[squid-users] Re: LDAP Authentification

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 29 Jun 2001 13:39:04 +0200

If you need to base ACL processing in Squid on different groups to give
different users different levels of access, and you must have the group
definitions in LDAP, then you have two options: working around the
limitations of an unpatched Squid, or patching Squid with the
group_ldap_auth patch to have full integration.

Using an unpatched Squid your only option is to have the group
definitions on the Squid proxy, and include them into different
proxy_auth ACLs. The group definitions can most likely be downloaded
from LDAP periodically with a cron job that searches LDAP for the users
in each group.

  acl group1 proxy_auth "/path/to/group1.txt"
  acl group2 proxy_auth "/path/to/group2.txt"

If you use the group_ldap_auth patch, please also read the
documentation. It uses different squid.conf directives and different ACL
names. The authenticate_program and proxy_auth directives are NOT used by
the patch.

The group_ldap_auth patch is only available for Squid-2.3, but I think
it should be possible to apply it to mostly any Squid-2.x release with
only some minor changes. The patch is quite self-contained and does not
depend on much else in Squid.

--
Henrik Nordstrom
Squid Hacker

Markus.Forrer@coop.ch wrote:
> 
> Yes
> 
> I've seen this right now.
> 
> So tell me what I should do.
> What is available at the moment for my requirements...
> 
> I should have Group Authentication and I should have the group names, to
> build working ACLs...
> 
> Squid 2.3Stable3 or Squid 2.4Stable1 ????
> 
> There are a lot of ldap_auth_modules around....
> 
> Regards Markus Forrer
> 
> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:hno@hem.passagen.se]
> > Sent: Friday, 29 June 2001 12:58
> > To: Markus.Forrer@coop.ch
> > Cc: squid-users@squid-cache.org
> > Subject: Re: AW: [squid-users] LDAP Authentification
> >
> > The attached code is functionally equivalent to the normal LDAP
> > authenticator using an LDAP search filter to match the user
> > attribute. It is NOT a group ldap authenticator.
> >
> > The group LDAP patch is meant to be used when you want to return the
> > group name to Squid to do further processing in Squid's ACLs based on
> > the group. It involves both a special authenticator, and patches to
> > the Squid source code with new configuration directives and ACL types
> > for matching LDAP groups.
> >
> > --
> > Henrik Nordstrom
> > Squid Hacker
Received on Fri Jun 29 2001 - 05:38:59 MDT
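
The cron job described above for an unpatched Squid, as an added example that is not part of the original message or of Squid itself. It assumes posixGroup entries that list members in memberUid; the LDAP URI, base DN and script name are placeholders.

```shell
#!/bin/sh
# Added example. Assumptions: posixGroup entries with memberUid values;
# the URI and base DN below are placeholders, not values from the thread.
LDAP_URI="ldap://ldap.example.com"
GROUP_BASE="ou=groups,dc=example,dc=com"

# LDIF on stdin -> sorted unique user names, one per line. Decodes base64
# values and drops any name with characters outside a conservative set, so a
# value with embedded whitespace or newlines cannot become extra ACL entries.
ldif_to_users() {
    while IFS= read -r line; do
        case "$line" in
            "memberUid:: "*)
                u=$(printf '%s' "${line#memberUid:: }" | base64 -d 2>/dev/null) || u= ;;
            "memberUid: "*) u=${line#memberUid: } ;;
            *) continue ;;
        esac
        case "$u" in
            ""|*[!A-Za-z0-9._@-]*) echo "skipping suspicious member value" >&2 ;;
            *) printf '%s\n' "$u" ;;
        esac
    done | LC_ALL=C sort -u
}

# User list on stdin -> file $1, replaced atomically. Returns 0 if the file
# changed, 2 if unchanged, 1 if the new list is empty (the old file is kept).
install_users() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    cat > "$tmp"
    if [ ! -s "$tmp" ]; then rm -f "$tmp"; return 1; fi
    if cmp -s "$tmp" "$1"; then rm -f "$tmp"; return 2; fi
    chmod 644 "$tmp" && mv "$tmp" "$1"   # must be readable by the Squid user
}

# Cron entry point: sync-group.sh <group cn> <acl file>
# The group cn goes into the search filter, so pass fixed names only.
if [ "$#" -eq 2 ]; then
    # Capture the result first so a failed search never truncates the ACL file.
    ldif=$(ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -b "$GROUP_BASE" \
        "(&(objectClass=posixGroup)(cn=$1))" memberUid) || exit 1
    if printf '%s\n' "$ldif" | ldif_to_users | install_users "$2"; then
        squid -k reconfigure   # ACL files are re-read only on reconfigure
    fi
fi
```

Between runs the files are a stale copy of LDAP, so a user removed from a group keeps that group's access until the next successful sync.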
