Hi,
there is no access rule below.
You need at least one to grant or deny access.
For instance, this is one of mine:
####
external_acl_type loggeduser %DST %SRC /squid_script_path/loggeduser_acl.sh
acl isok external loggeduser
http_access allow isok
###
where /squid_script_path/loggeduser_acl.sh
gets the uid of the user logged on %SRC (asks Samba to tell), checks the access type
to the internet defined in an LDAP directory,
then returns OK or KO depending on the URL and the effective rights.
Clayton York wrote:
Hi All,
I am a newbie to Linux and squid and require some assistance please.
I am running a server on CENTOS release 5.2 (Final), and have configured squid (2.6.STABLE21-3) for ldap group authentication with Active Directory.
I have seen in the man page for squid_ldap_group that there is an -S option to strip the NT domain name from the username. I have added the -S to the squid_ldap_group section of our squid.conf file; however, this does not seem to strip the domain name, as from the access.log file I can see that squid still passes the domain\username through to AD, which then fails.
Please find my squid authentication configuration below.
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f sAMAccountName=%s -h 10.3.1.216
auth_param basic children 5
auth_param basic realm Your Organisation Name
auth_param basic credentialsttl 1 hour
external_acl_type InetGroup ttl=60 %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%a,ou=SquidUsers,dc=bbdnet,dc=bbd,dc=co,dc=za))" -S -h 10.3.1.216
acl InetAccess external InetGroup SquidUsersAllow
Please if anyone has any insight into what I might be missing please let me know.
Thank you,
Clayton York
--
This e-mail has been scanned and is free of viruses known to date.
Contact your administrator for more information.
postmaster@xxxxxxxxxxxxxx
begin:vcard
fn:Erwann Pencreach
n:Pencreach;Erwann
org:Centre Hospitalier de Chaumont;Service Informatique
adr;dom:;;2 rue Jeanne D'arc;Chaumont;;52000
email;internet:erwann.pencreach@xxxxxxxxxxxxxx
title:Technicien Informatique
tel;work:0325357321
tel;fax:0325030674
x-mozilla-html:FALSE
version:2.1
end:vcard
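
The kind of helper described in the reply above, as an added example that is not the poster's script: the Samba session lookup and the LDAP rights lookup are replaced by constructed inline tables, and every name, address and access type here is hypothetical. It replies with OK or ERR, the result codes Squid's external ACL helper protocol accepts, and denies whenever a lookup comes back empty.

```shell
#!/bin/sh
# Added example: helper for a rule of the form
#   external_acl_type loggeduser %DST %SRC /path/to/this_helper
# Squid writes one "%DST %SRC" line per request and reads one reply line back.
# The tables below are constructed sample data standing in for Samba and LDAP.
SESSIONS='10.0.0.21 alice
10.0.0.22 bob'                  # client IP -> user logged on at that IP
RIGHTS='alice full
bob restricted'                 # user -> access type held in the directory
ALLOWED='intranet.example.org
www.example.org'                # hosts open to "restricted" users

# lookup KEY TABLE: print the second column of the first row whose key matches
lookup() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# decide DST SRC: print OK or ERR; any failed lookup denies (fail closed)
decide() {
    d_user=$(lookup "$2" "$SESSIONS")
    [ -n "$d_user" ] || { echo ERR; return 0; }
    d_access=$(lookup "$d_user" "$RIGHTS")
    case $d_access in
        full) echo OK ;;
        restricted)
            if printf '%s\n' "$ALLOWED" | grep -Fxq -- "$1"; then
                echo OK
            else
                echo ERR
            fi ;;
        *) echo ERR ;;          # no rights entry, or an unknown access type
    esac
}

# helper_loop: answer requests from stdin until Squid closes the pipe
helper_loop() {
    while read -r h_dst h_src h_rest; do
        decide "$h_dst" "$h_src"
    done
}

# Constructed requests; a deployed helper would end with a bare "helper_loop".
printf '%s\n' 'www.example.org 10.0.0.21' 'files.example.net 10.0.0.22' \
    'www.example.org 10.0.0.99' | helper_loop
```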