Hi,
well, the name shouldn't matter...
Now i spent my day with playing with ldapsearch:
ldapsearch -h dhc-server -p 389 -D keppner@dhc-gmbh.com -w sEcReT -x -b
dc=dhc-gmbh,dc=com "(sAMAccountName=keppner)"
returns me all information about my own account; this is, what in
(squid_)ldap_auth is used: "auth_param basic program
/usr/lib/squid/ldap_auth -b dc=dhc-gmbh,dc=com -R -D keppner@dhc-gmbh.com -w
SeCrEt -f sAMAccountName=%s 192.168.42.10" works fine.
This is my squid_ldap_group - command in squid.conf
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b
dc=dhc-gmbh,dc=com -D keppner@dhc-gmbh.com -w SeCrEt -f
"(&(cn=Mitarbeiter)(member=uid=%u)) -F (sAMAccountName=%s) -h 192.168.42.10
-p 389
I think, the -F argument is correct, because it works in the auth-command.
Am i right: squid_ldap_group first searches with the -F argument, and checks
this account data against the filter in the -f argument? I don't understand
the meaning of the (member=uid=%u) condition. When i search with ldapsearch
and the Filter CN=Mitarbeiter, then i get a list with all members of the
group Mitarbeiter, where i can see, that i'm a member.
But i still get no access to the cache. In my squid.conf i've written the
external_acl_type and:
acl Mitarbeiter external ldap_group Mitarbeiter
and
http_access allow password dhc Mitarbeiter
the http_access line is inserted below the # INSERT YOUR OWN RULE(S) HERE TO
ALLOW ACCESS FROM YOUR CLIENTS line, dhc stands for our IP-Subnet and
password for the acl password proxy_auth REQUIRED.
Is there an error in the -f definition?
Greetings
Christoph
-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Saturday, December 20, 2003 1:01 AM
To: Keppner, Christoph
Cc: 'Henrik Nordstrom '
Subject: Re: AW: AW: AW: [squid-users] squid_ldap_group authentication
against Act ive Directory
On Fri, 19 Dec 2003, Keppner, Christoph wrote:
> This is a part of the squid-packet from Debian, except ldapauth, this is a
> bash-script written by myself...
>
> I never had a command squid_ldap_auth, only ldap_auth... What is going
wrong
> here?
Maybe a oddity of the Debian packaging, I do not know.
This is how a fully populated libexec directory looks in current source
releases:
-rwxr-xr-x 1 henrik users 138184 Dec 18 12:10 cachemgr.cgi
-rwxr-xr-x 1 henrik users 77200 Dec 18 12:11 digest_pw_auth
-rwxr-xr-x 1 henrik users 307366 Dec 18 11:58 diskd
-rwxr-xr-x 1 henrik users 71353 Dec 18 12:11 fakeauth_auth
-rwxr-xr-x 1 henrik users 60628 Dec 18 12:10 getpwname_auth
-rwxr-xr-x 1 henrik users 43333 Dec 18 12:11 ip_user_check
-rwxr-xr-x 1 henrik users 173621 Dec 18 12:11 msnt_auth
-rwxr-xr-x 1 henrik users 79498 Dec 18 12:11 ncsa_auth
-rwxr-xr-x 1 henrik users 5925 Dec 18 12:11 no_check.pl
-rwxr-xr-x 1 henrik users 178137 Dec 18 12:11 ntlm_auth
-rwxr-xr-x 1 henrik users 73580 Dec 18 12:11 pam_auth
-rwxr-xr-x 1 henrik users 75480 Dec 18 12:11 sasl_auth
-rwxr-xr-x 1 henrik users 63865 Dec 18 12:11 smb_auth
-rwxr-xr-x 1 henrik users 3962 Dec 18 12:11 smb_auth.pl
-rwxr-xr-x 1 henrik users 2280 Dec 18 12:11 smb_auth.sh
-rwxr-xr-x 1 henrik users 79150 Dec 18 12:10 squid_ldap_auth
-rwxr-xr-x 1 henrik users 52109 Dec 18 12:11 squid_ldap_group
-rwxr-xr-x 1 henrik users 36074 Dec 18 12:11 squid_unix_group
-rwxr-xr-x 1 henrik users 296072 Dec 18 12:10 unlinkd
-rwxr-xr-x 1 henrik users 85661 Dec 18 12:11 wb_auth
-rwxr-xr-x 1 henrik users 69776 Dec 18 12:11 wb_group
-rwxr-xr-x 1 henrik users 1331 Dec 18 12:11 wbinfo_group.pl
-rwxr-xr-x 1 henrik users 100015 Dec 18 12:11 wb_ntlmauth
-rwxr-xr-x 1 henrik users 74889 Dec 18 12:11 yp_auth
With these man pages
-rw-r--r-- 1 henrik users 2699 Dec 18 12:11 pam_auth.8
-rw-r--r-- 1 henrik users 3196 Dec 18 12:10 squid.8
-rw-r--r-- 1 henrik users 6405 Dec 18 12:10 squid_ldap_auth.8
-rw-r--r-- 1 henrik users 5261 Dec 18 12:11 squid_ldap_group.8
-rw-r--r-- 1 henrik users 1586 Dec 18 12:11 squid_unix_group.8
Regards
Henrik
Received on Sat Dec 20 2003 - 08:50:00 MST
This archive was generated by hypermail pre-2.1.9 : Thu Jan 01 2004 - 12:00:18 MST