Hi,

I’ve got LDAP auth working against FreeIPA, but now I’m trying to get LDAP group ACL controls working. Initially I used the local unix group filter, which works great as the machine running Squid is able to query group membership through pam. But then I found that nested group membership didn’t work. So now I’m trying to query group membership via LDAP and failing miserably.

My config:

auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b "cn=users,cn=accounts,dc=DOMAIN,dc=COM" -D "uid=squid-ldap,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM" -W "/etc/squid/squid-ldap.cred" -u uid -H LDAPS://ipa.domain.com:636

[…]

external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -v 3 -b "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" -D "uid=squid-ldap,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM" -W "/etc/squid/squid-ldap.cred" -f "(&(cn=%g)(member=uid=%u))" -H LDAPS://ipa.domain.com:636

This ldap search works fine:

user@ipa:~$ ldapsearch -x -D 'cn=Directory Manager' -W -b "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" '(&(cn=proxy)(member=uid=user,*))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=DOMAIN,dc=COM> with scope subtree
# filter: (&(cn=proxy)(member=uid=user,*))
# requesting: ALL
#

# proxy, groups, accounts, ipnexia.com
dn: cn=proxy,cn=groups,cn=accounts,dc=ipnexia,dc=com
member: uid=user,cn=users,cn=accounts,dc=ipnexia,dc=com
memberOf: cn=proxyuser,cn=groups,cn=accounts,dc=ipnexia,dc=com
cn: proxy
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: GroupOfUniqueNames
objectClass: posixgroup
ipaUniqueID: ******
gidNumber: ******

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So how am I meant to set the filter of ext_ldap_group_acl? Most FreeIPA and Squid information centers around using Kerberos (and SSO) but the clients I’m dealing with here are not tied to FreeIPA thus Kerberos is not an option.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
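An added example (not from the post above, nor Squid's or FreeIPA's own code) that models the group entry from the ldapsearch output as constructed data, with the domain replaced by example.com and a constructed parent group "proxyuser": it shows why a group filter that compares the DN-valued member attribute against a bare uid=<login> cannot match under DN equality matching while the user's full DN does, and how nested membership has to be followed through member links rather than read from one level. All function and variable names are my own; the RFC 4515 escaping helper is there because the login name ends up substituted inside the filter.

```python
import re

# Constructed directory snapshot shaped like the LDIF in the post (domain
# replaced with example.com); "proxyuser" contains "proxy" as a nested group.
DIRECTORY = {
    "cn=proxy,cn=groups,cn=accounts,dc=example,dc=com": {
        "cn": ["proxy"],
        "member": ["uid=user,cn=users,cn=accounts,dc=example,dc=com"],
    },
    "cn=proxyuser,cn=groups,cn=accounts,dc=example,dc=com": {
        "cn": ["proxyuser"],
        "member": ["cn=proxy,cn=groups,cn=accounts,dc=example,dc=com"],
    },
    "uid=user,cn=users,cn=accounts,dc=example,dc=com": {"uid": ["user"]},
}

def norm_dn(dn):
    # DN comparison is case-insensitive and ignores space around the commas.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def escape_filter_value(value):
    # RFC 4515 escaping for any value substituted into a filter (login or
    # group names), so a crafted value cannot change the filter's structure.
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def group_has_member(group_cn, member_value):
    # Models (&(cn=<group>)(member=<member_value>)) with equality matching on
    # the DN-valued member attribute: the whole DN must match, not a prefix.
    for dn, attrs in DIRECTORY.items():
        if attrs.get("cn") == [group_cn]:
            return any(norm_dn(m) == norm_dn(member_value) for m in attrs.get("member", []))
    return False

def find_user_dn(login):
    # The lookup a login-to-DN step performs: (uid=<login>) under the users base.
    for dn, attrs in DIRECTORY.items():
        if attrs.get("uid") == [login]:
            return dn
    return None

def groups_of(dn, seen=None):
    # Transitive group membership by following member links upward; this is
    # the nested membership that a single-level member filter never sees.
    seen = set() if seen is None else seen
    for gdn, attrs in DIRECTORY.items():
        if gdn not in seen and any(norm_dn(m) == norm_dn(dn) for m in attrs.get("member", [])):
            seen.add(gdn)
            groups_of(gdn, seen)
    return {DIRECTORY[g]["cn"][0] for g in seen}
```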