Hi Erwann, Sorry I forgot to specify that I have got an http_access rule below which does work, I can authenticate when using only the username and password in AD but not when using domain\username. http_access allow InetAccess Clayton York -----Original Message----- From: Erwann PENCREACH [mailto:erwann.pencreach@xxxxxxxxxxxxxx] Sent: Friday, July 10, 2009 1:38 PM To: squid-users@xxxxxxxxxxxxxxx Subject: Re: Help Please : NT Domain name stripping in squid_ldap_group Hi, there is no access rule below You need at least one to grant or deny access for instance this is one of mine : #### external_acl_type loggeduser %DST %SRC /squid_script_path/loggeduser_acl.sh acl isok external loggeduser http_access allow isok ### where /squid_script_path/loggeduser_acl.sh get uid of the user logged on %SRC (ask samba to tell), check acces type to the internet defined in a ldap directory then return OK or KO depending on the url and the effective rights Clayton York a écrit : > Hi All, > > > I am a newbie to Linux and squid and require some assistance please. > > I am running a server on CENTOS release 5.2 (Final), and have configured squid (2.6.STABLE21-3) for ldap group authentication with Active Directory. > I have seen in the man page for the squid_ldap_group there is an -S option to strip the NT domain name from the username. I have added the -S to our squid.conf file, squid_ldap_group section however this does not seem to strip the domain name as from the access.log file I can see that squid still passes the domain\username through to AD which then fails. > > Please find my squid authentication configuration below. > > auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=domnet,dc=bbd,dc=co,dc=za" -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w "password" -f sAMAccountName=%s -h 10.3.1.216 > auth_param basic children 5 > auth_param basic realm Your Organisation Name > auth_param basic credentialsttl 1 hour > > > external_acl_type InetGroup ttl=60 %LOGIN > /usr/lib64/squid/squid_ldap_group -R -b "dc=domnet,dc=bbd,dc=co,dc=za" > -D "cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za" -w > "password" -f "(&(objectclass=person)(sAMAccountName=%v) > (memberof=cn=%a,ou=SquidUsers,dc=bbdnet,dc=bbd,dc=co,dc=za))" -S -h > 10.3.1.216 > > > acl InetAccess external InetGroup SquidUsersAllow > > > Please if anyone has any insight into what I might be missing please let me know. > > > Thank you, > > Clayton York > -- > Ce courrier électronique a été vérifié et est exempt de virus connus à ce jour. > Contactez votre administrateur pour plus de renseignement. > postmaster@xxxxxxxxxxxxxx -- Ce courrier ÿlectronique a ÿtÿ vÿrifiÿ et est exempt de virus connus ÿ ce jour. Contactez votre administrateur pour plus de renseignement. postmaster@xxxxxxxxxxxxxx
