problem with squid_ldap_group

CyberSoul <cybersoul@xxxxxxx> · Thu, 26 Jan 2012 10:20:39 +0400

Hello, I need help!
I have problem with 'squid_ldap_group'.

Situation:
There  are  domain  (kng.local) with Active Directory (192.168.4.100),
one  of the group with access to the Internet named as 'internetusers'
and  2 users in it: 'ldapreader' with pass '12345678' & 'testproxyad1'
with the same pass '12345678'. It is necessary to setup & has working a proxy
 server with authorization by groups from Active Directory.

Tries of decision:
With ldapsearch i can see the group, what i need, command is:
ldapsearch  -D  ldapreader@kng.local  -w  12345678 -h 192.168.4.100 -b
"dc=kng,dc=local" -x '(&(objectCategory=group)(cn=internetusers))'

Output to console is:
...
#internetusers, KNG-Services, kng.local
dn: CN=internetusers,OU=KNG-Services,DC=kng,DC=local
objectClass: top
objectClass: group
cn: internetusers
member: CN=ldapreader,OU=KNG-Services,DC=kng,DC=local
member: CN=testproxyad1,OU=KNG-Services,DC=kng,DC=local
distinguishedName: CN=internetusers,OU=KNG-Services,DC=kng,DC=local
name: internetusers
sAMAccountName: internetusers
objectCategory: CN=Group,CN=Schema/CN=Configuration,DC=kng,DC=local
...

Well, command for authorized by users I used is:
/usr/lib/squid/squid_ldap_auth -R -D ldapreader@kng.local -w "12345678" \
-b "dc=kng,dc=local" -f "sAMAccountName=%s" -h 192.168.4.100
and it's work:
ldapreader 12345678
OK
testproxyad1 12345678
OK

But  finaly,  command  for  authorized by group doesn't work (variously
variants I try are):
1) /usr/lib/squid/squid_ldap_group -d -v 3 -b "cn=internetusers,ou=KNG-Services,dc=kng,dc=local" \
-f "(?(objectClass=Group)(cn=%v)(memberUid=%a))"

2) /usr/lib/squid/squid_ldap_group -b "dc=kng,dc=local" -D ldapreader@kng.local -w 12345678 -f \
"(&(objectClass=group)(sAMAccountName=%v)(cn=%a))" -h 192.168.4.100 -d

3) /usr/lib/squid/squid_ldap_group -R -b "dc=kng/dc=local" -D ldapreader@kng.local -w 12345678 -f \
"(&(objectClass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=Users,dc=kng,dc=local))" -h 192.168.4.100

4) /usr/lib/squid/squid_ldap_group -d -v 3 -b "cn=internetusers,ou=KNG-Services,dc=kng,dc=local" -f \
"(&(objectClass=groups)(cn=%a)(memberUid=%v))" -d

5) /usr/lib/squid/squid_ldap_group -R -b "cn=internetusers,ou=KNG-Services,dc=kng,dc=local" -f \
"(&(cn=%a)(objectClass=%g,cn=internetusers,dc=kng,dc=local))" -D ldapreader@kng.local -w 12345678 -h 192.168.4.100

Output to console is the same of all:
Connected OK.
group filter '...' searchbase '...'
ERR

There is no information in the "cache.log" about command 'squid_ldap_group' & I don't know in what direction looking for a solution.
Please, help me to resolve this problem as quick as you can. Dancing with a tambourine around the proxy is not cool=)
I will grateful to all comments & advices.
Thanks.

P.S. Sorry for the large volume of text & bad english.

Best wishes,
     Paul