On Wed, 15 Dec 2010 14:06:59 +0100, François Bastien wrote:
> So, in the end I'll be using Amos settings so I can manage only one group:
>
> http_access allow ldapgroup-unrestricted
> http_access deny work_unrelated !acl_lunchbreak_time
> http_access allow authenticated
> http_access deny all
>
> I'm currently at the next step: debugging.... And I found something
> quite interesting:
>
> aclMatchExternal: ldapgroup("domain%5Cuser unrestricted") = lookup needed
> aclMatchAclList: no match, returning 0
> externalAclLookup: lookup in 'ldapgroup' for 'domain%5Cuser unrestricted'
> externalAclHandleReply: reply="ERR"
>
> So it seems that the username given to the squid_ldap_group helper is
> wrong because of the "%5C".
> Maybe I should strip the domain\ from the username?

Aha. The line fields are URL-encoded according to RFC 1738 specs. The
helper is supposed to decode.

You can drop the domain for a workaround, but there may be users with
special letters or punctuation in their names which hit this as well (i.e.
the "c" in your first name).

Amos
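
The decoding step discussed in this exchange, as an added example that is not part of the original thread and is not the squid_ldap_group source: a minimal external ACL helper loop that splits the request line, undoes the %XX escaping per field, and only then strips the domain. SAMPLE_GROUPS is a constructed stand-in for the LDAP lookup, and all function names are hypothetical.

```python
import sys
from urllib.parse import unquote_to_bytes

# Constructed stand-in for the directory: group name -> member logins.
# "\u00e7" is the cedilla letter, written as an escape to keep this file ASCII.
SAMPLE_GROUPS = {"unrestricted": {"user", "fran\u00e7ois"}}

def decode_field(field):
    """Undo the RFC 1738 %XX escaping applied to one field of the line."""
    raw = unquote_to_bytes(field)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")  # e.g. %E7 sent by a Latin-1 client

def parse_request(line):
    """Split on whitespace first, then decode each field, so an escaped
    space (%20) inside a value is never taken for a field separator."""
    fields = [decode_field(f) for f in line.split()]
    if len(fields) < 2:
        raise ValueError("expected '<login> <group> [...]'")
    return fields[0], fields[1:]

def strip_domain(login):
    """Drop a leading 'DOMAIN\\' so the directory sees the bare login."""
    return login.rsplit("\\", 1)[-1]

def answer(line, groups=SAMPLE_GROUPS):
    """Return the helper reply for one request line: 'OK' or 'ERR'."""
    try:
        login, wanted = parse_request(line)
    except ValueError:
        return "ERR"  # malformed request: fail closed
    user = strip_domain(login).lower()
    return "OK" if any(user in groups.get(g, ()) for g in wanted) else "ERR"

def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # the proxy waits for each reply line

if __name__ == "__main__":
    main()
```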