Re: LDAP related question.

Quoting Eliezer Croitoru <eliezer@xxxxxxxxxxxx>:

I wanted to test the ext_ldap_group_acl so I created an LDAP domain.
The command I am testing is:
/usr/lib/squid3/ext_ldap_group_acl -b "DC=ngtech,DC=local" -D "CN=admin,DC=ngtech,DC=local" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,DC=ngtech,DC=local))" -h 127.0.0.1


Looks like your command is a bit off. Here's my LDAP one which works (some variant of squid3 -- I only have the config file on my local PC, and no over-the-internet access to this particular proxy, as at work). Please note that I redacted the actual domain name, and replaced it with "example".

external_acl_type ldapgroup %LOGIN /usr/lib/squid3/ext_ldap_group_acl -b "ou=users,dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -W /etc/squid3/pass.in -f (&(objectClass=*)(uid=%u)(memberof=cn=%g,ou=ldapGroups,dc=example,dc=org)) -h ldap.example.org

I was having trouble with the object class myself ... but the LDAP group is small (like 30 people, and nothing else like printers or anything), so having a "too big" objectClass base isn't the end of the world.

Then the ACLs are pretty simple:

acl ldap-kids external ldapgroup kids
acl ldap-parents external ldapgroup parents

acl allow [...] kids
acl deny kids all <-- not 100% sure this one is necessary, but I'm also not 100% certain how squid reacts to a couple "allow" rules, followed by "allow" rules for a different group, but this seems to work.

acl allow [...] parents
acl deny ad_sites parents all <-- death to ads ;)

acl deny all


Now I have entered "user1 int" and, to my understanding, it should reply with OK, but it returns ERR:
user1 int
ext_ldap_group_acl.cc(587): pid=27778 :Connected OK
ext_ldap_group_acl.cc(726): pid=27778 :group filter '(&(objectclass=person)(sAMAccountName=user1)(memberof=CN=int,DC=ngtech,DC=local))', searchbase 'DC=ngtech,DC=local'
ERR


Now the ldap structure is like this:
DC=ngtech, DC=local
-> CN=int
member-->user1
-> OU=users
--> CN=user1
(Not such a great painter.)


I think you're missing an OU in there, my LDAP server is ordered like this:

dc=example,dc=org
|
-> ou=ldapGroups
||
|-> cn=kids
|-> cn=parents
|
-> ou=users
 |
 -> cn=[user1]
 -> cn=[user2]
 -> [...]

How did you create things? I found that using ldif files caused trouble (or at least the ones from the examples I had), whereas just installing phpldapadmin and poking around got me up and running in almost no time flat.

[snip]
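The thread turns on two details of the -f filter: the %u/%v and %g/%a placeholders are substituted with the user and group names from each "user group" request line, and the memberof= value must be the group's exact DN in the directory (the reply's point about the missing OU), while the -b search base decides which entries are even considered. The following is an added illustration, not code from the squid-users thread or from the Squid helper itself: it re-implements the template substitution with RFC 4515 escaping of the substituted values, evaluates the resulting conjunctive filter against a small in-memory directory laid out like the reply's (ou=ldapGroups and ou=users under dc=example,dc=org; all entries are constructed), and answers OK/ERR the way the helper's line protocol does. The real ext_ldap_group_acl does its own substitution and talks to a real server; the evaluator here only supports the (&(a=b)(c=d)...) shape used in the thread.

```python
import re

# Constructed directory modelled on the reply's layout; every value is made up.
DIRECTORY = [
    {"dn": "cn=kids,ou=ldapGroups,dc=example,dc=org",
     "objectClass": ["groupOfNames"],
     "member": ["uid=user1,ou=users,dc=example,dc=org"]},
    {"dn": "cn=parents,ou=ldapGroups,dc=example,dc=org",
     "objectClass": ["groupOfNames"],
     "member": ["uid=user2,ou=users,dc=example,dc=org"]},
    {"dn": "uid=user1,ou=users,dc=example,dc=org",
     "objectClass": ["inetOrgPerson"], "uid": ["user1"],
     "memberOf": ["cn=kids,ou=ldapGroups,dc=example,dc=org"]},
    {"dn": "uid=user2,ou=users,dc=example,dc=org",
     "objectClass": ["inetOrgPerson"], "uid": ["user2"],
     "memberOf": ["cn=parents,ou=ldapGroups,dc=example,dc=org"]},
]

# The reply's -f template and -b search base (assumed values for this example).
TEMPLATE = "(&(objectClass=*)(uid=%u)(memberof=cn=%g,ou=ldapGroups,dc=example,dc=org))"
BASE = "ou=users,dc=example,dc=org"
# Same template but with the ou=ldapGroups RDN left out, as in the quoted post.
TEMPLATE_MISSING_OU = "(&(objectClass=*)(uid=%u)(memberof=cn=%g,dc=example,dc=org))"


def ldap_filter_escape(value):
    """RFC 4515 escaping: substituted names are literal text, not filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_group_filter(template, user, group):
    """Expand %u/%v (user) and %g/%a (group), the placeholders seen in the thread."""
    u, g = ldap_filter_escape(user), ldap_filter_escape(group)
    return template.replace("%u", u).replace("%v", u).replace("%g", g).replace("%a", g)


def _norm(value):
    # Case-insensitive compare; collapse whitespace after commas in DN values.
    return re.sub(r",\s+", ",", value.strip().lower())


def _unescape(value):
    # Turn \2a-style escapes back into the literal characters for comparison.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(entry, flt):
    """Evaluate a conjunction of equality/presence assertions against one entry."""
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", flt)
    if not m:
        raise ValueError("unsupported filter shape: %s" % flt)
    attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
    for attr, value in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1)):
        stored = attrs.get(attr.lower(), [])
        if value == "*":                      # presence test, e.g. (objectClass=*)
            if not stored:
                return False
        elif _norm(_unescape(value)) not in {_norm(s) for s in stored}:
            return False
    return True


def group_check(user, group, template=TEMPLATE, base=BASE, directory=DIRECTORY):
    """OK when a subtree search under `base` with the expanded filter finds an entry."""
    flt = build_group_filter(template, user, group)
    nb = _norm(base)
    in_scope = [e for e in directory
                if _norm(e["dn"]) == nb or _norm(e["dn"]).endswith("," + nb)]
    return "OK" if any(_matches(e, flt) for e in in_scope) else "ERR"


if __name__ == "__main__":
    # Same request lines the helper would read on stdin: "user group".
    for line in ["user1 kids", "user1 parents", "user2 parents"]:
        u, g = line.split()
        print(line, "->", group_check(u, g))
```

Running group_check("user1", "kids") with TEMPLATE_MISSING_OU instead of TEMPLATE answers ERR even though user1 is in kids, because "cn=kids,dc=example,dc=org" is not the group's DN; that is the same symptom as the ERR in the quoted post, and the first thing to compare when the helper logs a filter that looks right. The escaping also means a request for user "user*" is matched literally and fails rather than being treated as a wildcard.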


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
