Re: [squid-users] Squid_ldap_auth multiple groups

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 10 Aug 2004 09:20:28 +0200 (CEST)

On Tue, 10 Aug 2004, Stefan Thomas wrote:

> /usr/local/squid/libexec/squid_ldap_auth -b "" -D "cn=name,o=name" -w
> passwd -h ip-adr -f
> (&(&(cn=%s)(objectClass=person))(groupMembership=cn=Internet,ou=name,ou=
> name,o=name))
>
> This works very well. Now I have a new challenge to solve. I want to
> check whether the authorised user is in the group "internet" OR "marketing" OR
> "normal" OR ...
>
> He should be in one !! of these groups, not in all !

See RFC2254

& is AND
| is OR

(&(cn=%s)(objectClass=person)(|(groupMembership=cn=Internet,ou=name,ou=name,o=name)(groupMembership=cn=Marketing,ou...)(groupMembership=cn=Normal,ou..)(...)))

But personally I would make the setup as follows

   1. One single group which determines if the user should at all be
allowed to use the Internet, if not all users should be allowed. This is
optional.

   2. A number of groups verified by squid_ldap_group for giving different
levels of access to the Internet.

Regards
Henrik
Received on Tue Aug 10 2004 - 01:20:31 MDT
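
The OR filter from the reply above, built programmatically, as an added example that is not part of the original message or of Squid. The group DNs are constructed placeholders, and `render()` is a hypothetical inspection helper that shows the filter for one login with the RFC 2254 special characters escaped, so a login containing `*` or `)(` cannot change which groups are checked.

```python
# Added example: build the "(|...)" group filter passed to squid_ldap_auth -f.
# GROUPS holds constructed placeholder DNs, not values from the thread.
GROUPS = [
    'cn=Internet,ou=example,o=example',
    'cn=Marketing,ou=example,o=example',
    'cn=Normal,ou=example,o=example',
]


def escape_filter_value(value):
    """Escape * ( ) \\ and NUL as backslash + two hex digits (RFC 2254)."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\0' else c for c in value)


def build_auth_filter(group_dns, member_attr='groupMembership',
                      object_class='person'):
    """Return the filter template; %s is left in place as the login placeholder."""
    if not group_dns:
        raise ValueError('at least one group DN is required')
    terms = ''.join('(%s=%s)' % (member_attr, escape_filter_value(dn))
                    for dn in group_dns)
    # One group needs no OR wrapper; several are joined with (|...).
    group_part = terms if len(group_dns) == 1 else '(|%s)' % terms
    return '(&(cn=%%s)(objectClass=%s)%s)' % (object_class, group_part)


def render(template, login):
    """Hypothetical helper: the filter as searched for one escaped login."""
    return template.replace('%s', escape_filter_value(login))


def balanced(filter_text):
    """Check that every '(' has a matching ')' before the filter is deployed."""
    depth = 0
    for ch in filter_text:
        depth += (ch == '(') - (ch == ')')
        if depth < 0:
            return False
    return depth == 0


if __name__ == '__main__':
    template = build_auth_filter(GROUPS)
    print(template)
    print(render(template, 'a*)(cn=*'), balanced(template))
```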
