Hi there,

I've tried this a couple of different ways without any success. I have squid_ldap_group working fine if the user queried is a member of the listed group, but if I try to pick up the user by reference (putting a group containing that user within the effective group), it fails. Users are authenticated via squid_ldap_auth without any trouble.

Here's the use case: acl to prevent unauthorized users from accessing the web, adding users to specific groups gives them access to specific websites or the entire Internet. Since we have a few hundred users, adding each one individually to whichever group they need to be in is not practical.

Right now, it works fine if I put the acl groups in the Users container or create a top-level OU and put the groups in there, but iff the user is directly a member of the acl group. What I need to do is be able to use nested groups. (Sorry, it looks like I've stated this two different ways)

Here's the relevant portion of squid.conf. Our DC is Win2k server (for now at least), proxy box is running squid 2.6 on CentOS, but have repeated the problem with squid 3.0 on Debian:

Group lookup:

    external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group \
        -b "dc=example,dc=com" \
        -D "cn=lookupuser,cn=Users,dc=example,dc=com" \
        -w "password" \
        -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=WebAccess,dc=example,dc=com))" \
        -h ldapserver

And one of the ACLs:

    acl AllWebAccess external InetGroup allweb
    http_access allow AllWebAccess

I'd rather use LDAP for this than winbind for various reasons.

Thanks in advance,
Mike Ely
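
Added example (not part of the original message, and not Squid's or the helper's own code): Active Directory's memberOf attribute lists only the groups an object belongs to directly, so the filter above cannot match a user who reaches the ACL group through another group. The sketch below contrasts that direct test with a transitive walk, answering in the OK/ERR form an external ACL helper returns. The directory contents, the names alice, bob, carol, staff, loop-a and loop-b, the login-to-cn mapping and the plain whitespace parsing of the request line are all assumptions made for illustration.

```python
from collections import deque

# Constructed sample data (not from a real directory): each DN maps to the
# groups it is a DIRECT member of, like Active Directory's memberOf attribute.
ACL_OU = "ou=webaccess,dc=example,dc=com"
USERS = "cn=users,dc=example,dc=com"
MEMBER_OF = {
    f"cn=alice,{USERS}": [f"cn=allweb,{ACL_OU}"],   # direct member
    f"cn=bob,{USERS}": [f"cn=staff,{USERS}"],       # member only via staff
    f"cn=staff,{USERS}": [f"cn=allweb,{ACL_OU}"],   # staff nested in allweb
    f"cn=carol,{USERS}": [f"cn=loop-a,{USERS}"],    # only in a group cycle
    f"cn=loop-a,{USERS}": [f"cn=loop-b,{USERS}"],
    f"cn=loop-b,{USERS}": [f"cn=loop-a,{USERS}"],
}


def user_dn(login):
    # Assumption: the login name equals the cn; a real lookup would search
    # on sAMAccountName first.
    return f"cn={login.lower()},{USERS}"


def direct_match(login, group):
    """What the (memberof=cn=%a,ou=WebAccess,...) filter tests."""
    return f"cn={group.lower()},{ACL_OU}" in MEMBER_OF.get(user_dn(login), [])


def nested_match(login, group):
    """Walk memberOf transitively; the seen set stops group cycles."""
    target = f"cn={group.lower()},{ACL_OU}"
    seen, queue = set(), deque([user_dn(login)])
    while queue:
        dn = queue.popleft()
        for parent in MEMBER_OF.get(dn, []):
            if parent == target:
                return True
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return False


def helper_reply(line, check=nested_match):
    """Answer one 'login group [group ...]' request line with OK or ERR."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"  # malformed request: deny
    login, groups = fields[0], fields[1:]
    return "OK" if any(check(login, g) for g in groups) else "ERR"
```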