Joachim JS. Schuster wrote:
> -----Original Message-----
> From: Oliver Hookins [mailto:ohookins@gmail.com] 
> Sent: Wednesday, 12 January 2005 01:07
> To: squid-users@squid-cache.org
> Cc: Joachim JS. Schuster
> Subject: Re: [squid-users] authentication problem with squid_ldap_group
> 
> 
> Joachim JS. Schuster wrote:
> 
>>Joachim JS. Schuster wrote:
>>
>>
>>>Dear squid users,
>>>I need help with my authentication problem with squid_ldap_group.
>>>
>>>First I create an entry for squid_ldap_auth. I can log in and I have web
>>>access and it works fine.
>>>
>>>auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b
>>>"dc=mb,dc=local" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 
>>>-f "(&(sAMAccountName=%s)(objectClass=Person))" -h 192.168.3.1
>>>acl USERS proxy_auth REQUIRED
>>>
>>>http_access allow USERS
>>>
>>>In the next step I create these lines for my LDAP group access.
>>>
>>>external_acl_type ldapgroup concurrency=15 %LOGIN
>>>/usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f 
>>>"(&(cn=%g)(member=%u))" -F 
>>>"(&(sAMAccountName=%s)(objectClass=Person))" -D 
>>>"cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
>>>
>>>acl ldapproxygroup external ldapgroup webaccess
>>>
>>>http_access allow ldapproxygroup
>>>
>>>I can log in but I have no web access. I see the 407 error access denied
>>>in squid conf.
>>>
>>>When I execute
>>>
>>>heins:~ # /usr/sbin/squid_ldap_group -P -R -b
>>>"ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F 
>>>"(&(sAMAccountName=%s)(objectClass=Person))" -D 
>>>"cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
>>>cwm webaccess
>>>OK
>>>
>>>I get OK but the user cwm can't use the proxy.
>>
>>
>>Can you quote some of the logs that show the problem? Is the username
>>in the logs exactly as you are typing it on the command line? What I am 
>>getting at is that it might have the domain name attached to the 
>>username in which case you need the -S option for squid_ldap_group.
>>
>>Regards,
>>Oliver
>>
>>Sorry, I am new on this list. In which way must I contact you? By your 
>>mail address or via squid-users@squid-cache.org?
>>
>>The access.log entries:
>>1105494666.537      0 192.168.5.2 TCP_DENIED/407 2470 GET http://www.google.de/ - NONE/- text/html
>>1105494675.258     24 192.168.5.2 TCP_DENIED/403 2217 GET http://www.google.de/ cwm NONE/- text/html
>>
>>The username cwm is correct. I can add more users to the webaccess. I 
>>checked all the new users with the command line below and the test is 
>>OK.
>>/usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f 
>>"(&(cn=%g)(member=%u))" -F 
>>"(&(sAMAccountName=%s)(objectClass=Person))" -D  
>>"cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
>>
>>Regards
>>Joachim
>>
> 
> 
> Sorry, my mail program doesn't automatically reply to the list - yes you 
> should reply to the list unless you want to converse directly with one 
> of the members.
> 
> The only thing I could suggest is trying the -S parameter anyway. I 
> don't know any really good ways to find out what is happening, unless 
> you can write a test-program to replace squid_ldap_group that logs what 
> options and input were passed to it. It either works or it doesn't!
> 
> Regards,
> Oliver
> 
> Do you mean the -S (Strip NT domain from usernames) parameter?
> 
> Regards
> Joachim
Yes.
Oliver
Received on Tue Jan 11 2005 - 17:34:40 MST
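
The test program suggested in the thread, standing in for squid_ldap_group, written as an added example that is not part of the original messages: a Python wrapper that logs the options it was started with (bind password masked) and every line Squid sends, then relays each line to the real helper and logs the reply. The log path is an assumption, and `redact` and `relay` are names made up for this example.

```python
#!/usr/bin/env python3
"""Logging wrapper for a Squid external ACL helper (added example)."""
import subprocess
import sys
import time

# Path of the real helper, as given in the configuration quoted in the thread.
REAL_HELPER = "/usr/sbin/squid_ldap_group"
# Assumption: log location; must be writable by the user Squid runs as.
LOG_PATH = "/var/log/squid/ldap_group_debug.log"


def redact(argv):
    """Copy argv with the value after -w (the bind password) masked."""
    out, mask_next = [], False
    for arg in argv:
        out.append("********" if mask_next else arg)
        mask_next = (arg == "-w")
    return out


def relay(helper_cmd, requests, replies, log):
    """Pass each request line to the helper, log both directions, return the answers."""
    log.write("%.3f argv %r\n" % (time.time(), redact(helper_cmd)))
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True, bufsize=1)
    answers = []
    for line in requests:
        # repr() makes DOMAIN\user prefixes, %-escapes and stray whitespace visible
        log.write("%.3f squid->helper %r\n" % (time.time(), line))
        proc.stdin.write(line)
        proc.stdin.flush()
        answer = proc.stdout.readline()
        log.write("%.3f helper->squid %r\n" % (time.time(), answer))
        log.flush()
        if not answer:  # real helper exited; stop relaying
            break
        replies.write(answer)
        replies.flush()
        answers.append(answer.strip())
    proc.stdin.close()
    proc.wait()
    return answers


if __name__ == "__main__":
    with open(LOG_PATH, "a") as log_file:
        relay([REAL_HELPER] + sys.argv[1:], sys.stdin, sys.stdout, log_file)
```

To use it, point `external_acl_type` at this script in place of `/usr/sbin/squid_ldap_group` and keep the remaining arguments unchanged; the log then shows whether the username Squid passes matches the one typed in the manual test.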