Hi all,

I am using Squid and LDAP to control access to Internet via Proxy. I also am using squid_ldap_auth. I would like to separate my users into six groups, named UL1 to UL6. I would like to authenticate them against LDAP and, after that, grant or revoke permission to access http on the wild.

I am using a number of files and other hacking in order to have those goals accomplished, because Conectiva Linux 9 does not provide a Squid rpm with squid_ldap_group compiled in.

Now I have the time, the machine and a compilation of squid 2.5.STABLE3 with squid_ldap_group in my test lab machine. And I would like you to help me with using squid_ldap_group.

My squid.conf does have:

--FOR LDAP_AUTH--
    auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldap.intranet.dasa -b "ou=Users,o=DASA" -f "(&(internetAccess=enabled)(uid=%s))"
    auth_param basic children 15
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

--FOR LDAP_GROUP--
    external_acl_type LdapGroup %LOGIN /usr/lib/squid/squid_ldap_group -b ou=Groups,o=DASA -f (&(cn=%a)(memberUid=%v))

--FOR ACLs on AUTHENTICATION--
    acl AutorizedUser proxy_auth REQUIRED

--FOR ACLs on GROUP--
    acl Level1 external LdapGroup UL1
    acl Level1 external LdapGroup UL2
    acl Level1 external LdapGroup UL3
    acl Level1 external LdapGroup UL4
    acl Level1 external LdapGroup UL5
    acl Level1 external LdapGroup UL6

I already have groups UL1..8 created on ou=Groups,o=DASA, and my test users are placed in the memberUid correctly. Also, I proceeded with tests on the command line using squid_ldap_group until I became confident using it.

From my point of view, ldapsearch is running as expected and squid_ldap_group the same. So you may ask me "What is the problem?" And I will answer you that "I am not sure how to write the line for the external acl in squid.conf", because I did not find enough documentation.

Question: What are the parameters squid passes to squid_ldap_group?

I realized squid_ldap_group can use at least two parameters when running from the command line: user and group, and it parses user as %v and group as %a. If I use the acl like

    acl Level1 external LdapGroup UL1

will squid pass UL1 as the second parameter (group) to squid_ldap_group?

Question: If I have six groups (UL1 through UL6), is it correct to use the acl below to identify which group one pertains to?

    acl Level1 external LdapGroup UL1
    acl Level1 external LdapGroup UL2
    acl Level1 external LdapGroup UL3
    acl Level1 external LdapGroup UL4
    acl Level1 external LdapGroup UL5
    acl Level1 external LdapGroup UL6

Question: How can I control (is it possible?) the number of squid_ldap_group helper processes started automatically by squid?

Bye,

Fernando Maciel Souto Maior
[EMAIL PROTECTED]
http://www.araujo.com.br
+55+31 3270-5886
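
Added example (not part of the original post and not Squid's own code): a Python illustration of how a filter template like the one in the message expands for each group lookup, assuming %v is the user and %a the group as the post describes, with the substituted values escaped per RFC 4515 so a user name cannot alter the filter. The user name "fmaior" and the function names are hypothetical.

```python
# Added example: expanding a squid_ldap_group-style search filter template.
# Assumption (from the post): %v stands for the user, %a for the group.
# All function names and the sample user names below are constructed.

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one value so it is treated as data, not filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, user: str, group: str) -> str:
    """Single left-to-right pass: substituted text is never re-scanned,
    so a user name containing '%a' cannot pull in the group value."""
    subs = {"v": escape_filter_value(user), "a": escape_filter_value(group)}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in subs:
            out.append(subs[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


TEMPLATE = "(&(cn=%a)(memberUid=%v))"          # filter from the post
GROUPS = ["UL1", "UL2", "UL3", "UL4", "UL5", "UL6"]  # groups named in the ACLs


def filters_for(user: str) -> dict:
    """One filter per group name listed in the ACLs."""
    return {g: expand_filter(TEMPLATE, user, g) for g in GROUPS}


if __name__ == "__main__":
    for group, ldap_filter in filters_for("fmaior").items():
        print(group, ldap_filter)
    # A user name carrying filter metacharacters stays a single literal value.
    print(expand_filter(TEMPLATE, "x)(uid=*", "UL1"))
```
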