Hello Kelly,
From the man page for squid_ldap_group:
-------------------------------------------------------------------------------------
-f filter
LDAP search filter used to search the LDAP directory for any
matching group memberships. In the filter %u will be replaced
by the user login name (or DN if the -F or -u options are used)
and %g by the requested group name.
-F filter
LDAP search filter used to search the LDAP directory for any
matching users. In the filter %s will be replaced by the user
login name. If % is to be included literally in the filter then
use %%.
-------------------------------------------------------------------------------------
The lower case dash f, "-f", is a filter used to match group records from your LDAP database.
The upper case dash F, "-F", is a filter used to match user records from your LDAP database.
As for the definition I defined and used here at KCL, I allow two different styles of user name recognition when replying to a proxy challenge. One is by the user's identifier (UID) the other is by the user's E-Mail address.
-------------------------------------------------------------------------------------
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h ldap.komatsu.ca -p 389 -P -b o=komatsu -F "(|(uid=%s)(mail=%s))" -f "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"
-------------------------------------------------------------------------------------
If your LDAP schema uses a different tag for the user identifier than "uid", you may want to consider using the "-F" option.
Hope this helps. Sorry for the delayed reply. Last week became quite busy...
Tim
-----------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer
Komatsu Canada Limited
1725B Sismet Road
Mississauga, Canada L4W 1P9
Ph#: 905-625-6292 x265
Fax: 905-625-6348
E-Mail: [EMAIL PROTECTED]
-----------------------------------------------------------
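To make the two-stage lookup described above concrete, here is an added illustration (not squid_ldap_group's own code) of how the -F and -f templates expand: -F is filled with %s = the login name, and -f with %u = the DN that user search returned and %g = the requested group, with %% yielding a literal %. The DN and login names are constructed, and the RFC 4515 escaping of substituted values is an assumption of this example, not something the man page text states.

```python
import re

# RFC 4515 escaping for values substituted into an LDAP search filter, so
# that a login name containing filter metacharacters is matched literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template, values):
    """Replace %x tokens with escaped values; '%%' yields a literal '%'."""
    def repl(m):
        tok = m.group(1)
        if tok == "%":
            return "%"
        if tok not in values:
            raise KeyError("no value for %%%s in filter" % tok)
        return ldap_escape(values[tok])
    return re.sub(r"%(.)", repl, template)


# The two templates quoted from Tim's external_acl_type line.
USER_FILTER = "(|(uid=%s)(mail=%s))"
GROUP_FILTER = "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"


def group_lookup_filters(login, group, user_dn):
    """Return the (user search, group search) filters for one request.

    user_dn is the DN the -F search is assumed to have returned; because
    -F is in use, %u in the -f filter is bound to that DN, not the login.
    """
    user_search = expand(USER_FILTER, {"s": login})
    group_search = expand(GROUP_FILTER, {"g": group, "u": user_dn})
    return user_search, group_search


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    dn = "uid=kconnor,ou=people,o=komatsu"
    for login in ("kconnor", "kconnor@example.com"):
        for f in group_lookup_filters(login, "InternetAccess", dn):
            print(f)
```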
[EMAIL PROTECTED] wrote:
Hi Tim -
Looking over what you sent me, I have made a few changes.
First, I have taken port 21 out of Safe_ports, since I don't want free access to FTP downloads.
What is going on in your squid_ldap_auth line? What is the difference between "-F" and "-f"? The man page does not even mention -F.
I have modified my set thus far:
------------
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b ou=techsvc,o=gps -D cn=squid,ou=global,o=gps -w <pass> -f "(&(cn=%s)(groupMembership=cn=RestrictedInternetAccess,ou=techsvc,o=gps))" -h FS-GPS1.GPS
acl Restricted port 20 21 1025-65535
acl RestrictedUsers external ldap_group RestrictedInternetAccess
acl OpenUsers external ldap_group InternetAccess
http_access allow Restricted OpenUsers
http_access deny !Safe_ports
------------
Am I doing something wrong with the external_acl_type line?
Kelly Connor
Network Technician
Gilbert Unified School District
[EMAIL PROTECTED]
