Still not working... is there maybe a problem with the order of the ACLs? I don't think so, because if I remove Mitarbeiter from the http_access line, access is granted to all users with a valid password...

When I search with ldapsearch and the filter (objectClass=groupOfNames), nothing is returned. Is there a possibility to test squid_ldap_group from the command line? Or can I somehow print the values of %g, %u or %s?

Regards
Christoph

P.S. Here is a snip of my squid.conf:

.
.
.
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b dc=dhc-gmbh,dc=com -D [EMAIL PROTECTED] -w SeCrEt -f "(&(cn=%g)(member=%u)(objectClass=groupOfNames))" -F "(sAMAccountName=%s)" -h 192.168.38.10 -p 389
.
.
.
acl dhc src 192.168.38.0/255.255.255.0
# only Members of group 'Mitarbeiter' may access internet
acl Mitarbeiter external ldap_group Mitarbeiter
acl password proxy_auth REQUIRED
.
.
.
# Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
# Deny requests to unknown ports
http_access deny purge
# Deny CONNECT to other than SSL ports
http_access deny !Safe_ports
#
# We strongly recommend to uncomment the following to protect innocent
# web applications running on the proxy server who think that the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow password dhc Mitarbeiter

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
http_access deny CONNECT !SSL_ports

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 20, 2003 8:38 PM
To: Keppner, Christoph
Cc: '[EMAIL PROTECTED]'
Subject: RE: AW: AW: AW: [squid-users] squid_ldap_group authentication against Active Directory

On Sat, 20 Dec 2003, Keppner, Christoph wrote:

> This is my squid_ldap_group - command in squid.conf
>
> external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b
> dc=dhc-gmbh,dc=com -D [EMAIL PROTECTED] -w SeCrEt -f
> "(&(cn=Mitarbeiter)(member=uid=%u)) -F (sAMAccountName=%s) -h 192.168.42.10
> -p 389

The -f argument should be

  -f "(&(cn=%g)(member=%u)(objectClass=groupOfNames))"

The username has already been expanded into a full DN by the -F filter, and you want to be able to reuse the same external_acl_type for different group matches via the acl directive.

Regards
Henrik
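
Added example, not part of either message and not code from Squid: a small offline model of the two-step lookup discussed in this thread, where the -F filter turns the login into a DN and the -f filter is then evaluated with %g and %u. The directory entries, the DNs, the group's objectClass value and the RFC 4515 escaping of substituted values are assumptions made for illustration.

```python
import re

# Constructed sample directory (not from the thread): one user, one group.
USER_DN = "CN=Jane Doe,CN=Users,DC=example,DC=com"
DIRECTORY = [
    {"dn": USER_DN, "sAMAccountName": ["jdoe"], "objectClass": ["user"]},
    {"dn": "CN=Mitarbeiter,CN=Users,DC=example,DC=com", "cn": ["Mitarbeiter"],
     "member": [USER_DN], "objectClass": ["group"]},  # assumed objectClass value
]
TERM = re.compile(r"\(([^=()&|!]+)=([^()]*)\)")  # one (attr=value) equality term

def escape(value):
    """Escape filter metacharacters (RFC 4515) so a login cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def expand(template, **subs):
    """Substitute the %s / %u / %g placeholders with escaped values."""
    return re.sub(r"%([sug])", lambda m: escape(subs[m.group(1)]), template)

def search(ldap_filter):
    """Return entries matching every equality term (AND-only filters, as in the thread)."""
    terms = [(attr, unescape(val)) for attr, val in TERM.findall(ldap_filter)]
    return [e for e in DIRECTORY
            if all(any(val.lower() == x.lower() for x in e.get(attr, []))
                   for attr, val in terms)]

def check_group(login, group, group_filter, user_filter="(sAMAccountName=%s)"):
    """Model of the helper's decision: OK if the group filter matches, else ERR."""
    users = search(expand(user_filter, s=login))       # step 1: -F, login -> DN
    if not users:
        return "ERR"
    hits = search(expand(group_filter, g=group, u=users[0]["dn"]))  # step 2: -f
    return "OK" if hits else "ERR"

if __name__ == "__main__":
    for f in ("(&(cn=Mitarbeiter)(member=uid=%u))",                # first attempt
              "(&(cn=%g)(member=%u)(objectClass=groupOfNames))",   # suggested form
              "(&(cn=%g)(member=%u))"):                            # no class clause
        print(check_group("jdoe", "Mitarbeiter", f), f)
```

In this model the filter with the objectClass=groupOfNames clause returns ERR because no constructed entry carries that class, which is the same condition as an ldapsearch for (objectClass=groupOfNames) returning nothing: the group ACL can never match, so the http_access line is never satisfied.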
