
Re: LDAP search filter for FreeIPA

On 6/10/22 02:29, Djerk Geurts wrote:
> Hi,
>
> I’ve got LDAP auth working against FreeIPA, but now I’m trying to get LDAP group ACL controls working. Initially I used the local unix group filter, which works great as the machine running Squid is able to query group membership through pam. But then I found that nested group membership didn’t work. So now I’m trying to query group membership via LDAP and failing miserably.
>
> My config:
>
> auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b "cn=users,cn=accounts,dc=DOMAIN,dc=COM" -D "uid=squid-ldap,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM" -W "/etc/squid/squid-ldap.cred" -u uid -H LDAPS://ipa.domain.com:636
> […]


To clarify, does the above description mean login with this helper works fine?


> external_acl_type ldap_group %LOGIN .../ext_ldap_group_acl \
>   -v 3 \

FYI: LDAP v3 is the default. You should not need to set this.


>   -b "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" \
>   -f "(&(cn=%g)(member=uid=%u))" \
> ...


You can add '-d' (lower case) to get a debug trace in cache.log about what is happening inside the helper.

You can use that to confirm the user/group details are arriving properly and the filter string is correct before it is sent to LDAP.

Also, see whether LDAP is having connectivity issues, or search issues, or something else is going on.


FWIW, the above reads to me like you are looking up the existence of the group rather than the existence of a specific user within a group. My LDAP knowledge is weak, so I may be wrong about that.



> This ldap search works fine:
>
> user@ipa:~$ ldapsearch -x -D 'cn=Directory Manager' -W -b "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" '(&(cn=proxy)(member=uid=user,*))'

I notice that there is an extra ',*' after the username in this filter string which is missing on the helper one.



> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=groups,cn=accounts,dc=DOMAIN,dc=COM> with scope subtree
> # filter: (&(cn=proxy)(member=uid=user,*))
> # requesting: ALL
> #
>
> ...


> So how am I meant to set the filter of ext_ldap_group_acl?


FYI, what the Squid helpers do is replace the %g and %u values and pass the resulting string as the 'filter' to LDAP.

Meaning that the filter used by Squid should be the same as the ldapsearch filter would be if you were searching for username "%u" in group "%g".


Also, be aware that the filter string/pattern should be constructed in a way that correctly handles non-ASCII characters or whitespace if those are possible in your credentials and/or group names.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
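An added illustration of the two points Amos makes above (the helper substitutes %u and %g into the -f template, and the values should be escaped so whitespace, non-ASCII or filter metacharacters cannot change the filter). This is example code written for this page, not Squid's own helper logic; the escaping follows RFC 4515 and is assumed here rather than taken from the helper source.

```python
# Added example (not Squid's code): build an LDAP search filter by
# substituting %u and %g into a template, applying RFC 4515 escaping to the
# substituted values so metacharacters in a login or group name cannot alter
# the meaning of the filter (a classic LDAP-injection defence).

# RFC 4515 section 3: these characters must be written as backslash + two
# hex digits when they appear inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in _ESCAPE:
            out.append(_ESCAPE[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: escape each UTF-8 byte as \xx so the value survives
            # any transport or parser that is not UTF-8 clean.
            out.extend(r"\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def build_group_filter(template: str, user: str, group: str) -> str:
    """Replace %u and %g in the template with escaped values.

    Mirrors what the reply describes: the login name and the group being
    checked are substituted into the -f string and the result is handed to
    LDAP. Wildcards written in the template itself (the ',*' below) are kept;
    only the substituted values are escaped.
    """
    return (template.replace("%u", escape_filter_value(user))
                    .replace("%g", escape_filter_value(group)))

# The two filters from the thread: the helper's -f string (exact match on
# "uid=%u") and the ldapsearch filter that worked, where ',*' lets the
# substring match cover the rest of the member DN.
HELPER_FILTER = "(&(cn=%g)(member=uid=%u))"
WORKING_FILTER = "(&(cn=%g)(member=uid=%u,*))"

if __name__ == "__main__":
    for tmpl in (HELPER_FILTER, WORKING_FILTER):
        print(build_group_filter(tmpl, "user", "proxy"))
    # A constructed hostile login name is neutralised instead of widening
    # the match to every group.
    print(build_group_filter(WORKING_FILTER, "*)(cn=*", "proxy"))
```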
