Re: Re: Re: Re: Re: Re: Re: Re: Re: squid_ldap_group against nested groups/Ous


On 7/08/2012 12:07 a.m., Eugene M. Zheganin wrote:
Hi.

On 06.08.2012 16:48, Markus Moeller wrote:
Hi Eugene,

What would a squid_group_ldap line look like? Where would the group name come from? I could try to add this feature.


That would be awesome.

squid_group_ldap is expecting to see the username along with the group name to check the membership in on its stdin. It looks the same way your helper works, just with a group name. At the same time, in a config file you could describe the group directly, or supply a filename which contains the group name (I prefer a filename, for example).

My squid.conf prior to using squid_kerb_ldap helper used to look like:

===Cut===
external_acl_type ldap_group ttl=60 negative_ttl=60 children=40 %LOGIN \
    /usr/local/libexec/squid/squid_ldap_group \
    -b cn=Users,dc=norma,dc=com \
    -f "(&(cn=%g)(member=%u)(objectClass=group))" \
    -F "sAMAccountname=%s" \
    -D cn=dca,cn=Users,dc=norma,dc=com \
    -W /usr/local/etc/squid/ad.passwd -h hq-gc.norma.com -v 3 -p 389

acl ad-internet-users external ldap_group "/usr/local/etc/squid/ad-internet-users.acl"


To clarify: when the squid.conf "acl blah external" line contains a value, or set of values, or file full of values - like above - after the helper label, the values are sent as additional space-delimited "words" appended to the external_acl_type format.

What the above defines is a stdin line to the helper which looks like:
  <login> <group1> <group2> ...


Markus: you can see an example in the LDAP_group helper code. Look for rfc1738_unescape(group) in the main while loop.

Amos
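
The stdin line format described in this message, as an added example that is not part of the original thread and is not Squid's helper code: it splits a `<login> <group1> <group2> ...` line, percent-decodes each word after splitting (so an escaped space stays inside one group name), and escapes filter metacharacters before a group name is placed into a filter like the `-f` one above. The names `pct_decode`, `parse_line` and `filter_escape` are hypothetical, `pct_decode` is a simplified stand-in for `rfc1738_unescape`, and the RFC 4515 escaping step and the sample line are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decode %XX in place; simplified stand-in for rfc1738_unescape(). */
static void pct_decode(char *s) {
    char *o = s;
    for (; *s; s++) {
        unsigned v = 0;
        if (*s == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2]))
            sscanf(s + 1, "%2x", &v);
        if (v) { *o++ = (char)v; s += 2; } else *o++ = *s;  /* %00 stays literal */
    }
    *o = '\0';
}

/* Split "<login> <group1> ..." on spaces, then decode each word; -1 if no login. */
static int parse_line(char *line, char **login, char **groups, int max) {
    int n = 0;
    line[strcspn(line, "\r\n")] = '\0';
    if (!(*login = strtok(line, " "))) return -1;
    pct_decode(*login);
    while (n < max && (groups[n] = strtok(NULL, " ")) != NULL)
        pct_decode(groups[n++]);
    return n;
}

/* Escape * ( ) \ as \XX (RFC 4515) before a value is put into a search filter. */
static int filter_escape(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (; *in; in++) {
        int special = strchr("*()\\", *in) != NULL;
        if (o + (special ? 4 : 2) > outlen) return -1;   /* would not fit */
        if (special) o += (size_t)sprintf(out + o, "\\%02x", (unsigned char)*in);
        else out[o++] = *in;
    }
    if (o >= outlen) return -1;
    out[o] = '\0';
    return 0;
}

int main(void) {
    /* Constructed input: second group name decodes to filter metacharacters. */
    char line[] = "jdoe Internet%20Users x%29%28cn%3D%2A\n";
    char *login, *groups[8], esc[128];
    int n = parse_line(line, &login, groups, 8);
    for (int i = 0; i < n; i++)
        if (filter_escape(groups[i], esc, sizeof esc) == 0)
            printf("%s: (&(cn=%s)(objectClass=group))\n", login, esc);
    return 0;
}
```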

