So I finally tried it on my Squid Proxy.
I edited the squid like this:
external_acl_type ad_group_member_check ttl=120 %LOGIN /usr/lib/squid/ext_ldap_group_acl -d -R -K -S -b "dc=domain,dc=com" -D ProxyUser@xxxxxxxxxx -W /etc/squid/ldappass.txt -f "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Groups,DC=domain,DC=com))" -h my.domain.com
ProxyUser is an AD user I created and the file "ldappass.txt" contains the password for this user.
Now I did try to ask for specific groups with the help of this:
acl LDAPLookup1 external ad_group_member_check Test1
Test1 is a group in the AD and part of the OU "Groups".
But now I have the problem that the following is written in the squid cache.log:
ext_ldap_group_acl: WARNING: LDAP search error 'Referral'
So it seems like LDAP cannot check the groups, but I have no clue why. Can someone help?
Regards,
Philipp
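
The following is an added example, not part of the original message and not the helper's own code: it expands the posted -f filter for one login and group the way the helper's options describe, and builds an equivalent OpenLDAP ldapsearch command so the same search can be reproduced outside Squid. The login "jdoe@DOMAIN.COM", the function names and the approximation of -K/-S are assumptions.

```python
import re
import shlex

# Filter template, base DN, bind DN, secret file and host as posted in the message above.
TEMPLATE = "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Groups,DC=domain,DC=com))"

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def normalize_login(login):
    """Approximate -K (drop '@REALM') and -S (drop a leading 'DOMAIN\\')."""
    login = login.split("@", 1)[0]
    return login.rsplit("\\", 1)[-1]


def expand_filter(template, login, group):
    """Substitute %u and %g in one pass so neither value is re-expanded.

    Only filter escaping is applied; a group name containing DN special
    characters such as ',' would additionally need RFC 4514 escaping.
    """
    values = {"u": escape_filter_value(normalize_login(login)),
              "g": escape_filter_value(group)}
    return re.sub(r"%([ug])", lambda m: values[m.group(1)], template)


def ldapsearch_argv(host, base, bind_dn, secret_file, ldap_filter):
    """OpenLDAP ldapsearch arguments for the same subtree search.

    -y uses the complete file contents as the password, so the file must
    not end in a newline. ldapsearch does not chase referrals unless -C
    is given, which matches the helper's -R.
    """
    return ["ldapsearch", "-x", "-H", "ldap://" + host, "-D", bind_dn,
            "-y", secret_file, "-b", base, "-s", "sub", ldap_filter, "dn"]


if __name__ == "__main__":
    # "jdoe@DOMAIN.COM" is a constructed login; Test1 is the group from the message.
    flt = expand_filter(TEMPLATE, "jdoe@DOMAIN.COM", "Test1")
    print(flt)
    print(shlex.join(ldapsearch_argv("my.domain.com", "dc=domain,dc=com",
                                     "ProxyUser@xxxxxxxxxx",
                                     "/etc/squid/ldappass.txt", flt)))
```
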
Sent: Sunday, 24 January 2021 at 17:02
From: "Marek Greško" <mgresko8@xxxxxxxxx>
To: heimarbeit123.99@xxxxxx
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid doesn't notice AD group changes
Hello,
that looks correct. Maybe I would add -B option to the
ext_ldap_group_acl helper to specify basedn for users.
Marek
2021-01-24 10:06 GMT+01:00, heimarbeit123.99@xxxxxx <heimarbeit123.99@xxxxxx>:
> Thanks for your replies!
>
> Yes, I did try "external_acl_type wbinfocheck %LOGIN
> /usr/lib/squid/ext_wbinfo_group_acl -K".
>
> So if my fqdn would be "my.domain.com" it would be:
>
> external_acl_type ad_group_member_check ttl=120 %LOGIN
> /usr/lib/squid/ext_ldap_group_acl -d -R -K -S -b "dc=domain,dc=com"
> -D 192.168.1.250@xxxxxxxxxx -W /etc/squid/ldappass.txt -f
> "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Groups,DC=domain,DC=com))" -h
> my.domain.com
>
> for 192.168.1.250 being the IP from my Squid Proxy Server, right?
>
> So I could ask for specific groups like this:
> acl Group1 ad_group_member_check TestGroup1
> acl Group2 ad_group_member_check TestGroup2
> and so on.. Am I right?
>
> Thank you so far for your help!
>
> Regards,
> Philipp
>
> --
> This message was sent from my Android mobile phone with WEB.DE Mail.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users