Re: [squid-users] Fw: squid_ldap_group config

From: Carissa Srugis <csrugis@dont-contact.us>
Date: Wed, 1 Dec 2004 12:49:25 -0500

I am trying to do a similar thing. I tried to install
squid_ldap_auth but it keeps failing during make. At first, it could
not find some of the include files, but I think I fixed that by adding
some symbolic links for each file from the /usr/local/include
directory to the /usr/include directory. These were various ldap
include files. I am using FreeBSD 4.10 if it makes a difference.
After I made those links, the make continued for a while but
ultimately failed with numerous errors of "empty declaration" and "useless
keyword or type name in empty declaration".

Any ideas?

Thanks!
Carissa

On Wed, 01 Dec 2004 12:39:49 -0500, Matt Benjamin <matt@linuxbox.com> wrote:
> Kelly,
>
> The intent of the Squid mechanism is, I think, a bit obscure--hopefully
> the authors will step forward and show how you set up the two distinct
> external auth mechanisms it appears you need in order for Squid to a)
> authenticate to LDAP and b) do the group check.
>
> However, our solution (which resembles that used in a commercial K12
> proxy solution which I shall not name), is as follows:
>
> 1. We use one external authenticator, the squid_ldap_auth program
> 2. All traffic is sent to a customized Squidguard redirect_program--our
> version combines a bunch of extant modifications, including LDAP
> group-based ACLs, and a modified logging feature used to drive reporting
> 3. Any sort of authorization rule, including one forbidding specific
> users/groups to visit FTP urls, would happen here. For example, your
> source group might be "kids," and the destination group anything
> matching an "^ftp://" regex.
>
> We have some tweaks to Webmin, a real-time log parser, and reporting
> tool we're releasing, that organize all this.
>
> Matt
>
>
>
> Kelly_Connor@gilbert.k12.az.us wrote:
>
> >
> >Hi all,
> >
> >I hope this has not been addressed anywhere in the mailing lists. I did a
> >search and couldn't find anything, and I've already RTFM'd.
> >
> >I don't understand how to set up the squid_ldap_group external acl type.
> >
> >We are running Novell eDirectory and using various LDAP groups to
> >(hopefully) control internet access for our various high school campuses.
> >We want to have different control lists based upon the user. Students are
> >denied ftp downloads and are sent to a redirector/content filter, while we
> >IT people don't go to the redirector and get ftp downloads.
> >
> >The man page for external_acl_type doesn't seem clear to me.
> >
> >This is what I've got so far:
> >
> >external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b <basedn>
> >-D <squidaccount> -w <passwd> -f
> >"(&(cn=%v)(groupMembership=cn=<group1dn>))" -h ldap.host
> >external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b <basedn>
> >-D <squidaccount> -w <passwd> -f
> >"(&(cn=%v)(groupMembership=cn=<group2dn>))" -h ldap.host
> >
> >acl Restricted port 20 21 1025-65535
> >
> >acl external ldap_group deny Restricted
> >acl external ldap_group allow Restricted
> >
> >I'm certain I am doing something wrong with my "acl external" lines. How
> >do I differentiate the two different groups? How exactly is the
> >external_acl_type line used? Is ldap_group a reserved phrase that has to
> >follow external_acl_type? How do I return to squid the group membership
> >token for the user?
> >
> >Thanks for any illumination...
> >
> >
> >Kelly Connor
> >Network Technician
> >Gilbert Unified School District
> >kelly_connor@gilbert.k12.az.us
> >
> >
> >
>
>

-- 
*********************************************************
Carissa Srugis
csrugis@gmail.com
Received on Wed Dec 01 2004 - 10:49:26 MST
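For reference, here is a squid.conf fragment that addresses Kelly's questions directly: "ldap_group" is not a reserved word but a name you pick, you need only ONE external_acl_type line, and the two groups are distinguished by the group argument on each "acl ... external" line (Squid passes %LOGIN plus those group names to the helper for every lookup). This is an added example, not configuration from anyone in the thread. The -b/-D/-w/-f/-h flags are the ones from Kelly's post; <basedn>, <squidaccount>, <passwd>, <studentgroup>, <staffgroup>, ldap.host and the squidGuard path are placeholders; the %s token for squid_ldap_auth and the %v (user) / %a (group) tokens for squid_ldap_group are assumptions for the 2.5-era helpers and should be checked against the usage output of the helper you actually built (later releases use %u and %g).

```conf
# Added example, not from the thread: squid.conf for a student/staff split.
# Placeholders: <basedn> <squidaccount> <passwd> <studentgroup> <staffgroup> ldap.host

# 1. Authentication: one basic-auth helper against eDirectory.
#    %s = the login name (assumed squid_ldap_auth substitution token).
auth_param basic program /usr/sbin/squid_ldap_auth -b <basedn> -f "(cn=%s)" -h ldap.host
auth_param basic children 5
auth_param basic realm Gilbert USD proxy
auth_param basic credentialsttl 2 hours

# 2. Authorization: a SINGLE external_acl_type.  "ldap_group" is just a label.
#    Squid sends "<login> <group1> <group2> ..." to the helper; the helper puts
#    the login into %v and each group into %a (assumed 2.5 tokens; verify with
#    the helper's usage output).  eDirectory's groupMembership holds full DNs,
#    so the acl lines below pass the group's full DN.
external_acl_type ldap_group ttl=300 %LOGIN /usr/sbin/squid_ldap_group -b <basedn> -D <squidaccount> -w <passwd> -h ldap.host -f "(&(cn=%v)(groupMembership=%a))"

# 3. One acl per group; they differ only in the group DN passed to the helper.
acl students external ldap_group cn=<studentgroup>,<basedn>
acl staff    external ldap_group cn=<staffgroup>,<basedn>

acl authenticated proxy_auth REQUIRED
acl ftp proto FTP

# 4. Order matters: challenge for credentials first, then apply group rules.
#    Students lose FTP; staff get everything; anyone else is denied.
http_access deny  !authenticated
http_access deny  students ftp
http_access allow staff
http_access allow students
http_access deny  all

# 5. Only students are sent to the content filter (path is a placeholder).
redirect_program /usr/local/bin/squidGuard
redirector_access deny  staff
redirector_access allow students
```

Two practical notes: the `-w <passwd>` puts the directory bind password in squid.conf in clear text, so the file should be readable only by root and the squid user, and the bind account should be a read-only account limited to the user and group subtrees it needs. Also, because the group check runs after a successful proxy_auth, a user who is in neither group is refused by the final `deny all` rather than being silently passed through, which is the safer default for a school proxy.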

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:01 MST