
RE: Kerberos Authentication and LDAP Authorization


 



>I've added the following to squid.conf:
>
>external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b "CN=Users,DC=heidelberg,DC=bw-online,DC=de" -f "(&(cn=%g)(memberUid=%u)(objectClass=ebay))" -B "CN=Users" -F "(CN=%s)" -D "CN=ldap,CN=Users,DC=heidelberg,DC=bw-online,DC=de" -w "PASSWORD" -h dc2.heidelberg.bw-online.de -v 3 -K
>
>ebay is the group that contains the users which should be allowed; this group is in the container Users. The user to read the AD is ldap, also located in the container Users.
>
>I've deleted the acl and the http_access for the authenticated users with kerberos and added the following:
>
>acl ldapgroup-access external ldapgroup @HEIDELBERG.BW-ONLINE.DE

That's wrong, according to you, ebay is the group?

external_acl_type ldapgroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "DC=domain,DC=local" -D "CN=LDAP,OU=Service Accounts,OU=Some OU,DC=domain,DC=local" -W /etc/squid/squid_ldap_group_secret -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Some OU,OU=Another OU,DC=domain,DC=local))" -h 192.168.0.2 -d -K
acl ldapgroup-access external ldapgroup ebay

That's how I do it.

>http_access allow all ldapgroup-access
>
>But now, even members of the ebay-group get a denied. Can anyone see my mistake?

Probably finish that with:

http_access deny !<auth acl name>
http_access allow ldapgroup <auth acl name> all

You can also run that external_acl_type from the cli and enter user/group
pairs separated by a space and see the results. Also adding a -d will show
what was sent as a query to the ldap server in your cache log.

Hth,
jlc
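
What the directory is asked for each user/group pair typed at the helper, as an added sketch that is not part of the original message and not Squid's own code. It assumes -K drops the Kerberos realm from the login and that %v and %a are filled with the escaped user and group; the function names and the user "alice" are hypothetical.

```python
import re

# Filter template copied from the reply above (%v = login name, %a = group).
FILTER = ("(&(objectclass=person)(sAMAccountName=%v)"
          "(memberof=CN=%a,OU=Some OU,OU=Another OU,DC=domain,DC=local))")

def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so input cannot reshape the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def strip_realm(login):
    """Model of -K (assumed behaviour): user@REALM becomes user."""
    return login.split("@", 1)[0]

def build_filters(request_line, template=FILTER, strip_kerberos_realm=True):
    """Return one search filter per group on a 'login group [group ...]' line."""
    fields = request_line.split()
    if len(fields) < 2:
        raise ValueError("expected: login group [group ...]")
    login, groups = fields[0], fields[1:]
    user = strip_realm(login) if strip_kerberos_realm else login
    filters = []
    for group in groups:
        values = {"%v": ldap_escape(user), "%a": ldap_escape(group)}
        # Single pass, so substituted text is never re-scanned for %v / %a.
        filters.append(re.sub(r"%[va]", lambda m: values[m.group(0)], template))
    return filters

# Constructed request lines: the acl argument from the question, then the group.
AS_POSTED = "alice@HEIDELBERG.BW-ONLINE.DE @HEIDELBERG.BW-ONLINE.DE"
CORRECTED = "alice@HEIDELBERG.BW-ONLINE.DE ebay"

if __name__ == "__main__":
    for line in (AS_POSTED, CORRECTED):
        print(line)
        for f in build_filters(line):
            print("   ", f)
```

With the acl argument from the question the realm string lands in the group position of the filter, so no membership can match; with `ebay` the filter names the intended group.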

