> Happy to do it if it'll make this exercise easier, any particular reason
> why ?

I already mentioned 2.5 being obsolete.
Support, Security, Speed, Stability, Simplicity for a few more.

- Most of the people you will find providing support do so for 2.6/3.0 now.
- There are large known security holes in 2.5 and early 2.6's.
- There has been a lot more work done on bugfixing, speed, memory, and disk usage optimisations across the 2.6 lifecycle.
- The 2.6 has also had a fair bit of work done making the squid.conf more usable. And the official config examples are now only provided in 2.6/3.0. Though it's not entirely there yet.

Making the later 2.6 squid a better proposition than 2.5.

Amos

>
> Regards,
>
> Chris Mitchell
>
> On Fri, 30 Nov 2007, Amos Jeffries wrote:
>
>>>
>>> Greetings,
>>>
>>> Have a bit of a problem trying to get Squid authentication working
>>> against a Lotus Domino LDAP directory. The actual authentication part
>>> is OK, if I want everyone in my Domino directory to have access through
>>> Squid it is not a problem, the real issue arises when I try to filter it
>>> based on group membership.
>>>
>>> I have been through all the past mailing list articles in regards to
>>> this topic, and I've tried a whole bunch of different things, and I'm
>>> not having any luck (my LDAP skills are weak)
>>>
>>> Taking a step back, what I'm actually trying to achieve here is single
>>> sign on between IBM Websphere Portal 6.0 and Squid (2.5.STABLE3), so
>>> that
>>
>> Step 1) upgrade your squid to latest release. 2.5 is way obsolete.
>>
>>> after my users sign on to Portal, they are not prompted for their
>>> internet password when they try to visit external sites linked from the
>>> portal. Websphere is already using the Domino LDAP for user
>>> authentication, so I figured that getting the 2 apps authenticating from
>>> the same place is a good start.
>>>
>>> Please find below the relevant pieces of my current squid.conf, if
>>> anyone could shed any light as to what I'm doing incorrectly here, it
>>> would be greatly appreciated.
>>>
>>> --------------------------------------
>>> # TAG: auth_param
>>>
>>> auth_param basic program /usr/lib/squid/squid_ldap_auth -b "" -f uid=%s xx.xx.xx.xx
>>> --------------------------------------
>>> # TAG: external_acl_type
>>>
>>> external_acl_type inetusers %LOGIN /usr/lib/squid/squid_ldap_group -b "" -f "(&(cn=%g)(objectClass=groupOfNames)(member=%u))" -F "(&(uid=%s)(objectClass=Person))" xx.xx.xx.xx
>>> --------------------------------------
>>> # TAG: acl
>>>
>>> acl ldap_password proxy_auth required
>>> acl inet_users external inetusers ProxyUsers
>>> --------------------------------------
>>> # TAG: http_access
>>>
>>> http_access allow inet_users
>>> http_access allow localhost
>>> http_access deny all
>>> --------------------------------------
>>>
>>> I hope that this is enough information to show what it is that I am
>>> doing, I'm pretty sure those are all the relevant bits. Note that
>>> without the external ACL, the authentication works perfectly. I would
>>> like to restrict access to members of the LDAP group "ProxyUsers".
>>>
>>> I look forward to any assistance.
>>>
>>> Regards,
>>>
>>> Chris Mitchell
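
The two-step lookup that the -F and -f filters in the quoted squid.conf describe, as an added example that is not part of the original thread or of Squid's own code. It assumes the substitution rules given in the squid_ldap_group documentation (%s is the login name, %g the group, %u the user DN when -F is used; not confirmed here for 2.5.STABLE3), escapes values per RFC 4515 so a login name cannot alter the filter, and uses a constructed login name and DN.

```python
# Added example: expand squid_ldap_group-style filter templates so the
# resulting LDAP filters can be compared against the directory's contents.
# Placeholder semantics are assumed from the helper's documentation.

USER_FILTER = "(&(uid=%s)(objectClass=Person))"                   # -F in the post
GROUP_FILTER = "(&(cn=%g)(objectClass=groupOfNames)(member=%u))"  # -f in the post

# RFC 4515 escapes for characters that have meaning inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    """Escape filter metacharacters in an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template, values):
    """Replace %<letter> placeholders; '%%' yields a literal '%'."""
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            key = template[i + 1]
            if key == "%":
                out.append("%")
            elif key in values:
                out.append(ldap_escape(values[key]))
            else:
                raise ValueError("unknown placeholder %" + key)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def user_search_filter(login):
    """Step 1: filter used to find the user's entry (and so its DN)."""
    return expand(USER_FILTER, {"s": login})


def group_search_filter(group, user_dn):
    """Step 2: filter that matches only if the DN is a member of the group."""
    return expand(GROUP_FILTER, {"g": group, "u": user_dn})


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(user_search_filter("cmitchell"))
    print(group_search_filter("ProxyUsers", "CN=Chris Mitchell,O=Example"))
```

Running each printed filter through an LDAP search against the directory shows which of the two steps returns no entry.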