Re: [squid-users] squid_ldap_group with novell ldap
On Sat, 12 Feb 2005, Adrian Malaguti wrote:

> They are using squid_ldap_auth and squid_ldap_group modules. It seems to
> be a problem with group membership attributes; the value of the member
> attribute returned by the two ldap servers is different.
>
> When querying openldap it returns:
>
> # g_http_internet, poderjudicial, gub, uy
> dn: cn=g_http_internet, dc=poderjudicial,dc=gub,dc=uy
> objectClass: groupOfNames
> objectClass: top
> member: cn=csomma

This is not a correct member of a groupOfNames.. the member should be the
full DN of the member user, not just the CN.

> But when querying eDir LDAP it returns:
>
> # g_http_internet, poderjudicial
> dn: cn=g_http_internet,o=poderjudicial
> objectClass: groupOfNames
> objectClass: Top
> member: cn=csomma,ou=divTec,ou=dgsa,ou=scj,o=poderjudicial

Looks good.

> This is the current configuration with openldap (which works fine), but
> doesn't work with eDir LDAP.
>
> #external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_group -d -b dc=poderjudicial,dc=gub,dc=uy -B dc=poderjudicial,dc=gub,dc=uy -h localhost -f (&(objectclass=groupOfNames)(cn=%a)(member=cn=%u))

You need to use the -F flag to tell squid_ldap_group how to find the user
from the login name. Same as the -f flag to squid_ldap_auth.

Note that the -f flag needs to be changed somewhat by removing any DN
components from the member attribute match (member=%u instead of
member=cn=%u).

For clarity I would recommend using %g instead of %a. Especially
considering you are already using %u for the user.. (initial version of
squid_ldap_group used %a/%v, current versions use %g/%u but also support
the older codes..)

Regards
Henrik
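To make Henrik's point concrete, here is an added simulation of the two-step lookup he describes (an -F user search that turns the login into a DN, then the -f group filter with member=%u). It is example code written for this thread, not squid's own helper: the directory entries are constructed from the two ldapsearch results above plus an assumed user object (objectClass inetOrgPerson), the -F pattern `(&(objectclass=inetOrgPerson)(cn=%s))` is an assumption, the filter evaluator only understands `&` and equality assertions, and the RFC 4515 escaping of the login before it is spliced into a filter is added as the defensive practice a helper should follow, not a claim about what squid_ldap_group does.

```python
"""Simulate squid_ldap_group's lookup: an optional -F user search first,
then the -f group filter with %u/%g substituted.  Added example, not
squid's own code; only '&' and equality assertions are supported."""

import re

# Constructed directory: the two groups mirror the ldapsearch output in
# the thread; the user entry and its objectClass are assumed.
DIRECTORY = [
    {"dn": "cn=g_http_internet,dc=poderjudicial,dc=gub,dc=uy",   # OpenLDAP
     "objectclass": ["groupOfNames", "top"],
     "cn": ["g_http_internet"],
     "member": ["cn=csomma"]},                                   # bare CN, not a DN
    {"dn": "cn=g_http_internet,o=poderjudicial",                 # eDirectory
     "objectclass": ["groupOfNames", "Top"],
     "cn": ["g_http_internet"],
     "member": ["cn=csomma,ou=divTec,ou=dgsa,ou=scj,o=poderjudicial"]},
    {"dn": "cn=csomma,ou=divTec,ou=dgsa,ou=scj,o=poderjudicial", # assumed user
     "objectclass": ["inetOrgPerson", "top"],
     "cn": ["csomma"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping, so a login such as 'csomma)(cn=*' cannot change
    the structure of the filter it is substituted into."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def unescape(value):
    """Undo RFC 4515 \\xx escapes once the filter has been parsed."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def normalize(value):
    """Case-fold and drop spaces around RDN separators (simplified
    equality; a real server applies the attribute's matching rule)."""
    return re.sub(r'\s*,\s*', ',', value.strip()).lower()

def parse_filter(text):
    """Parse '(&(a=v)(b=w))' or '(a=v)' into ('and', [...]) / ('eq', a, v)."""
    text = text.strip()
    if not (text.startswith('(') and text.endswith(')')):
        raise ValueError('filter must be parenthesised: %r' % text)
    body = text[1:-1]
    if body.startswith('&'):
        parts, depth, start = [], 0, None
        for i, ch in enumerate(body[1:], 1):
            if ch == '(':
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ')':
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(body[start:i + 1]))
        if depth != 0 or not parts:
            raise ValueError('unbalanced filter: %r' % text)
        return ('and', parts)
    attr, sep, value = body.partition('=')   # first '=' splits attr from value
    if not sep:
        raise ValueError('only equality assertions supported: %r' % text)
    return ('eq', attr.strip().lower(), unescape(value))

def matches(entry, node):
    if node[0] == 'and':
        return all(matches(entry, sub) for sub in node[1])
    _, attr, value = node
    return any(normalize(v) == normalize(value) for v in entry.get(attr, []))

def search(base, scope, flt):
    """Entries at/under base ('base' or 'sub' scope) matching the filter."""
    node, base_n = parse_filter(flt), normalize(base)
    hits = []
    for entry in DIRECTORY:
        dn = normalize(entry['dn'])
        in_scope = dn == base_n or (scope == 'sub' and dn.endswith(',' + base_n))
        if in_scope and matches(entry, node):
            hits.append(entry)
    return hits

def check_group(login, group, user_base, user_filter, group_base, group_filter, scope='sub'):
    """With a -F pattern (%s = login) the login is first resolved to its DN
    and %u becomes that DN; without one %u is the raw login.
    Returns (allowed, final group filter or None)."""
    user = escape_filter_value(login)
    if user_filter:
        found = search(user_base, scope, user_filter.replace('%s', user))
        if len(found) != 1:          # unknown or ambiguous login: deny
            return False, None
        user = escape_filter_value(found[0]['dn'])
    flt = group_filter.replace('%g', escape_filter_value(group)).replace('%u', user)
    return bool(search(group_base, scope, flt)), flt

# Adrian's original -f filter, and the member=%u form Henrik recommends.
ORIGINAL_FILTER = '(&(objectclass=groupOfNames)(cn=%g)(member=cn=%u))'
FIXED_FILTER = '(&(objectclass=groupOfNames)(cn=%g)(member=%u))'
USER_FILTER = '(&(objectclass=inetOrgPerson)(cn=%s))'   # assumed -F pattern

def demo():
    """Replay the thread: original filter on each server, then the -F fix."""
    openldap_ok, _ = check_group('csomma', 'g_http_internet', None, None,
                                 'dc=poderjudicial,dc=gub,dc=uy', ORIGINAL_FILTER)
    edir_old, _ = check_group('csomma', 'g_http_internet', None, None,
                              'o=poderjudicial', ORIGINAL_FILTER)
    edir_new, flt = check_group('csomma', 'g_http_internet', 'o=poderjudicial',
                                USER_FILTER, 'o=poderjudicial', FIXED_FILTER)
    return openldap_ok, edir_old, edir_new, flt
```

Calling `demo()` returns `(True, False, True, ...)`: the original `member=cn=%u` filter only works against the OpenLDAP group because that group stores a bare CN, it fails against eDirectory where member holds the full DN, and the -F lookup plus `member=%u` makes the eDirectory case pass with the user's DN spliced in. The escaping step is what keeps a login containing `)` or `*` from rewriting the filter; with it, such a login simply resolves to no user and is denied.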
[squid-users] squid_ldap_group with novell ldap
Hi,

I'm seeking some Squid or ldap guru help! We are working in a customer site
trying to configure Squid authentication to eDirectory LDAP using group
membership. The current implementation is working fine with openldap, but
when we try eDirectory LDAP it fails.

They are using squid_ldap_auth and squid_ldap_group modules. It seems to be
a problem with group membership attributes; the value of the member
attribute returned by the two ldap servers is different.

When querying openldap it returns:

# g_http_internet, poderjudicial, gub, uy
dn: cn=g_http_internet, dc=poderjudicial,dc=gub,dc=uy
objectClass: groupOfNames
objectClass: top
member: cn=csomma

But when querying eDir LDAP it returns:

# g_http_internet, poderjudicial
dn: cn=g_http_internet,o=poderjudicial
objectClass: groupOfNames
objectClass: Top
member: cn=csomma,ou=divTec,ou=dgsa,ou=scj,o=poderjudicial

This is the current configuration with openldap (which works fine), but
doesn't work with eDir LDAP.

#external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_group -d -b dc=poderjudicial,dc=gub,dc=uy -B dc=poderjudicial,dc=gub,dc=uy -h localhost -f (&(objectclass=groupOfNames)(cn=%a)(member=cn=%u))

Forcing member= to the full distinguished name, it works, but here the
problem is with sub-level contexts under o=poderjudicial.

external_acl_type ldap_group_helper %LOGIN /usr/local/squid/libexec/squid_ldap_group -d -b o=poderjudicial -B o=poderjudicial -s sub -h 10.0.3.61 -f (&(objectclass=groupOfNames)(cn=%a)(member=cn=%u,o=poderjudicial))

Is there a way to put something in the filter like member=fdn, or
member=%u*? We tried with -F also but it doesn't work. Or setting the
filter to match the full distinguished name?

Thanks !!
Adrian.