On Mon, 1 Feb 2010 12:53:16 +0000, "Joseph L. Casale" <jcasale@xxxxxxxxxxxxxxxxx> wrote:
>>Perhaps the fact that Kerberos works with anonymous binary blobs? no
>>username in sight.
>
> You have to pardon me, I am not familiar enough with the inner workings
> of Kerberos to understand what a binary blob is wrt to Kerberos:)
>
>>Or if not that, something in the elided section "<...>".
>
> I omitted it as it worked from the cli, but possibly something in the
> syntax when used in the conf file is wrong (wrapped intentionally here)?
>
> external_acl_type ldapgroup %LOGIN /usr/lib64/squid/squid_ldap_group -R
> -b "DC=domain,DC=local" -D "CN=LDAP,CN=Users,DC=domain,DC=local"
> -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)
> (memberof=cn=%a,CN=Users,DC=domain,DC=local))" -h 10.0.0.2
>
>>The bare http_access logic is fine but assumes the LDAP group helper can
>>handle what Kerberos uses for a username.
>
> Is there a way to show what the helper is doing in the log file?

http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_ldap_group

Looks like the -d debug option.

Amos
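
An added illustration, not part of the original message and not the helper's own code: it expands the `-f` filter template from the quoted configuration for a lookup line, so the resulting LDAP filter can be compared with what the helper's debug output shows. The `user@REALM` login form, the `strip` normalisation, and the sample names `jdoe` and `InternetUsers` are assumptions constructed for the example.

```python
import re

# Filter template copied from the external_acl_type line quoted in the thread.
FILTER = ("(&(objectclass=person)(sAMAccountName=%v)"
          "(memberof=cn=%a,CN=Users,DC=domain,DC=local))")


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def strip_realm(login):
    """Drop a trailing @REALM (hypothetical normalisation for this example)."""
    return login.split("@", 1)[0]


def expand(template, login, group, strip=False):
    """Substitute %v (user) and %a (group) into the filter template."""
    user = strip_realm(login) if strip else login
    subs = {"%v": ldap_escape(user), "%a": ldap_escape(group)}
    return re.sub(r"%[va]", lambda m: subs[m.group(0)], template)


def filters_for_line(line, strip=False):
    """Treat a lookup line as '<login> <group> [<group> ...]'."""
    login, *groups = line.split()
    return [expand(FILTER, login, g, strip) for g in groups]


if __name__ == "__main__":
    # Constructed sample lines: a bare account name and a principal with realm.
    for sample in ("jdoe InternetUsers", "jdoe@DOMAIN.LOCAL InternetUsers"):
        for strip in (False, True):
            print(sample, "strip=%s" % strip)
            for f in filters_for_line(sample, strip):
                print("   ", f)
```

If the login arrives with a realm suffix, the `sAMAccountName` term carries it verbatim and matches no account, which shows up as a differing filter string in the comparison.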