Re: [squid-users] Help squid_ldap_group W32
Hi Henrik,

On Tue 10Aug04 you wrote:

> If you do not need to specify different authorization for different groups and your directory allows direct filtering on group membership then there is no need for squid_ldap_group, only squid_ldap_auth.

Now I want to try to authenticate and authorize a user who is a member of internetOK. The base DN is CN=internetOK,OU=utenti,DC=advnet,DC=it and the users are stored in OU=utenti,DC=advnet,DC=it.

When I have this in my squid.conf:

auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b ou=utenti,dc=advnet,dc=it -u CN -d -v 3 -h 192.168.150.1:389 -D CN=superadmin,CN=users,DC=advnet,DC=it -w pass
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl autenticati proxy_auth REQUIRED
http_access allow autenticati

the authenticated users can access the internet. But if I try to control the membership, nobody has access to the internet:

auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b ou=utenti,dc=advnet,dc=it -u CN -f (&(CN=internetOK)(objectClass=group)(member=cn=%u)) -d -v 3 -h 192.168.150.1:389 -D CN=superadmin,CN=users,DC=advnet,DC=it -w pass

I think the string is wrong, and I tried these -f search options:

-f (&(CN=%u)(objectClass=person)(memberOf=CN=internetOK,OU=utenti,DC=advnet,DC=it))
-f (&(CN=%g)(objectClass=internetOk)(member=CN=%u))

You told me to write this:

-f (&(CN=%g)(objectClass=groupOfPeople)(member=%u))

and I have a question:

1) Where do I write the name of the group internetOK?

-f (&(CN=%g)(objectClass=internetOK)(member=%u))

or

-f (&(CN=internetOK)(objectClass=group)(member=%u))

I tried to test the external helper squid_ldap_group from the DOS command line, but it doesn't work...

Thank you for your help,
Best Regards
Samantha

2)

On Tue, 2 Nov 2004 [EMAIL PROTECTED] wrote:

> > external_acl_type ldap_group %LOGIN /Squid/libexec/squid_ldap_group.exe -u CN -b OU=utenti,DC=bdcnet,DC=it -d -f (&(CN=%u)(objectClass=person)((memberOf=cn=internetOKnavigare,OU=utenti,DC=bdcnet,DC=it))) -h 192.168.1.1:389
>
> This looks a little odd.. normally one uses a search filter looking for the group object where the user is member, not the person object having the group as membership attribute.
>
> In addition you should be using a %g at a suitable position in the filter for the group name..
>
> If continuing doing the lookup on the person object the filter should be something like the following:
>
> (&(CN=%u)(objectClass=person)(memberOf=cn=%g,OU=utenti,DC=bdcnet,DC=it))
>
> Or you could do it the LDAP way and look for a group object having the user as member. You then specify the exact same filter as used in squid_ldap_auth to the -F option of squid_ldap_group, and a suitable group filter to -f
>
> (&(CN=%g)(objectClass=groupOfPeople)(member=%u))
>
> (%u in the group search filter -f translates to the users DN, not the login name when using the -F option)
>
> Regards
> Henrik

-
NEW INTERFREE WEBMAIL!
Starting today Interfree offers all its users a brand-new WebMail service, among the most advanced, with professional quality that is continuously renewed:
- Antivirus check
- Antispam filter
- Configuration of external accounts
- Free access to InterDrive, where you can save and organise your files from any computer at any time ...
Sign up for free at http://www.interfree.it and try the new service!
The Interfree Staff
-
Re: [squid-users] Help squid_ldap_group W32
On Wed, 3 Nov 2004 [EMAIL PROTECTED] wrote:

> auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b ou=utenti,dc=advnet,dc=it -u CN -f (&(CN=internetOK)(objectClass=group)(member=cn=%u)) -d -v 3 -h 192.168.150.1:389 -D CN=superadmin,CN=users,DC=advnet,DC=it -w pass

to squid_ldap_auth you MUST specify a filter looking for Person objects.

I would recommend you to explore your LDAP directory a little using ldapsearch or a LDAP browser of your choice. Things really do get a little easier if you know what the filters are supposed to look for..

user search filters (-f to squid_ldap_auth, and consequently -F to squid_ldap_auth) look for the person object.

group search filters (-f to squid_ldap_group) usually look for a matching group object. The job of squid_ldap_group is only to determine: is this login name a member of group X?

> I think the string is wrong, and I try with this -f search options:
>
> -f (&(CN=%u)(objectClass=person)(memberOf=CN=internetOK,OU=utenti,DC=advnet,DC=it))
> -f (&(CN=%g)(objectClass=internetOk)(member=CN=%u))

The first looks fine for squid_ldap_auth

The second is incorrect in both the object class and member parts.

> You said me to write this:
>
> -f (&(CN=%g)(objectClass=groupOfPeople)(member=%u))

to squid_ldap_group yes, in combination with -F (capital F) having the exact same argument as you had to -f of squid_ldap_auth. But please verify the objectClass of the group objects in your directory.

> I try to test a external helper squid_ldap_group from dos command line, but it doesn't work...

It does work from command line. This helper expects

username groupname

as input.

Regards
Henrik
Re: [squid-users] Help squid_ldap_group W32
Hi,

At 11.18 03/11/2004, Henrik Nordstrom wrote:

> On Wed, 3 Nov 2004 [EMAIL PROTECTED] wrote:
>
> > auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b ou=utenti,dc=advnet,dc=it -u CN -f (&(CN=internetOK)(objectClass=group)(member=cn=%u)) -d -v 3 -h 192.168.150.1:389 -D CN=superadmin,CN=users,DC=advnet,DC=it -w pass
>
> to squid_ldap_auth you MUST specify a filter looking for Person objects.
>
> I would recommend you to explore your LDAP directory a little using ldapsearch or a LDAP browser of your choice. Things really do get a little easier if you know what the filters are supposed to look for..
>
> user search filters (-f to squid_ldap_auth, and consequently -F to squid_ldap_auth) look for the person object.
>
> group search filters (-f to squid_ldap_group) usually look for a matching group object. The job of squid_ldap_group is only to determine: is this login name a member of group X?
>
> > I think the string is wrong, and I try with this -f search options:
> >
> > -f (&(CN=%u)(objectClass=person)(memberOf=CN=internetOK,OU=utenti,DC=advnet,DC=it))
> > -f (&(CN=%g)(objectClass=internetOk)(member=CN=%u))
>
> The first looks fine for squid_ldap_auth
>
> The second is incorrect in both the object class and member parts.
>
> > You said me to write this:
> >
> > -f (&(CN=%g)(objectClass=groupOfPeople)(member=%u))
>
> to squid_ldap_group yes, in combination with -F (capital F) having the exact same argument as you had to -f of squid_ldap_auth. But please verify the objectClass of the group objects in your directory.
>
> > I try to test a external helper squid_ldap_group from dos command line, but it doesn't work...
>
> It does work from command line. This helper expects
>
> username groupname
>
> as input.
>
> Regards
> Henrik

Some words about LDAP support on Windows:

squid_ldap_auth and squid_ldap_group were developed and tested using OpenLDAP on *nix platforms. On Windows 2000 and later the support for LDAP is native and seems to be compatible with LDAP standards.

But during the helpers' port I have found that the Microsoft LDAP implementation is slightly different between Windows 2000 and Windows XP/2003; for example TLS support is not available on W2K.

I have made some basic testing of both helpers and they seem to work (better on Windows 2003), but I'm not totally sure that they work on Windows 2000 in exactly the same manner as using OpenLDAP on *nix.

Henrik: is it possible to identify a standard test bed for the LDAP helpers, to test whether they are working as expected? This could be very useful with any other LDAP implementation like Netscape/Sun LDAP.

Regards

Guido

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Gorizia, 69
10136 - Torino - ITALY
Tel. : +39.011.3249426
Fax. : +39.011.3293665
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
Re: [squid-users] Help squid_ldap_group W32
On Wed, 3 Nov 2004, Serassio Guido wrote:

> Henrik: is it possible to identify a standard test bed for the LDAP helpers, to test whether they are working as expected? This could be very useful with any other LDAP implementation like Netscape/Sun LDAP.

There is very little that can fail between different LDAP APIs if the helpers compile. The LDAP C API is quite well defined.

It is not trivial to make a test bed as this requires all the relevant LDAP servers in the mix to verify that the LDAP implementations interoperate properly in all combinations.

Regards
Henrik
[squid-users] Help squid_ldap_group W32
Hi all,

I'm trying to work with squid on a Windows 2K server, and I have users in an LDAP tree. My goal is to have two groups: internetOK has access to the internet and internetNO doesn't.

In my squid.conf I have:

auth_param basic program /Squid/libexec/squid_ldap_auth.exe -u cn -b ou=utenti,dc=bdcnet,dc=it -D cn=superadmin,cn=users,dc=bdcnet,dc=it -w pass -d -v 3 -h 192.168.1.1:389
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type ldap_group %LOGIN /Squid/libexec/squid_ldap_group.exe -u CN -b OU=utenti,DC=bdcnet,DC=it -d -f (&(CN=%u)(objectClass=person)((memberOf=cn=internetOKnavigare,OU=utenti,DC=bdcnet,DC=it))) -h 192.168.1.1:389

acl internetgroup external ldap_group internetOK
acl NOinternet external ldap_group internetNO
acl autenticati proxy_auth REQUIRED

http_access deny autenticati NOinternet
http_access allow autenticati internetgroup
http_access deny all

The basic authentication works well for me, but the membership authorization doesn't work.

For the external_acl_type I tried different LDAP search strings, but none seems to work, for example:

external_acl_type ldap_group squid_ldap_group.exe -u CN -b OU=utenti,DC=bdcnet,DC=it -d -D cn=superadmin,cn=users,dc=bdcnet,dc=it -w pass -f (&(cn=%u)(|(memberOf=cn=internetOK,OU=utenti,DC=bdcnet,DC=it)(memberOf=cn=internetNO,OU=utenti,DC=bdcnet,DC=it))) -h 192.168.1.1:389 -D cn=superadmin,cn=users,dc=bdcnet,dc=it -w pass

What are the right parameters for the -f option in squid_ldap_group?

Thanks in advance, and Best Regards
Samantha Raffaele
Re: [squid-users] Help squid_ldap_group W32
On Tue, 2 Nov 2004 [EMAIL PROTECTED] wrote:

> external_acl_type ldap_group %LOGIN /Squid/libexec/squid_ldap_group.exe -u CN -b OU=utenti,DC=bdcnet,DC=it -d -f (&(CN=%u)(objectClass=person)((memberOf=cn=internetOKnavigare,OU=utenti,DC=bdcnet,DC=it))) -h 192.168.1.1:389

This looks a little odd.. normally one uses a search filter looking for the group object where the user is member, not the person object having the group as membership attribute.

In addition you should be using a %g at a suitable position in the filter for the group name..

If continuing doing the lookup on the person object the filter should be something like the following:

(&(CN=%u)(objectClass=person)(memberOf=cn=%g,OU=utenti,DC=bdcnet,DC=it))

Or you could do it the LDAP way and look for a group object having the user as member. You then specify the exact same filter as used in squid_ldap_auth to the -F option of squid_ldap_group, and a suitable group filter to -f

(&(CN=%g)(objectClass=groupOfPeople)(member=%u))

(%u in the group search filter -f translates to the users DN, not the login name when using the -F option)

Regards
Henrik
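The two lookup strategies Henrik describes in this reply and in his later one (a single search on the person object's memberOf attribute, or the -F user filter followed by a -f group filter in which %u has become the user's DN), worked through as an added example. This is not squid's code and not code from anyone in the thread: the in-memory directory, the DNs, the objectClass values (person/group) and every function name are constructed assumptions; the filter parser handles only the AND/OR/equality shapes used in the thread. It also shows why a login name must be escaped (RFC 4515) before it is substituted into a filter, which is the check to make before a helper like this sees arbitrary usernames from a proxy login.

```python
"""Added example: squid_ldap_group-style %u/%g filter expansion and group
lookup against a constructed sample directory.  Not squid's own code."""
import re

BASE = 'OU=utenti,DC=advnet,DC=it'

# Constructed sample directory (attribute names lower-cased, values as lists).
DIRECTORY = [
    {'dn': 'CN=samantha,OU=utenti,DC=advnet,DC=it', 'cn': ['samantha'],
     'objectclass': ['person'],
     'memberof': ['CN=internetOK,OU=utenti,DC=advnet,DC=it']},
    {'dn': 'CN=mario,OU=utenti,DC=advnet,DC=it', 'cn': ['mario'],
     'objectclass': ['person'],
     'memberof': ['CN=internetNO,OU=utenti,DC=advnet,DC=it']},
    {'dn': 'CN=internetOK,OU=utenti,DC=advnet,DC=it', 'cn': ['internetOK'],
     'objectclass': ['group'],       # assumed objectClass; verify in your tree
     'member': ['CN=samantha,OU=utenti,DC=advnet,DC=it']},
    {'dn': 'CN=internetNO,OU=utenti,DC=advnet,DC=it', 'cn': ['internetNO'],
     'objectclass': ['group'],
     'member': ['CN=mario,OU=utenti,DC=advnet,DC=it']},
]

def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)

def ldap_unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)

def expand(template, escape=True, **subs):
    """Replace %u and %g in a filter template with the supplied values."""
    def repl(m):
        val = subs[m.group(1)]
        return ldap_escape(val) if escape else val
    return re.sub(r'%([ug])', repl, template)

def parse(filt, i=0):
    """Tiny parser for (&...), (|...) and (attr=value) filters."""
    assert filt[i] == '('
    i += 1
    if filt[i] in '&|':
        op, kids, i = filt[i], [], i + 1
        while filt[i] != ')':
            node, i = parse(filt, i)
            kids.append(node)
        return (op, kids), i + 1
    j = filt.index(')', i)            # safe: ')' inside values is escaped
    attr, _, val = filt[i:j].partition('=')
    return ('=', attr.lower(), val), j + 1

def matches(node, entry):
    if node[0] == '&':
        return all(matches(k, entry) for k in node[1])
    if node[0] == '|':
        return any(matches(k, entry) for k in node[1])
    _, attr, val = node
    # a raw '*' in the filter is a wildcard; an escaped \2a is a literal star
    pattern = '^' + '.*'.join(re.escape(ldap_unescape(p))
                               for p in val.split('*')) + '$'
    return any(re.match(pattern, v, re.I) for v in entry.get(attr, []))

def search(base, filt, directory=DIRECTORY):
    node, _ = parse(filt)
    return [e for e in directory
            if e['dn'].lower().endswith(base.lower()) and matches(node, e)]

# -F: the same person filter squid_ldap_auth uses.  -f: the group filter.
USER_FILTER = '(&(CN=%u)(objectClass=person))'
GROUP_FILTER = '(&(CN=%g)(objectClass=group)(member=%u))'
# Alternative from the thread: look up the person object and its memberOf.
PERSON_GROUP_FILTER = '(&(CN=%u)(objectClass=person)(memberOf=cn=%g,' + BASE + '))'

def is_member(login, group):
    """The 'LDAP way': find the user's DN, then search for a group listing it."""
    users = search(BASE, expand(USER_FILTER, u=login))
    if len(users) != 1:
        return False
    return bool(search(BASE, expand(GROUP_FILTER, g=group, u=users[0]['dn'])))

def is_member_via_memberof(login, group):
    """Person-object variant: one search on the user's memberOf attribute."""
    return bool(search(BASE, expand(PERSON_GROUP_FILTER, u=login, g=group)))

def helper_line(line):
    """Emulate the helper's stdin protocol: 'username groupname' -> OK/ERR."""
    login, group = line.split()
    return 'OK' if is_member(login, group) else 'ERR'

if __name__ == '__main__':
    for line in ('samantha internetOK', 'samantha internetNO', 'mario internetNO'):
        print(line, '->', helper_line(line))
    # Unescaped substitution turns a login of '*' into a wildcard match:
    print(len(search(BASE, expand(USER_FILTER, u='*'))),
          len(search(BASE, expand(USER_FILTER, escape=False, u='*'))))
```

Both strategies give the same answer for the same directory; the difference is which side of the membership relation is queried, and the -F variant is the one that works when the directory does not maintain a memberOf attribute on person entries. The last two lines of the main block are the point about escaping: with escaping, a login of "*" matches nobody; without it, the same login matches every person under the base.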