> I look forward to any assistance.
>
> Regards,
>
> Chris Mitchell