I performed additional testing using different helpers but nothing changed, so I decided to use alternative tools to bind to AD. I used the tool ldapsearch to verify that it is at least possible to do a search on Active Directory, and it worked (it read all of AD, returning 271 objects).

    /usr/bin/ldapsearch -x -h domcon.kidanemehret.local -D squid@kidanemehret.local -W -b "dc=kidanemehret,dc=local" -s sub "(cn=*)" cn mail sn
    Enter LDAP Password
    # extended LDIF
    #
    # LDAPv3
    # base <dc=kidanemehret,dc=local> with scope subtree
    # filter: (cn=*)/
    ...
    ...
    ...

I then ran the query again using ext_ldap_group_acl, and when asking it to check whether a user (test-full) is a member of the AD group Internet_Users_Full, it returns ERR instead of OK.

    /usr/lib/squid3/ext_ldap_group_acl -R -K -b "OU=Service Accounts,OU=USR,DC=kidanemehret,DC=local" -D squid@kidamemehret.local -w mypassword -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=Internet_Users_Full,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h domcon.kidanemehret.local -d
    test-full
    ERR

Of course test-full is a member of Internet_Users_Full and the cn of the group is correct (verified in AD).

An additional strange thing (at least to me...) is that I may also use a wrong password in the option -w and the result is the same: it's not returning an authentication failure, just returning ERR, just as if the user were not in the group.

Note that I'm using the same account used in LDAPSEARCH to perform the search.

Any hints?
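An added example, not part of the original post: a Python script that compares the host, bind DN and search base of the two commands as posted, then builds an ldapsearch invocation that runs the helper's filter under the helper's own bind DN and base. The function names are hypothetical, the command strings are copied from the post, and escaping %u per RFC 4515 is an assumption made for the manual test.

```python
import shlex

# Command lines copied from the post (the -w value is the post's own placeholder).
LDAPSEARCH = ('/usr/bin/ldapsearch -x -h domcon.kidanemehret.local '
              '-D squid@kidanemehret.local -W -b "dc=kidanemehret,dc=local" '
              '-s sub "(cn=*)" cn mail sn')
HELPER = ('/usr/lib/squid3/ext_ldap_group_acl -R -K '
          '-b "OU=Service Accounts,OU=USR,DC=kidanemehret,DC=local" '
          '-D squid@kidamemehret.local -w mypassword '
          '-f "(&(objectclass=person)(sAMAccountName=%u)'
          '(memberof=cn=Internet_Users_Full,ou=Service Accounts,ou=USR,'
          'dc=kidanemehret,dc=local))" -h domcon.kidanemehret.local -d')

# Options that take a value in the two commands as posted (case-sensitive).
TAKES_VALUE = set("hDbsfw")

def parse_opts(cmdline):
    """Return {flag: value} for the value-taking options of one command line."""
    args, opts, i = shlex.split(cmdline)[1:], {}, 0
    while i < len(args):
        a = args[i]
        if len(a) == 2 and a[0] == "-" and a[1] in TAKES_VALUE and i + 1 < len(args):
            opts[a[1]] = args[i + 1]
            i += 1
        i += 1
    return opts

def connection_diff(a, b, flags="hDb"):
    """Host, bind DN and base values that differ, compared case-insensitively."""
    oa, ob = parse_opts(a), parse_opts(b)
    return {f: (oa.get(f), ob.get(f)) for f in flags
            if (oa.get(f) or "").lower() != (ob.get(f) or "").lower()}

def expand_filter(template, user):
    """Substitute %u with the user name, escaped per RFC 4515 (assumption)."""
    esc = "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in user)
    return template.replace("%u", esc)

def equivalent_ldapsearch(helper_cmd, user):
    """ldapsearch argv using the helper's host, bind DN, base and filter.
    -W prompts for the password so it stays off the command line."""
    o = parse_opts(helper_cmd)
    return ["ldapsearch", "-x", "-h", o["h"], "-D", o["D"], "-W",
            "-b", o["b"], expand_filter(o["f"], user), "dn"]

if __name__ == "__main__":
    for flag, (search, helper) in connection_diff(LDAPSEARCH, HELPER).items():
        print(f"-{flag} differs: ldapsearch={search!r} helper={helper!r}")
    print(shlex.join(equivalent_ldapsearch(HELPER, "test-full")))
```

Running the printed command by hand reports a failed bind as an explicit LDAP error instead of an empty result.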