Joachim JS. Schuster wrote:
Dear squid users, I need help about my authentication problem with squid_ldap_group.
First I create an entry for squid_ldap_auth. I can log in and I have web access and it works fine.
auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b "dc=mb,dc=local" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -f "(&(sAMAccountName=%s)(objectClass=Person))" -h 192.168.3.1
acl USERS proxy_auth REQUIRED
http_access allow USERS
In the next step I create these lines for my LDAP group access.
external_acl_type ldapgroup concurrency=15 %LOGIN /usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
acl ldapproxygroup external ldapgroup webaccess
http_access allow ldapproxygroup
I can log in but I have no web access. I see the 407 error access denied in squid conf.
When I execute
heins:~ # /usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
cwm webaccess
OK
I get OK but the user cwm can't use the proxy.
Can you quote some of the logs that shows the problem? Is the username in the logs exactly as you are typing it on the command line? What I am getting at is that it might have the domain name attached to the username in which case you need the -S option for squid_ldap_group.
Regards, Oliver
Sorry, I am new in this list. In which way must I contact you? By your mail address or over a [email protected]?
The access.log entries:
1105494666.537 0 192.168.5.2 TCP_DENIED/407 2470 GET http://www.google.de/ - NONE/- text/html
1105494675.258 24 192.168.5.2 TCP_DENIED/403 2217 GET http://www.google.de/ cwm NONE/- text/html
The username cwm is correct. I can add more users to the webaccess. I checked all the new users with the command line below and the test is OK.
/usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
Regards, Joachim
Sorry, my mail program doesn't automatically reply to the list - yes you should reply to the list unless you want to converse directly with one of the members.
The only thing I could suggest is trying the -S parameter anyway. I don't know any really good ways to find out what is happening, unless you can write a test-program to replace squid_ldap_group that logs what options and input were passed to it. It either works or it doesn't!
Regards, Oliver
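The logging test program Oliver suggests, as an added example that is not part of this thread: a POSIX shell wrapper that Squid's external_acl_type line is pointed at instead of squid_ldap_group. It records the options Squid passes and every request line (bracketed, so a domain prefix, trailing space or concurrency channel id shows up exactly as received), then forwards the line unchanged to the real helper and relays its answer. The helper and log paths are assumptions.

```shell
#!/bin/sh
# Logging wrapper for a Squid external ACL helper (added example, not from the
# thread). Point external_acl_type at this script instead of the real helper.
# Both paths below are assumptions; override them in the environment.
REAL_HELPER="${REAL_HELPER:-/usr/sbin/squid_ldap_group}"
LOG_FILE="${LOG_FILE:-/var/log/squid/ldap_group_wrapper.log}"

# Append one timestamped line to the wrapper log.
log_line() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" >> "$LOG_FILE"
}

# Log argv, then log and relay each stdin request and the helper's reply.
# Requests are bracketed so a domain prefix, a trailing space or a channel id
# (from concurrency=) is visible exactly as received.
# For debugging only: the real helper is started once per request.
wrap_helper() {
    log_line "started with args: $*"
    while IFS= read -r request; do
        log_line "request: [$request]"
        reply=$(printf '%s\n' "$request" | "$REAL_HELPER" "$@")
        log_line "reply:   [$reply]"
        printf '%s\n' "$reply"
    done
}

# Squid always starts the helper with options; with no arguments (for example
# when this file is sourced for testing) nothing is run.
[ "$#" -eq 0 ] || wrap_helper "$@"
```

Compare the bracketed request in the log with the username typed on the command line; if the proxy login appears with a domain attached, that is the case the -S option is meant for.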
