Re: [squid-users] squid_ldap_group : need help for setting up time and group restriction ACLs...

From: François Bastien <frabas_at_gmail.com>
Date: Thu, 16 Dec 2010 08:11:19 +0100

Yep. You're right...

But we'll use the workaround for a while since the usernames do not
contain special characters. (Only the Display Name for some users like
me does contain these special characters.)

François

On Wed, Dec 15, 2010 at 10:36 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On Wed, 15 Dec 2010 14:06:59 +0100, François Bastien wrote:
>> So, in the end I'll be using Amos' settings so I can manage only one group:
>>
>> http_access allow ldapgroup-unrestricted
>> http_access deny work_unrelated !acl_lunchbreak_time
>> http_access allow authenticated
>> http_access deny all
>>
>> I'm currently at the next step: debugging... And I found something
>> quite interesting:
>>
>> aclMatchExternal: ldapgroup("domain%5Cuser unrestricted") = lookup needed
>> aclMatchAclList: no match, returning 0
>> externalAclLookup: lookup in 'ldapgroup' for 'domain%5Cuser unrestricted'
>> externalAclHandleReply: reply="ERR"
>>
>> So it seems that the username given to the squid_ldap_group helper is
>> wrong because of the "%5C".
>> Maybe I should strip the domain\ from the username?
>
> Aha. The line fields are URL-encoded according to RFC 1738 specs. The
> helper is supposed to decode. You can drop the domain for a workaround, but
> there may be users with special letters or punctuation in their names which
> hit this as well (i.e. the "c" in your first name).
>
> Amos
>
>
Received on Thu Dec 16 2010 - 07:11:27 MST
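
The decoding step discussed in the thread, as an added example that is not part of the original messages or Squid's own helper code: a C routine that splits a helper request line, decodes the %XX escapes in each field, rejects malformed escapes and %00, and returns the login after any DOMAIN\ prefix. The function names and the line layout (user, space, group) are assumptions based on the debug output quoted above.

```c
#include <stdio.h>
#include <string.h>
/* Added example: function names are illustrative, not Squid's helper code. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes in place. Returns -1 on a truncated or non-hex escape,
 * or on %00, which would silently truncate the name passed to LDAP. */
int field_unescape(char *s)
{
    char *out = s;
    while (*s) {
        if (*s != '%') { *out++ = *s++; continue; }
        int hi = hexval((unsigned char)s[1]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)s[2]);
        if (lo < 0 || (hi == 0 && lo == 0)) return -1;
        *out++ = (char)(hi * 16 + lo);
        s += 3;
    }
    *out = '\0';
    return 0;
}

/* Split on the first raw space (spaces inside a field arrive as %20), decode
 * both fields, return the login after any "DOMAIN\" prefix; NULL if malformed. */
const char *parse_request(char *line, char **group)
{
    line[strcspn(line, "\r\n")] = '\0';
    char *sp = strchr(line, ' ');
    if (!sp) return NULL;
    *sp = '\0'; *group = sp + 1;
    if (field_unescape(line) < 0 || field_unescape(*group) < 0) return NULL;
    char *bs = strchr(line, '\\');
    return bs ? bs + 1 : line;
}

int main(void)
{
    char line[] = "domain%5Cuser unrestricted";  /* constructed from the log above */
    char *group;
    const char *user = parse_request(line, &group);
    if (!user) { puts("ERR"); return 1; }
    printf("user=%s group=%s\n", user, group);
}
```

Splitting before decoding keeps an encoded space or backslash inside a name from being mistaken for a field separator.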
