[squid-users] Debian 7 LDAP auth to 2008r2

Amos Jeffries squid3 at treenet.co.nz
Thu Dec 18 09:01:44 UTC 2014



On 18/12/2014 11:28 a.m., Bert wrote:
> Man I just can't seem to make this work. I followed this guide:
> 
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
> 
> and everything went well, but as soon as I get to the
> squid_ldap_group test I get nothing back, or the second time I hit
> enter it returns an "invalid entry" error.
> 
> /usr/lib/squid3/squid_ldap_group -R -K -S -b "dc=example,dc=local"
> -D squid@example.local -W /etc/squid3/ldappass.txt -f
> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" -h dc1.example.local
> EXAMPLE\Username Internet%20Users%20Standard
> 
> Can anyone tell me what to look for as far as testing? I have run
> this test with debug -d but that doesn't seem to return anything.
> My understanding of the command above is that it's taking the basedn and
> a user name that I have set up and created a password for, and
> attempting to query the AD server that is listed after the -h
> option. The part of the line I don't understand is cn=%g. No idea
> what might be plugged in there, as "g" is not initialized anywhere.

%g is the group name being looked up.

acl .. external groupName1 groupName2 ...

> Based on the options returned after squid_ldap_group I think I get
> what's going on, and the last two entries on the line are the
> queried username against the security groups I created in AD, and
> the user I have been testing is a member of the internet users
> group. This seems pretty straightforward, but I get nothing, and
> this query is basically the same in the squid.conf, so if it doesn't
> work here it's obviously not going to work from a browser.
> 

The tutorial is a bit broken.

Firstly, it does not explain that the "bug" causing group names to have
to be in files loaded by the Squid external ACL is that the squid.conf
parser uses whitespace as a reserved character delimiting words.
The normal ACL syntax is:
  acl foo external memberof Group1Name Group2Name ...

It then recommends that -f parameter, which contains whitespace,
directly in squid.conf...


You need to replace "Security Groups" with "Security\ Groups" and, if
that does not work by itself, upgrade to a current Squid version.
Squid-3.4 or later should accept \-escapes in quoted strings.

Amos
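A squid.conf fragment, added here as an illustration and not taken from the thread or the tutorial, showing the tutorial-style line with the bare space beside the escaped form Amos suggests. The helper path, bind DN, base DN and host are Bert's values; the acl name "internet_std", the group file path and the http_access lines are assumptions.

```conf
# Constructed example; not the tutorial's or the thread's configuration.
# Broken (tutorial style): the bare space in "Security Groups" is a word
# delimiter to the squid.conf parser, so the -f filter is split in two and
# the helper never sees a complete LDAP filter.
#external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -S -b "dc=example,dc=local" -D squid@example.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" -h dc1.example.local

# Fixed: escape the whitespace inside the quoted string (Squid-3.4 or later
# accepts \-escapes in quoted strings). %g is filled in with each group name
# listed on the acl line below; %v with the user name from %LOGIN.
external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -S -b "dc=example,dc=local" -D squid@example.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Security\ Groups,ou=MyBusiness,dc=example,dc=local))" -h dc1.example.local

# Group names with spaces hit the same whitespace splitting on the acl line,
# which is why the tutorial loads them from a file. Assumed file
# /etc/squid3/internet_std.txt holds one group name per line:
#   Internet Users Standard
acl internet_std external memberof "/etc/squid3/internet_std.txt"

http_access allow internet_std
http_access deny all
```

Check the helper outside Squid first, as Bert did: if the command-line test with the escaped filter returns OK, but the browser is still denied, the remaining difference is in how squid.conf tokenised the line.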
