Joachim JS. Schuster wrote:
-----Original Message-----
From: Oliver Hookins [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 12 January 2005 01:07
To: squid-users@squid-cache.org
Cc: Joachim JS. Schuster
Subject: Re: [squid-users] authentication problem with squid_ldap_group
Joachim JS. Schuster wrote:
Joachim JS. Schuster wrote:
Dear squid users,
I need help with my authentication problem with squid_ldap_group.
First I created an entry for squid_ldap_auth. I can log in and I have web
access and it works fine.
auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b "dc=mb,dc=local" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -f "(&(sAMAccountName=%s)(objectClass=Person))" -h 192.168.3.1
acl USERS proxy_auth REQUIRED
http_access allow USERS
In the next step I created these lines for my LDAP group access.
external_acl_type ldapgroup concurrency=15 %LOGIN /usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
acl ldapproxygroup external ldapgroup webaccess
http_access allow ldapproxygroup
I can log in but I have no web access. I see the 407 error access denied
in squid conf.
When I execute
heins:~ # /usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
cwm webaccess
OK
I get OK but the user cwm can't use the proxy.
Can you quote some of the logs that show the problem? Is the username
in the logs exactly as you are typing it on the command line? What I am
getting at is that it might have the domain name attached to the
username, in which case you need the -S option for squid_ldap_group.
Regards,
Oliver
Sorry, I am new to this list. In which way must I contact you? By your
mail address or via squid-users@squid-cache.org?
The access.log entries:
1105494666.537 0 192.168.5.2 TCP_DENIED/407 2470 GET http://www.google.de/ - NONE/- text/html
1105494675.258 24 192.168.5.2 TCP_DENIED/403 2217 GET http://www.google.de/ cwm NONE/- text/html
The username cwm is correct. I can add more users to the webaccess. I
checked all the new users with the command line below and the test is
OK.
/usr/sbin/squid_ldap_group -P -R -b "ou=intern,dc=mb,dc=local" -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D "cn=squid,cn=users,dc=mb,dc=local" -w secret1998 -h 192.168.3.1
Regards
Joachim
Sorry, my mail program doesn't automatically reply to the list - yes you
should reply to the list unless you want to converse directly with one
of the members.
The only thing I could suggest is trying the -S parameter anyway. I
don't know any really good ways to find out what is happening, unless
you can write a test-program to replace squid_ldap_group that logs what
options and input were passed to it. It either works or it doesn't!
Regards,
Oliver
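One way to carry out the suggestion above, a stand-in for the helper that records what Squid actually passes to it; this is an added example, not code from the thread or from the Squid project. It assumes the helper path quoted in the thread, a log file under /var/log/squid, and that -S strips the usual NT form DOMAIN\user, which is why the log also shows what each name would look like after -S.

```shell
#!/bin/sh
# Hypothetical logging stand-in for squid_ldap_group (added example, not from the thread).
# Point external_acl_type at this script instead of the helper: it logs the arguments
# and every request line Squid sends, passes them unchanged to the real helper, and
# logs the helper's replies, so Squid still receives its normal OK/ERR answers.
REAL_HELPER="${REAL_HELPER:-/usr/sbin/squid_ldap_group}"   # helper path as used in the thread
LOGFILE="${LOGFILE:-/var/log/squid/ldap_group_debug.log}"  # assumed log location

stamp() { date '+%Y-%m-%dT%H:%M:%S'; }

# What the -S option would make of a name, assuming the NT form DOMAIN\user
# (an assumption about the helper; names without a backslash are left alone).
strip_nt_domain() {
    printf '%s\n' "$1" | sed 's/^.*\\//'
}

# Copy each request line to the log, noting how the user field would look after -S,
# then pass the line on unchanged. With concurrency=N the line is
# "<channel-id> <user> <group>"; without it, "<user> <group>".
tee_stdin() {
    while IFS= read -r line; do
        user=$(printf '%s\n' "$line" | awk '{ if (NF >= 3) print $2; else print $1 }')
        printf '%s REQUEST: %s (user after -S would be: %s)\n' \
            "$(stamp)" "$line" "$(strip_nt_domain "$user")" >> "$LOGFILE"
        printf '%s\n' "$line"
    done
}

# Record every reply the real helper sends back to Squid.
log_replies() {
    while IFS= read -r reply; do
        printf '%s REPLY: %s\n' "$(stamp)" "$reply" >> "$LOGFILE"
        printf '%s\n' "$reply"
    done
}

# Act as the wrapper only when started with the helper's arguments, as Squid does.
if [ $# -gt 0 ]; then
    printf '%s ARGS:' "$(stamp)" >> "$LOGFILE"
    for a in "$@"; do printf ' [%s]' "$a" >> "$LOGFILE"; done
    printf '\n' >> "$LOGFILE"
    tee_stdin | "$REAL_HELPER" "$@" | log_replies
fi
```

A logged request such as "0 MB\cwm webaccess" next to a REPLY of ERR, while "cwm webaccess" passes on the command line, is the domain-prefix case the -S option is meant for.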
Do you mean the -S (Strip NT domain from usernames) parameter?
Regards
Joachim
Yes.
Oliver