In case somebody is interested, indeed changing the query made it work.
Now username/password in the browser works fine and users are correctly authenticated.

Thanks
Gonzalo

>>> Gonzalo Morera 31/1/2011 11:24 AM >>>

I've found an old post talking about eDirectory, so I modified the query like this:

usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b o=laboratorio -s sub -f "(&(objectClass=User)(cn=%u)(groupMembership=cn=%g,o=laboratorio))" -h 192.168.0.205 -p 389

and now just entering

username groupname

shows OK.

So it looks like in the LDAP filter, for the group name, I had to specify manually the context where it is, even if it is under the search base.
Now I have to test it on the browser login page.

Thanks
Gonzalo

>>> "Gonzalo Morera" <gmorera@xxxxxxxxxx> 31/1/2011 10:32 AM >>>

I saw now that if I enter the query in bash:

usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b o=laboratorio -s sub -f "(&(objectClass=User)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389

when the cursor blinks I enter:

username group

Then I get

squid_ldap_group Warning, ldap search error "invalid dn syntax"

So it looked like the query sent is incorrect. But if I enter:

username cn=groupname,o=context

Then I get

Connected OK and groupfilter OK

So it looks like this is my issue: the query sent is incorrect.
From bash I can easily modify it and add cn=group,o=context to perform the search, but how can I apply that to the acl? Here I'm lost.

Thanks a lot
Gonzalo

>>> "Gonzalo Morera" <gmorera@xxxxxxxxxx> 31/1/2011 09:45 AM >>>

Hi all

After getting familiar with squid_ldap_auth, I'm still having some issues with squid_ldap_group.
I'm getting familiar with squid acls (I've been working the last years with Novell BorderManager, which is quite different) and I cannot make it work.

I've got two groups, internet_r and internet_nr. I'm using a pl file to allow users with the Novell client installed to transparently access the internet.
That works fine, as the pl script gets the network IP address of the client.
But with no Novell client installed, the default ldap_auth method has to be used, so users get a login page to enter name and password. After doing that, the same page appears, and after 3 times an access denied is seen.
No matter if I use a user in group internet_r (with access) or internet_nr (no access), the results are the same. The login page keeps returning until the access denied.

So I'm doing something wrong with squid_ldap_group and the acl.
Looking at LAN traces, I saw nothing, and the access.log file showed no errors, only the URL the user wanted to go to. /var/log/messages showed no indication of any error either.

So how can I see in more detail what is happening?

This is my squid.conf

#Recommended minimum configuration:
auth_param basic program /usr/sbin/squid_ldap_auth -Z -D cn=squid,o=laboratorio -w novell -b o=laboratorio -s sub -f "(&(objectclass=User)(cn=%s))" -h 192.168.0.205 -p 389
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

#Default:
# none
#external_acl_type directory_group %LOGIN /usr/sbin/squid_ldap_group -R -b "ou=servicios,o=laboratorio" -D "cn=admin,o=laboratorio" -w "synergy" -f (&(objectClass=person)(uid=%v)(groupMembership=cn=%a,ou=servicios,o=laboratorio))" -h 192.168.0.205 -p 389
# external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
#
#this one is valid
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -R -b "o=laboratorio" -D "cn=squid,o=laboratorio" -w "novell" -f (&(objectClass=inetOrgPerson)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b o=laboratorio -s sub -f "(&(objectClass=User)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389

Messages look good when loading:

Jan 27 12:26:59 oes2sp1 squid[11312]: Squid Parent: child process 11314 started
Jan 27 12:26:59 oes2sp1 squid[11314]: Starting Squid Cache version 2.5.STABLE12 for i686-pc-linux-gnu...
Jan 27 12:26:59 oes2sp1 squid[11314]: Process ID 11314
Jan 27 12:26:59 oes2sp1 squid[11314]: With 4096 file descriptors available
Jan 27 12:26:59 oes2sp1 squid[11314]: DNS Socket created at 0.0.0.0, port 32788, FD 6
Jan 27 12:26:59 oes2sp1 squid[11314]: Adding nameserver 192.168.0.26 from /etc/resolv.conf
Jan 27 12:26:59 oes2sp1 squid[11314]: helperOpenServers: Starting 8 'squidGuard' processes
Jan 27 12:26:59 oes2sp1 squid[11314]: helperOpenServers: Starting 5 'squid_ldap_auth' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: helperOpenServers: Starting 5 'squid_edir_iplookup.pl' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: helperOpenServers: Starting 5 'squid_ldap_group' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: User-Agent logging is disabled.
Jan 27 12:27:00 oes2sp1 squid[11314]: Referer logging is disabled.
Jan 27 12:27:01 oes2sp1 squid[11314]: Unlinkd pipe opened on FD 34
Jan 27 12:27:01 oes2sp1 squid[11314]: Swap maxSize 1048576 KB, estimated 80659 objects
Jan 27 12:27:01 oes2sp1 squid[11314]: Target number of buckets: 4032
Jan 27 12:27:01 oes2sp1 squid[11314]: Using 8192 Store buckets
Jan 27 12:27:01 oes2sp1 squid[11314]: Max Mem size: 102400 KB
Jan 27 12:27:01 oes2sp1 squid[11314]: Max Swap size: 1048576 KB
Jan 27 12:27:01 oes2sp1 squid[11314]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Jan 27 12:27:01 oes2sp1 squid[11314]: Rebuilding storage in /var/cache/squid (DIRTY)
Jan 27 12:27:01 oes2sp1 squid[11314]: Using Least Load store dir selection
Jan 27 12:27:01 oes2sp1 squid[11314]: Set Current Directory to /var/cache/squid
Jan 27 12:27:01 oes2sp1 squid[11314]: Loaded Icons.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting HTTP connections at 0.0.0.0, port 3128, FD 36.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting ICP messages at 0.0.0.0, port 3130, FD 37.
Jan 27 12:27:01 oes2sp1 squid[11314]: HTCP Disabled.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting SNMP messages on port 3401, FD 38.
Jan 27 12:27:01 oes2sp1 squid[11314]: WCCP Disabled.
Jan 27 12:27:02 oes2sp1 squid[11314]: Ready to serve requests.
Jan 27 12:27:02 oes2sp1 squid[11314]: Done reading /var/cache/squid swaplog (1864 entries)
Jan 27 12:27:02 oes2sp1 squid[11314]: Finished rebuilding storage from disk.
Jan 27 12:27:02 oes2sp1 squid[11314]: 1864 Entries scanned
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Invalid entries.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 With invalid flags.
Jan 27 12:27:02 oes2sp1 squid[11314]: 1864 Objects loaded.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Objects expired.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Objects cancelled.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Duplicate URLs purged.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Swapfile clashes avoided.
Jan 27 12:27:02 oes2sp1 squid[11314]: Took 1.7 seconds (1096.5 objects/sec).
Jan 27 12:27:02 oes2sp1 squid[11314]: Beginning Validation Procedure
Jan 27 12:27:02 oes2sp1 squid[11314]: Completed Validation Procedure
Jan 27 12:27:02 oes2sp1 squid[11314]: Validated 1864 Entries
Jan 27 12:27:02 oes2sp1 squid[11314]: store_swap_size = 27684k
Jan 27 12:27:03 oes2sp1 squid[11314]: storeLateRelease: released 0 objects

Thanks a lot
Gonzalo
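
Added example (not part of the original thread and not Squid's own code): a small Python check that reads the -f filter from a squid_ldap_group command line and reports when a DN-valued membership attribute would receive a bare group name, which is the case that produced "invalid dn syntax" above. Assumptions of this example: the %u/%v and %g/%a expansion and the filter-value escaping are a model of the helper's behaviour, the DN attribute list beyond groupMembership is illustrative, and the user name and shortened command lines are constructed sample input.

```python
import re
import shlex

# Attributes with DN syntax. groupMembership is the one from the thread;
# the others are illustrative additions (assumption of this example).
DN_ATTRS = {"groupmembership", "member", "uniquemember", "memberof"}
ASSERTION = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")
RDN = re.compile(r"^[A-Za-z][\w.-]*=[^,=]+$")

# Constructed sample input: the two filters from the thread, options trimmed.
BROKEN = ('squid_ldap_group -b o=laboratorio -s sub '
          '-f "(&(objectClass=User)(cn=%u)(groupMembership=%g))"')
FIXED = ('squid_ldap_group -b o=laboratorio -s sub '
         '-f "(&(objectClass=User)(cn=%u)(groupMembership=cn=%g,o=laboratorio))"')

def escape(value):
    """Escape LDAP filter metacharacters so input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, user, group):
    """Single-pass substitution of %u/%v (user) and %g/%a (group)."""
    values = {"u": user, "v": user, "g": group, "a": group}
    return re.sub(r"%([uvga])", lambda m: escape(values[m.group(1)]), template)

def looks_like_dn(value):
    """Loose shape check: comma-separated attr=value RDNs."""
    return all(RDN.match(p.strip()) for p in re.split(r"(?<!\\),", value))

def helper_filter(command):
    """Return the argument that follows -f on a helper command line."""
    args = shlex.split(command)
    return args[args.index("-f") + 1]

def lint(command, user, group):
    """List DN-valued assertions that would be sent a non-DN group value."""
    findings = []
    for attr, value in ASSERTION.findall(helper_filter(command)):
        if attr.lower() in DN_ATTRS and re.search(r"%[ga]", value):
            sent = expand(value, user, group)
            if not looks_like_dn(sent):
                findings.append(f"{attr}={sent}: not a DN, expect 'invalid dn syntax'")
    return findings

if __name__ == "__main__":
    for name, cmd in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint(cmd, "testuser", "internet_r") or "OK")
```

With the group name kept short in the acl (internet_r) and the context written into the filter, the same check passes; passing the full DN as the group argument to the original filter passes as well, matching what was seen at the helper prompt.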