> Hi,
>
> I have a problem with squid_ldap_auth.
> I use it to authorize against M$-AD, no problems so far.
> It all works with the following:
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "OU=Gebruikers,DC=domain,DC=org" -s sub -D "cn=administrator,ou=beheer,dc=domain,dc=org" -w "password" -h server -p 389 -v 3 -f sAMAccountName=%s
>
> Now I also want to check if the user is a member of an AD group, so I did
> the following:
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "OU=Gebruikers,DC=domain,DC=org" -s sub -D "cn=administrator,ou=beheer,dc=domain,dc=org" -w "password" -h server -f "(&(sAMAccountName=%s)(memberOf=CN=Internet-Users,OU=Gebruikers Groepen,OU=Gebruikers,DC=domain,DC=org))"
>
> This works great from the command line: a user who is a member gets OK
> and if you are not a member it shows ERR. This is what I want.
> I just can't get it to work from within squid. In the cache.log the
> following line appears when authenticating:
> squid_ldap_auth: WARNING, LDAP search error 'Bad search filter'
>
> I'm using squid/2.5.STABLE4 on solaris 9.
>
> Any help??
>
> Regards
> Martijn
>

I solved the problem by creating a wrapper around the squid_ldap_auth as the
space in the OU "Gebruikers Groepen" will not parse (IMHO).

The entry in squid.conf is now as follows:

auth_param basic program /usr/local/squid/libexec/wrapper_ldap_auth.sh

And the wrapper itself:

#!/usr/bin/ksh
# The shell passes the quoted filter, including the space in "Gebruikers Groepen", as a single argument
/usr/local/squid/libexec/squid_ldap_auth -b "OU=Gebruikers,DC=domain,DC=org" -s sub -D "cn=administrator,ou=beheer,dc=domain,dc=org" -w "password" -h server -f "(&(sAMAccountName=%s)(memberOf=CN=Internet-Users,OU=Gebruikers Groepen,OU=Gebruikers,DC=domain,DC=org))"

I know you should check for a member in a group instead of a group in a
member, but in AD the CN is mapped as a member and we use the sAMAccountName...

Greetz
Martijn
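A variant of the wrapper above, as an added example that is not part of the original post: it keeps the bind password out of the process argument list by using squid_ldap_auth's `-W secretfile` option and refuses to start when that file is group- or world-accessible. Assumptions: the installed helper build supports `-W`, the secret file path is hypothetical, and squid.conf calls the wrapper with a `--run` argument.

```shell
#!/bin/sh
# Added example, not the original poster's script.
HELPER=/usr/local/squid/libexec/squid_ldap_auth
# Hypothetical path: file holds the bind password, owned by the squid user, mode 600.
SECRET=${SECRET:-/usr/local/squid/etc/ldap_bind.secret}
BASE='OU=Gebruikers,DC=domain,DC=org'
BINDDN='cn=administrator,ou=beheer,dc=domain,dc=org'
GROUP='CN=Internet-Users,OU=Gebruikers Groepen,OU=Gebruikers,DC=domain,DC=org'

# Build the search filter for a group DN. The literal %s is left in place
# for squid_ldap_auth to replace with the login name.
build_filter() {
    printf '(&(sAMAccountName=%%s)(memberOf=%s))' "$1"
}

# Succeed only for a readable regular file with no group/other permission bits.
secret_is_private() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # the six group/other mode characters
    [ "$perms" = "------" ]
}

run_helper() {
    secret_is_private "$SECRET" || {
        echo "wrapper_ldap_auth: $SECRET is missing or not private" >&2
        return 1
    }
    # exec keeps Squid's stdin/stdout attached directly to the helper.
    # The quoted command substitution delivers the filter, space included,
    # as one argument.
    exec "$HELPER" -b "$BASE" -s sub -D "$BINDDN" -W "$SECRET" \
        -h server -f "$(build_filter "$GROUP")"
}

# Start the helper only when asked to, e.g. from squid.conf:
#   auth_param basic program /usr/local/squid/libexec/wrapper_ldap_auth.sh --run
if [ "${1:-}" = "--run" ]; then run_helper; fi
```

With `-w "password"` the bind password is visible to any local user who can list processes; with `-W` only the file path appears in the argument list.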
