[squid-users] Group check against AD

masterx81 gecom at tubosider.it
Mon Oct 27 17:26:15 UTC 2014


Hi!
I'm trying to check if a user is present in a Group, and now I'm using the
following config:

external_acl_type memberof ttl=30 %LOGIN
/usr/local/squid/libexec/ext_ldap_group_acl -v 3 -R -K -b
"dc=domain,dc=local" -D squid@domain.local -W /etc/squid/ldappass.txt -f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=SQUID,ou=OU
domain,dc=domain,dc=local))" -h srv-dc1.domain.local

It works, but has some limits, for example if a user is only in the group of
interest it does not pass (while adding a second Group that is the default Group
it works). Also, if a user is in some "sub" groups it does not work.

I've also tried the kerb helper (with kerb configured and keytab working),
using shell commands it works, for example:
/usr/lib64/squid/ext_kerberos_ldap_group_acl -g "Internet libero" -D
"DOMAIN.LOCAL"
that converted in squid must be something like:
external_acl_type memberof ttl=30 %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -d -g "%g" -D "DOMAIN.LOCAL"
works (on shell, I've not tried the second syntax on squid), but with the
same limits.

Is there a way to at least have the user in only one Group (that is the
default group)?
Thanks!




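Added example, not part of the original post and not the Squid project's own configuration: Active Directory's memberOf attribute lists only direct memberships and never contains the user's primary group, which is consistent with both limits described in the message. The fragment below reuses the helper path, bind account and base DN from the post and swaps the memberof test for the transitive matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941); the ACL name, the group name InternetUsers and the http_access lines are assumptions, and an auth_param scheme providing %LOGIN is assumed to be configured already.

```squidconf
# Added example (not from the original post).
#
# Flat check, as posted: matches only users listed as DIRECT members:
#   (memberof=cn=%g,ou=SQUID,ou=OU domain,dc=domain,dc=local)
#
# Transitive check: the :1.2.840.113556.1.4.1941: matching rule makes the
# domain controller walk nested groups, so a user who is a member of a
# "sub" group of cn=%g also matches. Written here as a single line.
external_acl_type memberof ttl=30 %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -v 3 -R -K -b "dc=domain,dc=local" -D squid@domain.local -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof:1.2.840.113556.1.4.1941:=cn=%g,ou=SQUID,ou=OU domain,dc=domain,dc=local))" -h srv-dc1.domain.local

# Primary group caveat: AD stores the primary group in the user's
# primaryGroupID attribute (the group's RID), not in memberOf, so neither
# filter above matches a user whose primary group is the proxy group.
# Keep another group (for example Domain Users) as the primary group and
# add the proxy group as an ordinary membership.

# Assumed ACL wiring. InternetUsers is a hypothetical group name without
# spaces: a quoted value on an acl line is read by Squid as a file name.
acl internet_ok external memberof InternetUsers
http_access allow internet_ok
http_access deny all
```

With ttl=30 the helper result is cached for 30 seconds, so removing a user from the group takes up to that long to be enforced at the proxy.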