Hello everyone:
I'm a newbie using squid and I have my first question in this forum...
I'm trying to authenticate my users and groups against OpenLDAP...
Explaining:
I have three groups and their users are:
- administrators [adm1,adm2] (they must have not restrictions).
- supervisors [sup1,sup2] (they can't see some web pages).
- users [user1,user2] (they can only browse the web, not msn, yahoo or similar applications).
My slapd.conf has:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
loglevel 256
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
backend bdb
database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw gohan
directory /var/example.com
index objectClass eq
access to *
by * read
And my squid.conf has:
...
auth_param basic program /usr/local/squid/libexec/ldap_auth
external_acl_type ldap_group %LOGIN /usr/local/squid/libexec/squid_ldap_group -R -D "cn=admin,dc=example,dc=com" -w gohan -b "dc=example,dc=com" -f "uid=%v" -s sub -v 3 -g "ou=%g" 127.0.0.1
...
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl users proxy_auth REQUIRED
acl outside external ldap_group users <--- this is one of my groups that I want to test
...
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow outside
http_access deny all
...
However, when I try to connect using a browser I see the dialog window
asking me for username/password; with user1/user1 everything is fine, but
if I give a different user, for example sup1/sup1 (this user is from
supervisors, which isn't allowed), it says it is correct :S
I have ldap_auth and squid_ldap_group scripts:
ldap_auth:
/usr/local/squid/libexec/squid_ldap_auth -R -D cn=admin,dc=example,dc=com -w gohan -b dc=example,dc=com -s sub -v 3 -f "(uid=%s)" -h 127.0.0.1
and squid_ldap_group which is a binary compiled with squid.
I'm doing something wrong, but I don't know what it is. Am I missing some
configuration? :S
Could somebody help me please...
-- Omar M omargohan@gmail.com
Received on Thu Jan 18 2007 - 14:03:59 MST
This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:01 MST
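The post above hinges on what the external ACL helper actually answers when Squid hands it "sup1 users". The example below is added here and is not part of the original post nor of Squid's own squid_ldap_group source: it is a small stand-in helper that speaks the same external_acl_type protocol (Squid writes one line per check, "<login> <group>", and expects "OK" or "ERR" back), but replaces the LDAP search with a constructed in-memory directory so it runs offline. The directory layout (one ou per group, users as uid entries beneath it) is an assumption derived from the poster's -g "ou=%g" and -f "uid=%v" options; the entry DNs and the helper's name are hypothetical.

```python
#!/usr/bin/env python3
"""Stand-in for an external_acl_type group helper (added example, not Squid's code).

Squid sends lines of the form "<login> <group>" (from "%LOGIN" plus the acl's
arguments) and reads back "OK" or "ERR", one answer per request line.
The LDAP search is simulated against a constructed directory below.
"""
import sys

# Constructed directory (hypothetical entries): DN -> attributes.
# Layout assumed from the poster's '-g "ou=%g"': one ou per group.
DIRECTORY = {
    "uid=adm1,ou=administrators,dc=example,dc=com": {"uid": "adm1"},
    "uid=adm2,ou=administrators,dc=example,dc=com": {"uid": "adm2"},
    "uid=sup1,ou=supervisors,dc=example,dc=com": {"uid": "sup1"},
    "uid=sup2,ou=supervisors,dc=example,dc=com": {"uid": "sup2"},
    "uid=user1,ou=users,dc=example,dc=com": {"uid": "user1"},
    "uid=user2,ou=users,dc=example,dc=com": {"uid": "user2"},
}

BASE_DN = "dc=example,dc=com"   # the poster's -b value
GROUP_BASE = "ou=%g"            # the poster's -g value (%g = group name)
FILTER = "uid=%v"               # the poster's -f value (%v = login)


def _rdns(dn):
    """Split a DN into its RDN list, case-folded, for suffix comparison."""
    return [part.strip().lower() for part in dn.split(",")]


def subtree_search(base, attr, value):
    """Simulated '-s sub' search: DNs under `base` whose `attr` equals `value`."""
    base_rdns = _rdns(base)
    hits = []
    for dn, attrs in DIRECTORY.items():
        dn_rdns = _rdns(dn)
        under_base = dn_rdns[-len(base_rdns):] == base_rdns
        if under_base and attrs.get(attr) == value:
            hits.append(dn)
    return hits


def check_membership(login, group):
    """Return 'OK' if `login` is found beneath the group's ou, else 'ERR'."""
    # Fail closed on empty or malformed fields rather than granting access.
    if not login or not group or "," in group or "=" in group:
        return "ERR"
    base = GROUP_BASE.replace("%g", group) + "," + BASE_DN
    attr, value_tmpl = FILTER.split("=", 1)
    value = value_tmpl.replace("%v", login)
    return "OK" if subtree_search(base, attr, value) else "ERR"


def handle_request_line(line):
    """Parse one protocol line from Squid and produce the reply token."""
    fields = line.strip().split()
    if len(fields) < 2:          # Squid always sends login and group
        return "ERR"
    return check_membership(fields[0], fields[1])


def main():
    # Helper loop: answer each request line immediately and flush,
    # because Squid waits for the reply before sending the next request.
    for line in sys.stdin:
        sys.stdout.write(handle_request_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it the way Squid would, e.g. `printf 'sup1 users\nuser1 users\n' | python3 group_helper.py`, and it answers ERR then OK. The same manual test works against the real helper: feed "sup1 users" to the squid_ldap_group command line from squid.conf on stdin and read what it prints. If it prints OK, the directory search (base plus filter) matches sup1 under the users subtree and the Squid ACL is doing exactly what the helper tells it; if it prints ERR, the problem is in squid.conf rather than in LDAP. Note the helper here deliberately answers ERR for malformed input, since a group check that fails open turns an authentication helper into an allow-all rule.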