Hello.

I just solved this problem myself. It was my mistake with the filters. Here’s how it goes:

    /usr/lib64/squid/ext_ldap_group_acl -R -b "dc=my,dc=domain" -D "squid@my.domain" -W /etc/squid/ldappass.txt -f "(&(sAMAccountName=%u)(memberof:1.2.840.113556.1.4.1941:=CN=%g,DC=my,dc=domain)(objectClass=user))" -h mydc.my.domain

That ‘:1.2.840.113556.1.4.1941:’ will cause a recursive lookup until it finds a user. Useful when the user is not directly a member of that group, but is a member of a group that is a member of that group.

Best regards.
Robi

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On behalf of Roberto Nunnari

Hello.

I’m setting up squid on a CentOS 8 server. Authentication against Active Directory works well with basic_ldap_auth, but I fail when trying to check that a user belongs to a group. It seems to me that for ext_ldap_group_acl it’s enough that both the user and the group exist and it returns OK. It returns ERR when it cannot find the group or the user.

To make it more clear, here are the queries and results I get.

user1.test exists and is a member of group My_Group
user2.test exists and is NOT a member of group My_Group
Group asdf does NOT exist

So, I expect that when asking for
- user1.test My_Group >> OK
- user2.test My_Group >> ERR

But I get:
- user1.test My_Group >> OK
- user2.test My_Group >> OK

Here it is:

    # /usr/lib64/squid/ext_ldap_group_acl -d -R -b "dc=my,dc=domain" -D "squid@my.domain" -W /etc/squid/ldappass.txt -F "(sAMAccountName=%s)" -f "(memberof=CN=%g,DC=my,DC=domain)" -h sv-102-dc.my.domain
    user1.test asdf
    ext_ldap_group_acl.cc(589): pid=194302 :Connected OK
    ext_ldap_group_acl.cc(772): pid=194302 :user filter '(sAMAccountName=user1.test)', searchbase 'dc=my,dc=domain'
    ext_ldap_group_acl.cc(736): pid=194302 :group filter '(memberof=CN=asdf,DC=my,DC=domain)', searchbase 'dc=my,dc=domain'
    ERR
    user1.test My_Group
    ext_ldap_group_acl.cc(589): pid=194302 :Connected OK
    ext_ldap_group_acl.cc(772): pid=194302 :user filter '(sAMAccountName=user1.test)', searchbase 'dc=my,dc=domain'
    ext_ldap_group_acl.cc(736): pid=194302 :group filter '(memberof=CN=My_Group, DC=my,DC=domain)', searchbase 'dc=my,DC=domain'
    OK
    user2.test My_Group
    ext_ldap_group_acl.cc(589): pid=194302 :Connected OK
    ext_ldap_group_acl.cc(772): pid=194302 :user filter '(sAMAccountName=user2.test)', searchbase 'dc=my,dc=domain'
    ext_ldap_group_acl.cc(736): pid=194302 :group filter '(memberof=CN=My_Group, DC=my,DC=domain)', searchbase 'dc=my,DC=domain'
    OK

My env:

    # uname -rms
    Linux 4.18.0-193.14.2.el8_2.x86_64 x86_64
    # rpm -qa | grep squid
    squid-4.4-8.module_el8.2.0+319+d18e041f.1.x86_64

Could any kind soul help me out?

Thank you and best regards.
Robi
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
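
Added example, not part of the original post and not squid's code: a small Python model of why the first -f filter answered OK for user2.test while the corrected one answers ERR. It assumes the group check succeeds when the expanded filter matches at least one directory entry, leaves out the separate -F user lookup, and runs against a constructed directory; user3.test and the group Nested are hypothetical additions that show the nested-group case.

```python
import re

IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID used in the corrected filter
BASE = "dc=my,dc=domain"

# Constructed sample directory (not data from the original post). Everything is
# lower-cased because DN and attribute matching is case-insensitive.
DIRECTORY = {
    f"cn=user1.test,{BASE}": {"samaccountname": "user1.test", "objectclass": "user",
                              "memberof": [f"cn=my_group,{BASE}"]},
    f"cn=user2.test,{BASE}": {"samaccountname": "user2.test", "objectclass": "user",
                              "memberof": []},
    f"cn=user3.test,{BASE}": {"samaccountname": "user3.test", "objectclass": "user",
                              "memberof": [f"cn=nested,{BASE}"]},
    f"cn=nested,{BASE}": {"objectclass": "group", "memberof": [f"cn=my_group,{BASE}"]},
    f"cn=my_group,{BASE}": {"objectclass": "group", "memberof": []},
}

ORIGINAL = "(memberof=CN=%g,DC=my,DC=domain)"  # never mentions %u
CORRECTED = ("(&(sAMAccountName=%u)"
             "(memberof:1.2.840.113556.1.4.1941:=CN=%g,DC=my,dc=domain)(objectClass=user))")

def groups_of(dn, transitive):
    """Direct groups of dn, or every ancestor group when transitive is set."""
    seen, todo = set(), list(DIRECTORY[dn]["memberof"])
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            if transitive and group in DIRECTORY:
                todo.extend(DIRECTORY[group]["memberof"])
    return seen

def term_matches(dn, attr, rule, value):
    if attr == "memberof":
        return value in groups_of(dn, transitive=(rule == IN_CHAIN))
    return DIRECTORY[dn].get(attr) == value

def group_check(template, user, group):
    """Assumed model of the group search: OK if any entry satisfies every term."""
    expanded = template.replace("%u", user).replace("%g", group).lower()
    # Handles only an AND of equality terms, which covers both filters in the thread.
    terms = re.findall(r"\((\w+)(?::([\d.]+):)?=([^()]*)\)", expanded)
    hit = any(all(term_matches(dn, *t) for t in terms) for dn in DIRECTORY)
    return "OK" if hit else "ERR"
```

With ORIGINAL the result depends only on whether the group has any member at all, so every existing user passes; a quick review check for any -f filter used for authorization is that it contains both %u and %g.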