Hi Henrik

On Tue 10Aug04 you wrote:

"If you do not need to specify different authorization for different groups and your directory allows direct filtering on group membership then there is no need for squid_ldap_group, only squid_ldap_auth"

Now, I want to try to authenticate and authorize a user member of internetOK. The base DN is CN=internetOK,OU=utenti,DC=advnet,DC=it and the users are stored in OU=utenti,DC=advnet,DC=it

When I have in my squid.conf:

auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b "ou=utenti,dc=advnet,dc=it" -u "CN" -d -v 3 -h "192.168.150.1:389" -D "CN=superadmin,CN=users,DC=advnet,DC=it" -w "pass"
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl autenticati proxy_auth REQUIRED
http_access allow autenticati

The authenticated users can access the internet. But if I try to control the membership, none of them have access to the internet:

auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b "ou=utenti,dc=advnet,dc=it" -u "CN" -f "(&(CN=internetOK)(objectClass=group)(member=cn=%u))" -d -v 3 -h "192.168.150.1:389" -D "CN=superadmin,CN=users,DC=advnet,DC=it" -w "pass"

I think the string is wrong, and I tried these -f search options:

-f (&(CN=%u)(objectClass=person)(memberOf=CN=internetOK,OU=utenti,DC=advnet,DC=it))
-f (&(CN=%g)(objectClass=internetOk)(member=CN=%u))

You told me to write this:

-f (&(CN=%g)(objectClass=groupOfPeople)(member=%u))

and I have a question:

1) Where do I write the name of the group "internetOK"?

-f (&(CN=%g)(objectClass=internetOK)(member=%u))
or
-f (&(CN=internetOK)(objectClass=group)(member=%u))

I tried to test the external helper squid_ldap_group from the DOS command line, but it doesn't work...

Thank you for your help,
Best Regards
Samantha

2)
>On Tue, 2 Nov 2004 [EMAIL PROTECTED] wrote:
>
>> external_acl_type ldap_group %LOGIN /Squid/libexec/squid_ldap_group.exe -u CN -b "OU=utenti,DC=bdcnet,DC=it" -d -f "(&(CN=%u)(objectClass=person)((memberOf=cn=internetOKnavigare,OU=utenti,DC=bdcnet,DC=it)))" -h 192.168.1.1:389
>
>This looks a little odd.. normally one uses a search filter looking for the
>group object where the user is member, not the person object having
>the group as membership attribute.
>
>In addition you should be using a %g at a suitable position in the filter for
>the group name..
>
>If continuing doing the lookup on the person object the filter should be
>something like the following:
>
>"(&(CN=%u)(objectClass=person)(memberOf=cn=%g,OU=utenti,DC=bdcnet,DC=it))"
>
>Or you could do it the LDAP way and look for a group object having the user as
>member. You then specify the exact same filter as used in
>squid_ldap_auth to the -F option of squid_ldap_group, and a suitable group
>filter to -f
>
> "(&(CN=%g)(objectClass=groupOfPeople)(member=%u))"
>
>(%u in the group search filter -f translates to the user's DN, not the login
>name when using the -F option)
>
>Regards
>Henrik
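
The two-step lookup described in the quoted reply (a user filter given to -F finds the user's DN, then the group filter given to -f is tested with %u set to that DN and %g to the group name), modelled as an added example that is not part of the original thread and not Squid's own code. The directory entries, the toy matcher and the function names are constructed for illustration, objectClass=group is an assumed class name for the sample group, and RFC 4515 escaping is included as the safe way to place a login name into a filter.

```python
import re

# Constructed sample directory (not real data): DN -> attributes.
DIRECTORY = {
    "CN=samantha,OU=utenti,DC=advnet,DC=it": {
        "cn": ["samantha"], "objectclass": ["person"]},
    "CN=mario,OU=utenti,DC=advnet,DC=it": {
        "cn": ["mario"], "objectclass": ["person"]},
    "CN=internetOK,OU=utenti,DC=advnet,DC=it": {
        "cn": ["internetOK"], "objectclass": ["group"],
        "member": ["CN=samantha,OU=utenti,DC=advnet,DC=it"]},
}

def escape(value):
    """RFC 4515 escaping so a login name cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape(value):
    """Undo RFC 4515 escaping before comparing against attribute values."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def expand(template, **subst):
    """Replace %s / %u / %g placeholders with escaped values."""
    return re.sub(r"%([sug])", lambda m: escape(subst[m.group(1)]), template)

def search(ldap_filter):
    """Toy matcher: flat (&(attr=value)...) filters, exact match only."""
    terms = [(a.lower(), unescape(v).lower())
             for a, v in re.findall(r"\(([^()=&|!]+)=([^()]*)\)", ldap_filter)]
    return [dn for dn, attrs in DIRECTORY.items()
            if all(v in [x.lower() for x in attrs.get(a, [])]
                   for a, v in terms)]

def is_member(login, group, user_filter, group_filter):
    """Step 1: user filter finds the DN. Step 2: group filter tests that DN."""
    dns = search(expand(user_filter, s=login))
    if len(dns) != 1:          # unknown or ambiguous login: deny
        return False
    return bool(search(expand(group_filter, u=dns[0], g=group)))

USER_FILTER = "(&(CN=%s)(objectClass=person))"              # role of -F
GROUP_FILTER = "(&(CN=%g)(objectClass=group)(member=%u))"   # role of -f
```

The group name never appears in the filter text itself: it is passed in for %g, which in Squid comes from the acl line that references the external_acl_type.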