[squid-users] please help me test ext_ldap_group_acl from command line

Amos Jeffries squid3 at treenet.co.nz
Tue Jul 28 20:55:30 UTC 2015


On 29/07/2015 5:56 a.m., Amos Jeffries wrote:
> On 29/07/2015 4:01 a.m., Marko Cupać wrote:
>> Hi,
>>
>> I am testing ext_ldap_group_acl from command line in squid-3.5.6 on
>> FreeBSD 10.1-RELEASE-p15 amd64, but I can't make it work with Active
>> Directory.
>>
>> My query is as follows:
>> ./ext_ldap_group_acl -d -b "DC=mimar,DC=rs" \
>> 	-f "CN=squid_noaccess" -d ldapbinder at mimar.rs -W "mypass" \
>> 	-h dc1.mimar.rs
>>
>> After I type user and group name I get:
>> pacija squid_noaccess
>> ext_ldap_group_acl.cc(579): pid=1550 :Connected OK
>> ext_ldap_group_acl.cc(718): pid=1550 :group filter 'CN=squid_noaccess', searchbase 'DC=mimar,DC=rs'
>> ext_ldap_group_acl: WARNING: LDAP search error 'Operations error'
>> ERR
>>
>> If I understand well, if user pacija is a member of squid_noaccess
>> group, correctly construed query should give me OK. How do I achieve
>> this?
> 
> Start by typing in the input using external ACL helpers input format.
> I assume your squid.conf uses %LOGIN. Which is actually user:password
> 
> Notice the colon.

Oops. Sorry, looked in the wrong formatter. It is just username like you
had.

But no group name unless the group is explicitly named in the 'acl ...
external ...' line parameters.


This bit still applies though:

> 
> Follow that by running the helper as Squid low-privileged user account.
> There's no gain testing that admin account can access things. You want
> it working when run by Squid.


And maybe alter the -f parameter value to tell it where to find the %u
(username).

Amos
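
An added illustration of the -f point above (not part of the original message and not the helper's own code): how a filter template containing %u expands into the search filter for one helper input line, with the user and group values escaped per RFC 4515. Assumptions: %g as the group placeholder comes from the helper's documentation rather than this thread, input tokens are taken to be URL-encoded, and the Active Directory template with its OU=Groups container is constructed.

```python
import re
from urllib.parse import unquote

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_template(template):
    """Return a list of problems with a -f filter template."""
    problems = []
    if "%u" not in template:
        problems.append("no %u: the search never references the user")
    if "%g" not in template:
        problems.append("no %g: the group is hard-coded in the filter")
    if template.count("(") != template.count(")"):
        problems.append("unbalanced parentheses")
    return problems


def expand_filter(template, user, group):
    """Substitute %u and %g in one pass, escaping both values."""
    values = {"u": escape_filter_value(user), "g": escape_filter_value(group)}
    return re.sub(r"%([ug])", lambda m: values[m.group(1)], template)


def filters_for_line(template, line):
    """One helper input line: user name, then group name(s), space separated.

    Assumption: tokens are URL-encoded, so they are decoded first.
    """
    user, *groups = [unquote(tok) for tok in line.split()]
    return [expand_filter(template, user, grp) for grp in groups]


# Constructed template; the OU=Groups container is a placeholder.
TEMPLATE = "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Groups,DC=mimar,DC=rs))"

if __name__ == "__main__":
    print(check_template("CN=squid_noaccess"))   # the filter from the question
    for flt in filters_for_line(TEMPLATE, "pacija squid_noaccess"):
        print(flt)
```

The group value is only filter-escaped here; a group name containing DN special characters would also need DN escaping before being placed inside memberOf.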


