Re: [squid-users] Syntax Correct group_ldap_auth ?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 07 Nov 2002 19:36:28 +0100

You still have not answered my question on what your LDAP group objects
look like.

For squid_ldap_group to work you must be able to construct a search
filter based on the group name and the user's login. squid_ldap_group
uses this search filter to determine if the user is a member of a group
matching the given criteria.

The command line tool ldapsearch (part of OpenLDAP) is a good tool for
experimenting with various LDAP Search filters.

Regards
Henrik

Thu 2002-11-07 at 19.01, ROUTIER Gilles wrote:
> Thank you still Henrik,
>
> The authentication works, because if I make a mistake about the password, it asks me again
> to authenticate.
> On the other hand, if the authentication is good, it sends me back "Access Denied".
>
> My Squid.conf
> auth_param basic program /usr/lib/squid/squid_ldap_auth -u uid -b
> ou=public,ou=cicoa,o=cnamts,c=fr -h hermes1.cicoa.cnamts.fr -p 389
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b
> "ou=public,ou=cicoa,o=cnamts,c=fr" -f "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))"
> -h hermes1.cicoa.cnamts.fr -p 389
>
> acl group_Internet external ldapgroup GR-I-CICOA
> http_access allow group_Internet
> http_access deny all
>
> My access.log
> 1036690720.508 355 55.7.6.13 TCP_DENIED/407 1922 GET http://55.5.20.100/ sdfsdf NONE/-
> text/html
> 1036690727.644 801 55.7.6.13 TCP_DENIED/403 1466 GET http://55.5.20.100/ routier-00138
> NONE/- text/html
>
> Henrik Nordstrom wrote:
>
> > And why are you using group_ldap_auth? group_ldap_auth is not an
> > external_acl helper, it is a helper to the "LDAP Group auth patch".
> >
> > The external_acl LDAP group helper is squid_ldap_group
> >
> > Regarding the group name: The best way to supply group names to
> > squid_ldap_group is via the acl definition.
> >
> > external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b
> > "ou=public,ou=cicoa,o=cnamts,c=fr" -f
> > "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))" -h
> > hermes1.cicoa.cnamts.fr
> >
> > acl group_Internet external ldapgroup Internet
> >
> > But to tell if the filter is correct you need to look at how your group
> > LDAP objects are constructed. This is best done with the ldapsearch
> > command.
> >
> > Regards
> > Henrik
> >
> > Thu 2002-11-07 at 16.16, ROUTIER Gilles wrote:
> > > Thanks Henrik.
> > >
> > > My browser does indeed ask me for authentication, but it sends me back "access denied"
> > > while I am indeed a member of the Internet group.
> > >
> > > A question Henrik:
> > > Where do I define the name of the group in which to do the search?
> > > I want only the users belonging to the Internet group to have access to the proxy.
> > >
> > > My squid.conf
> > > auth_param basic program /usr/lib/squid/squid_ldap_auth -u uid -b
> > > ou=public,ou=cicoa,o=cnamts,c=fr -h hermes1.cicoa.cnamts.fr -p 389
> > > auth_param basic children 5
> > > auth_param basic realm Squid proxy-caching web server
> > > auth_param basic credentialsttl 2 hours
> > >
> > > external_acl_type ldapou %LOGIN /usr/lib/squid/group_ldap_auth -b
> > > "ou=public,ou=cicoa,o=cnamts,c=fr" -f
> > > "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))" -h hermes1.cicoa.cnamts.fr -p 389
> > >
> > > acl ou_Testing external ldapou GR-I-CICOA
> > > http_access allow ou_Testing
> > > http_access deny all
> > >
> > > INFO: The real name of the group in my LDAP DB is GR-I-CICOA
> > >
> > > THANKS FOR ALL HENRIK !
> > >
> > > Henrik Nordstrom wrote:
> > >
> > > > Thu 2002-11-07 at 14.39, ROUTIER Gilles wrote:
> > > >
> > > > > I would like to use group_ldap_auth.
> > > > > I have a group named INTERNET, and I would like only the persons of this
> > > > > group to be able to reach the proxy.
> > > > > But I do not know where to specify the name of the group?
> > > > > Can you tell me if the syntax is correct?
> > > >
> > > > It depends on what your LDAP group objects look like.
> > > >
> > > > > external_acl_type ldapou %LOGIN /usr/lib/squid/group_ldap_auth -b
> > > > > "ou=public,ou=cicoa,o=cnamts,c=fr" -f "(&(cn=INTERNET)(uid=%v)(ou=%a))" -h
> > > > > hermes1.cicoa.cnamts.fr -p 389
> > > >
> > > > Your filter does not look right. "(&(cn=%v)(uid=%v))" might work, but
> > > > more likely the group filter you are after looks something like
> > > > "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))".
> > > >
> > > > What is the output of
> > > >
> > > > ldapsearch -x -b "ou=public,ou=cicoa,o=cnamts,c=fr" cn=INTERNET
> > > >
> > > > Regards
> > > > Henrik Nordström
> > > > MARA Systems AB, Sweden
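As an added illustration of the point Henrik makes above (not code from the thread or from Squid's own helper sources): the helper's -f template is expanded with %v replaced by the group name from the acl line and %d by the login Squid passes as %LOGIN, and both values must be escaped as LDAP filter values so a crafted login cannot change the filter's logic. The group data below is constructed for the example; the membership check shows what the search has to decide, and the comment notes a caveat the thread does not state about substring matching on the DN-valued member attribute.

```python
import re

# The -f template from the thread; %v = group name (acl line), %d = user login.
FILTER_TEMPLATE = "(&(cn=%v)(member=uid=%d,*)(objectClass=groupOfNames))"
BASE_DN = "ou=public,ou=cicoa,o=cnamts,c=fr"

# Constructed sample data (not from a real directory): groupOfNames entries
# keyed by cn, each listing its member DNs.
SAMPLE_GROUPS = {
    "GR-I-CICOA": ["uid=routier-00138," + BASE_DN, "uid=dupont-00200," + BASE_DN],
    "GR-NOINET": ["uid=martin-00300," + BASE_DN],
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a login such as 'x)(uid=*' would inject its own filter
    terms; a helper must do this before substituting %v and %d.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_group_filter(template: str, group: str, login: str) -> str:
    """Expand %v and %d in a single pass so substituted text is never re-scanned."""
    values = {"v": ldap_filter_escape(group), "d": ldap_filter_escape(login)}
    return re.sub(r"%([vd])", lambda m: values[m.group(1)], template)


def is_group_member(groups: dict, group: str, login: str) -> bool:
    """What the expanded search must decide: is uid=<login>,<base> a member
    of the group named <group>?  DNs compare case-insensitively here.

    Caveat (not from the thread): member is a DN-syntax attribute, and
    substring matching is not defined for DN syntax, so a directory may
    never match (member=uid=%d,*); an exact-DN form such as
    (member=uid=%d,<base>) is what to try first with ldapsearch.
    """
    wanted = ("uid=%s,%s" % (login, BASE_DN)).lower()
    return any(member.lower() == wanted for member in groups.get(group, []))


if __name__ == "__main__":
    print(build_group_filter(FILTER_TEMPLATE, "GR-I-CICOA", "routier-00138"))
    print(build_group_filter(FILTER_TEMPLATE, "GR-I-CICOA", "x)(uid=*"))
    print(is_group_member(SAMPLE_GROUPS, "GR-I-CICOA", "routier-00138"))
```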
Received on Thu Nov 07 2002 - 11:35:43 MST
