On Wed, 3 Nov 2004 [EMAIL PROTECTED] wrote:

> auth_param basic program /Squid/libexec/squid_ldap_auth.exe -b "ou=utenti,dc=advnet,dc=it" -u "CN" -f "(&(CN=internetOK)(objectClass=group)(member=cn=%u))" -d -v 3 -h "192.168.150.1:389" -D "CN=superadmin,CN=users,DC=advnet,DC=it" -w "pass"

To squid_ldap_auth you MUST specify a filter looking for Person objects.

I would recommend that you explore your LDAP directory a little using ldapsearch or an LDAP browser of your choice. Things really do get a little easier if you know what the filters are supposed to look for.


User search filters (-f to squid_ldap_auth, and consequently -F to squid_ldap_auth) look for the person object.


Group search filters (-f to squid_ldap_group) usually look for a matching group object. The job of squid_ldap_group is only to determine "is this login name member of groups X"

> I think the string is wrong, and I try with these -f search options:
>
> -f (&(CN=%u)(objectClass=person)(memberOf=CN=internetOK,OU=utenti,DC=advnet,DC=it))
> -f (&(CN=%g)(objectClass=internetOk)(member=CN=%u))

The first looks fine for squid_ldap_auth.

The second is incorrect in both the object class and member parts.

> You told me to write this:
>
> -f (&(CN=%g)(objectClass=groupOfPeople)(member=%u))

To squid_ldap_group, yes, in combination with -F (capital F) having the exact same argument as you had to -f of squid_ldap_auth. But please verify the objectClass of the group objects in your directory.


> I try to test an external helper squid_ldap_group from the DOS command line, but it doesn't work...

It does work from command line. This helper expects

username groupname

as input.

Regards
Henrik
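
The following sketch is an added example, not part of the original message and not Squid's code: it models the two lookups discussed in this thread (a user filter that selects the person entry, then a group filter that receives the group name as %g and the user DN as %u) against a constructed in-memory directory. The directory entries, the objectClass value "group", the helper function names and the omission of the password bind are all assumptions made for illustration.

```python
import re

# Constructed sample directory; DNs reuse the thread's naming, entries are invented.
BASE = "OU=utenti,DC=advnet,DC=it"
DIRECTORY = {
    "CN=mario," + BASE: {"cn": ["mario"], "objectclass": ["person"],
                         "memberof": ["CN=internetOK," + BASE]},
    "CN=luigi," + BASE: {"cn": ["luigi"], "objectclass": ["person"]},
    # objectClass "group" is an assumption; check what your directory uses.
    "CN=internetOK," + BASE: {"cn": ["internetOK"], "objectclass": ["group"],
                              "member": ["CN=mario," + BASE]},
}

ORIGINAL_FILTER = "(&(CN=internetOK)(objectClass=group)(member=cn=%u))"
USER_FILTER = "(&(CN=%u)(objectClass=person)(memberOf=CN=internetOK," + BASE + "))"
GROUP_FILTER = "(&(CN=%g)(objectClass=group)(member=%u))"

def search(template, **subst):
    """Return DNs matching an AND-only equality filter after %u/%g substitution."""
    for key, value in subst.items():
        template = template.replace("%" + key, value)
    terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", template)
    return [dn for dn, attrs in DIRECTORY.items()
            if all(val.lower() in [v.lower() for v in attrs.get(attr.lower(), [])]
                   for attr, val in terms)]

def auth_lookup(login):
    """User search step: the filter must select the person entry to bind as."""
    hits = search(USER_FILTER, u=login)
    return hits[0] if hits else None

def group_check(line):
    """Group helper step: input is 'username groupname', reply is OK or ERR."""
    login, group = line.split()
    user_dn = auth_lookup(login)          # the -F user filter resolves the DN
    if user_dn is None:
        return "ERR"
    # the -f group filter then gets %g = group name and %u = that user DN
    return "OK" if search(GROUP_FILTER, g=group, u=user_dn) else "ERR"

if __name__ == "__main__":
    print(search(ORIGINAL_FILTER, u="mario"))   # the filter from the first config
    print(auth_lookup("mario"))
    for line in ("mario internetOK", "mario otherGroup", "luigi internetOK"):
        print(line, "->", group_check(line))
```

The filter from the original auth_param line returns no entry here because it targets the group object and compares member against a bare "cn=<login>" rather than a full DN.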
