Hello Kelly,
From the man page for squid_ldap_group:
-------------------------------------------------------------------------------------
-f filter
    LDAP search filter used to search the LDAP directory for any
    matching group memberships. In the filter %u will be replaced
    by the user login name (or DN if the -F or -u options are used)
    and %g by the requested group name.
-F filter
    LDAP search filter used to search the LDAP directory for any
    matching users. In the filter %s will be replaced by the user
    login name. If % is to be included literally in the filter then
    use %%.
-------------------------------------------------------------------------------------
The lower case dash f, "-f", is a filter used to match group records
from your LDAP database.
The upper case dash F, "-F", is a filter used to match user records from
your LDAP database.
As for the definition I defined and used here at KCL, I allow two
different styles of user name recognition when replying to a proxy
challenge. One is by the user's identifier (UID), the other is by the
user's E-Mail address.
-------------------------------------------------------------------------------------
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h ldap.komatsu.ca -p 389 -P -b o=komatsu -F "(|(uid=%s)(mail=%s))" -f "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"
-------------------------------------------------------------------------------------
If your LDAP schema uses a different tag for the user identifier than
"uid", you may want to consider using the "-F" option.
Hope this helps. Sorry for the delayed reply. Last week became quite
busy...
Tim
-----------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer Komatsu Canada Limited
Ph#: 905-625-6292 x265 1725B Sismet Road
Fax: 905-625-6348 Mississauga, Canada
E-Mail: tneto@komatsu.ca L4W 1P9
-----------------------------------------------------------
Kelly_Connor@gilbert.k12.az.us wrote:
>
>
>Hi Tim -
>
>Looking over what you sent me, I have made a few changes.
>
>First, I have taken port 21 out of Safe_ports, since I don't want free
>access to FTP downloads.
>
>What is going on in your squid_ldap_auth line? What is the difference
>between "-F" and "-f"? The man page does not even mention -F.
>
>I have modified my set thus far:
>
>
>------------
>external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b
>ou=techsvc,o=gps -D cn=squid,ou=global,o=gps -w <pass> -f
>"(&(cn=%s)(groupMembership=cn=RestrictedInternetAccess,ou=techsvc,o=gps))"
>-h FS-GPS1.GPS
>
>acl Restricted port 20 21 1025-65535
>
>acl RestrictedUsers external ldap_group RestrictedInternetAccess
>acl OpenUsers external ldap_group InternetAccess
>
>http_access allow Restricted OpenUsers
>http_access deny !Safe_ports
>------------
>
>Am I doing something wrong with the external_acl_type line?
>
>
>Kelly Connor
>Network Technician
>Gilbert Unified School District
>kelly_connor@gilbert.k12.az.us
>
>
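As an added illustration (not code from Tim's or Kelly's mail, and not squid's own helper source), the following Python script models the two-stage lookup the man page excerpt describes when both -F and -f are given: the login name from the proxy challenge fills %s in the -F filter, the matching user's DN then fills %u and the requested group name fills %g in the -f filter, and %% yields a literal percent sign. The -F and -f filters are the ones from Tim's external_acl_type line; the in-memory directory, the user names and the tiny filter evaluator are constructed for the example. The RFC 4515 escaping of the login name before it is spliced into the filter is shown as the defensive step a practitioner would expect; the page does not say which helper versions perform it.

```python
"""Model of squid_ldap_group's -F/-f two-stage lookup (example, not squid code)."""
import re

# -F and -f filters as given in Tim's external_acl_type line.
USER_FILTER = "(|(uid=%s)(mail=%s))"
GROUP_FILTER = "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

# Constructed toy directory standing in for o=komatsu: DN -> attributes.
DIRECTORY = {
    "uid=jdoe,ou=people,o=komatsu": {
        "objectclass": ["person"], "uid": ["jdoe"], "mail": ["jdoe@komatsu.ca"]},
    "uid=asmith,ou=people,o=komatsu": {
        "objectclass": ["person"], "uid": ["asmith"], "mail": ["asmith@komatsu.ca"]},
    "cn=InternetAccess,ou=groups,o=komatsu": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["InternetAccess"],
        "uniquemember": ["uid=jdoe,ou=people,o=komatsu"]},
}

# RFC 4515 metacharacters that must be escaped when a value is placed in a filter,
# so a login name cannot change the filter's structure (assumed defensive step).
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template, subs):
    """Expand %-sequences: %% -> '%', keys present in subs -> escaped value.

    Any other %x sequence is left untouched, so %s in an -f filter stays literal
    (only %u and %g are substituted there, per the man page excerpt).
    """
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt == "%":
                out.append("%")
                i += 2
                continue
            if nxt in subs:
                out.append(escape_filter_value(subs[nxt]))
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def _unescape(value):
    # Turn \XX hex escapes back into raw characters for equality comparison.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(f, i):
    """Parse one parenthesised element of a filter (only &, | and attr=value)."""
    if f[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if f[i] in "&|":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr.lower(), _unescape(value).lower()), end + 1


def _matches(node, attrs):
    if node[0] == "&":
        return all(_matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, attrs) for k in node[1])
    _, attr, value = node
    return value in [v.lower() for v in attrs.get(attr, [])]


def search(filter_str):
    """Return the DNs in the toy directory that match an expanded filter."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data in filter")
    return [dn for dn, attrs in DIRECTORY.items() if _matches(node, attrs)]


def is_group_member(login, group):
    """True/False for membership; None when -F finds no single user for login."""
    users = search(expand(USER_FILTER, {"s": login}))       # stage 1: -F, %s
    if len(users) != 1:
        return None
    dn = users[0]
    return bool(search(expand(GROUP_FILTER, {"u": dn, "g": group})))  # stage 2: -f


if __name__ == "__main__":
    for login in ("jdoe", "jdoe@komatsu.ca", "asmith", "nobody"):
        print(login, "->", is_group_member(login, "InternetAccess"))
```

Running the script shows the same user being accepted by either uid or mail address, which is the point of Tim's (|(uid=%s)(mail=%s)) choice, and shows that a login name containing filter metacharacters is escaped rather than becoming part of the filter's structure.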
Received on Mon Dec 06 2004 - 09:26:25 MST