Re: squid_ldap_group


 



In case somebody is interested, indeed changing the query made it work. Now username/password in the browser works fine and users are correctly authenticated.

Thanks

Gonzalo 
 
>>> Gonzalo Morera 31/1/2011 11:24 AM >>> 
I've found an old post talking about eDirectory, so I modified the query like this:

/usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b o=laboratorio -s sub -f "(&(objectClass=User)(cn=%u)(groupMembership=cn=%g,o=laboratorio))" -h 192.168.0.205 -p 389

and now just entering username groupname shows OK.

So it looks like in the LDAP filter, for the group name I had to manually specify the context where it is, even if it is under the search base.

Now I have to test it on the browser login page.

Thanks

Gonzalo
 
>>> "Gonzalo Morera" <gmorera@xxxxxxxxxx> 31/1/2011 10:32 AM >>> 
I saw now that if I enter the query in bash:

/usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b o=laboratorio -s sub -f "(&(objectClass=User)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389

when the cursor blinks I enter:

username group

Then I've got squid_ldap_group Warning, ldap search error "invalid dn syntax"

So it looked like the query sent is incorrect. But if I enter:

username cn=groupname,o=context

Then I've got Connected OK and groupfilter OK

So it looks like this is my issue, the query sent is incorrect. From bash I can easily modify it and add cn=group,o=context to perform the search, but how can I apply that to the acl? Here I'm lost.

Thanks a lot

Gonzalo
 
>>> "Gonzalo Morera" <gmorera@xxxxxxxxxx> 31/1/2011 09:45 AM >>> 
Hi all

After getting familiar with squid_ldap_auth, I'm still having some issues with squid_ldap_group.
I'm getting familiar with squid acl (I've been working the last years with Novell BorderManager, which is quite different) and I cannot make it work.
I've got two groups, internet_r and internet_nr.

I'm using a pl file to allow users with the Novell client installed to transparently access the internet. That works fine as the pl script gets the network IP address of the client. But with no Novell client installed, the default ldap_auth method has to be used, so users get a login page to enter name and password. After doing so, the same page appears, and after 3 times an access denied is seen. No matter if I use a user in group internet_r (with access) or internet_nr (no access), the results are the same. The login page keeps returning until the access denied. So I'm doing something wrong with squid_ldap_group and the acl.
Looking at LAN traces, I saw nothing, and the access.log file showed no errors, only the URL the user wanted to go to. Var/log/message showed no indication of any error either. So how can I see in more detail what is happening?

This is my squid.conf

#Recommended minimum configuration:

auth_param basic program /usr/sbin/squid_ldap_auth -Z -D cn=squid,o=laboratorio -w novell -b o=laboratorio -s sub -f "(&(objectclass=User)(cn=%s))" -h 192.168.0.205 -p 389 
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off


#Default:
# none
#external_acl_type directory_group %LOGIN /usr/sbin/squid_ldap_group -R -b "ou=servicios,o=laboratorio" -D "cn=admin,o=laboratorio" -w "synergy" -f (&(objectClass=person)(uid=%v)(groupMembership=cn=%a,ou=servicios,o=laboratorio))" -h 192.168.0.205 -p 389
#
external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
#
#this one works external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -R -b "o=laboratorio" -D "cn=squid,o=laboratorio" -w "novell" -f (&(objectClass=inetOrgPerson)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389

external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b o=laboratorio -s sub -f "(&(objectClass=User)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389

Message looks good when loading:

Jan 27 12:26:59 oes2sp1 squid[11312]: Squid Parent: child process 11314 started
Jan 27 12:26:59 oes2sp1 squid[11314]: Starting Squid Cache version 2.5.STABLE12 for i686-pc-linux-gnu...
Jan 27 12:26:59 oes2sp1 squid[11314]: Process ID 11314
Jan 27 12:26:59 oes2sp1 squid[11314]: With 4096 file descriptors available
Jan 27 12:26:59 oes2sp1 squid[11314]: DNS Socket created at 0.0.0.0, port 32788, FD 6
Jan 27 12:26:59 oes2sp1 squid[11314]: Adding nameserver 192.168.0.26 from /etc/resolv.conf
Jan 27 12:26:59 oes2sp1 squid[11314]: helperOpenServers: Starting 8 'squidGuard' processes
Jan 27 12:26:59 oes2sp1 squid[11314]: helperOpenServers: Starting 5 'squid_ldap_auth' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: helperOpenServers: Starting 5 'squid_edir_iplookup.pl' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: helperOpenServers: Starting 5 'squid_ldap_group' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: User-Agent logging is disabled.
Jan 27 12:27:00 oes2sp1 squid[11314]: Referer logging is disabled.
Jan 27 12:27:01 oes2sp1 squid[11314]: Unlinkd pipe opened on FD 34
Jan 27 12:27:01 oes2sp1 squid[11314]: Swap maxSize 1048576 KB, estimated 80659 objects
Jan 27 12:27:01 oes2sp1 squid[11314]: Target number of buckets: 4032
Jan 27 12:27:01 oes2sp1 squid[11314]: Using 8192 Store buckets
Jan 27 12:27:01 oes2sp1 squid[11314]: Max Mem  size: 102400 KB
Jan 27 12:27:01 oes2sp1 squid[11314]: Max Swap size: 1048576 KB
Jan 27 12:27:01 oes2sp1 squid[11314]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Jan 27 12:27:01 oes2sp1 squid[11314]: Rebuilding storage in /var/cache/squid (DIRTY)
Jan 27 12:27:01 oes2sp1 squid[11314]: Using Least Load store dir selection
Jan 27 12:27:01 oes2sp1 squid[11314]: Set Current Directory to /var/cache/squid
Jan 27 12:27:01 oes2sp1 squid[11314]: Loaded Icons.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting HTTP connections at 0.0.0.0, port 3128, FD 36.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting ICP messages at 0.0.0.0, port 3130, FD 37.
Jan 27 12:27:01 oes2sp1 squid[11314]: HTCP Disabled.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting SNMP messages on port 3401, FD 38.
Jan 27 12:27:01 oes2sp1 squid[11314]: WCCP Disabled.
Jan 27 12:27:02 oes2sp1 squid[11314]: Ready to serve requests.
Jan 27 12:27:02 oes2sp1 squid[11314]: Done reading /var/cache/squid swaplog (1864 entries)
Jan 27 12:27:02 oes2sp1 squid[11314]: Finished rebuilding storage from disk.
Jan 27 12:27:02 oes2sp1 squid[11314]:      1864 Entries scanned
Jan 27 12:27:02 oes2sp1 squid[11314]:         0 Invalid entries.
Jan 27 12:27:02 oes2sp1 squid[11314]:         0 With invalid flags.
Jan 27 12:27:02 oes2sp1 squid[11314]:      1864 Objects loaded.
Jan 27 12:27:02 oes2sp1 squid[11314]:         0 Objects expired.
Jan 27 12:27:02 oes2sp1 squid[11314]:         0 Objects cancelled.
Jan 27 12:27:02 oes2sp1 squid[11314]:         0 Duplicate URLs purged.
Jan 27 12:27:02 oes2sp1 squid[11314]:         0 Swapfile clashes avoided.
Jan 27 12:27:02 oes2sp1 squid[11314]:   Took 1.7 seconds (1096.5 objects/sec).
Jan 27 12:27:02 oes2sp1 squid[11314]: Beginning Validation Procedure
Jan 27 12:27:02 oes2sp1 squid[11314]:   Completed Validation Procedure
Jan 27 12:27:02 oes2sp1 squid[11314]:   Validated 1864 Entries
Jan 27 12:27:02 oes2sp1 squid[11314]:   store_swap_size = 27684k
Jan 27 12:27:03 oes2sp1 squid[11314]: storeLateRelease: released 0 objects

Thanks a lot


gonzalo
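
The difference between the two filters in this thread, as an added example (not part of the original posts and not squid's own code): a Python model of expanding the -f template with %u and %g, followed by a simplified check that the resulting groupMembership value has DN shape, which is what the "invalid dn syntax" error in the thread points to. The function names and the user jdoe are hypothetical; value escaping follows RFC 4515.

```python
import re

# Filters from the thread: the failing one and the one that worked.
BROKEN = "(&(objectClass=User)(cn=%u)(groupMembership=%g))"
FIXED = "(&(objectClass=User)(cn=%u)(groupMembership=cn=%g,o=laboratorio))"

# RFC 4515: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# Simplified RDN shape (type=value); escaped commas are not handled here.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, user, group):
    """Replace %u and %g in a single pass with escaped values."""
    values = {"%u": escape_filter_value(user), "%g": escape_filter_value(group)}
    return re.sub(r"%[ug]", lambda m: values[m.group(0)], template)


def looks_like_dn(value):
    return all(_RDN.match(part.strip()) for part in value.split(","))


def check(template, line):
    """Model one helper request line: '<user> <group>'.

    Returns (expanded_filter, group_value_is_dn).
    """
    user, group = line.split(None, 1)
    ldap_filter = expand_filter(template, user, group.strip())
    match = re.search(r"\(groupMembership=([^)]*)\)", ldap_filter)
    return ldap_filter, bool(match) and looks_like_dn(match.group(1))


if __name__ == "__main__":
    for tmpl in (BROKEN, FIXED):
        for line in ("jdoe internet_r", "jdoe cn=internet_r,o=laboratorio"):
            print(check(tmpl, line))
```

With the corrected filter the acl only needs the bare group name; passing a full DN to it would nest one DN inside another, which the check also rejects.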





