Hi Mike,

you have to connect to the LDAP server on port 3268 instead of the default port 389 (-h) and change the basedn where to search for the accounts (-b) to "dc=domain,dc=com".

It should look like:

    auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=domain,dc=com" -D "cn=-LDAP-Read Account,ou=Users,dc=a,dc=domain,dc=com" -w bindpassword -f sAMAccountName=%s -h 1.2.3.4:3268

instead of

    auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "ou=Company Users,dc=a,dc=domain,dc=com" -D COMPANY\\binduser -w bindpassword -f sAMAccountName=%s -h 1.2.3.4

It will/should find any user in any container of the domains. The trusts are needed as well, but you already told that they are configured. The different syntax for the binddn (-D) should not be relevant.

Best regards,
Martin

Mike Barnard <mike.barnardq@xxxxxxxxx>
13.01.2010 07:14

To: Tom Tux <tomtux80@xxxxxxxxx>, squid-users@xxxxxxxxxxxxxxx
Cc:
Subject: Re: proxy auth using AD

forgot to cc the list...

Hi

> Perhaps you can use a domain-trust between a.domain.com and b.domain.com?
>

There is a trust between the two domains, but the OU structure is different.

a.domain.com has

OU=Sections
OU=Department
OU=Office Location
OU=Organisation Name

and the users in the different sections.

b.domain.com has

OU=Users
OU=Groups

If I were to query the AD that is master for a.domain.com, I will not get any results about anyone in b.domain.com since the structure is different. At the moment, a.domain.com trusts b.domain.com. Unless I am missing something here, if the OU structure differs, even if there is a trust, getting a user on b.domain.com will need a query different from a.domain.com.

--
Mike

Of course, you might discount this possibility, but remember that one in a million chances happen 99% of the time.

------------------------------------------------------------
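The following is an added illustration, not part of the thread and not Squid's code: a small in-memory model of why both the port and the base DN have to change, and of one case to check for once the search spans the whole forest. The directory entries are constructed sample data; that 1.2.3.4 is a domain controller of a.domain.com and that domain.com is the forest root are assumptions.

```python
# Added illustration, not from the thread. All entries are constructed sample data.
A_BASE = "ou=Company Users,dc=a,dc=domain,dc=com"   # old -b value
FOREST_BASE = "dc=domain,dc=com"                     # new -b value

# Assumption: 1.2.3.4 is a domain controller of a.domain.com. On 389 it serves
# only its own domain partition; on 3268 (Global Catalog) it serves a partial
# copy of every domain in the forest.
SERVED = {389: "dc=a,dc=domain,dc=com", 3268: FOREST_BASE}

ENTRIES = [
    ("cn=Alice,ou=Sections,ou=Company Users,dc=a,dc=domain,dc=com", "alice"),
    ("cn=J Smith,ou=Sections,ou=Company Users,dc=a,dc=domain,dc=com", "jsmith"),
    ("cn=Bob,ou=Users,dc=b,dc=domain,dc=com", "bob"),
    ("cn=Jane Smith,ou=Users,dc=b,dc=domain,dc=com", "jsmith"),
]

def rdns(dn):
    """Lower-cased RDN list (sample DNs contain no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_subtree(dn, base):
    """True when dn is at or below base, i.e. within subtree scope."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b

def search(port, base, account):
    """DNs matching sAMAccountName=<account> under base on the given port."""
    if not in_subtree(base, SERVED[port]):
        return []  # simplification: a real server answers with a referral
    return [dn for dn, sam in ENTRIES
            if in_subtree(dn, SERVED[port]) and in_subtree(dn, base)
            and sam == account.lower()]

def verdict(port, base, account):
    """Classify a lookup the way an operator would want to see it."""
    hits = search(port, base, account)
    # sAMAccountName is unique per domain, not per forest, so a forest-wide
    # search can return more than one entry for the same login name.
    return {0: "not found", 1: "ok"}.get(len(hits), "ambiguous")

if __name__ == "__main__":
    for port, base in ((389, A_BASE), (389, FOREST_BASE), (3268, FOREST_BASE)):
        for user in ("alice", "bob", "jsmith"):
            print(port, base, user, "->", verdict(port, base, user))
```

Changing only the base DN while staying on port 389 finds nobody in this model, and the forest-wide search on 3268 reports the constructed duplicate login "jsmith" as ambiguous.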