[squid-users] ext_ldap_group_acl not working

alesironi alesironi at yahoo.it
Thu Feb 4 16:19:32 UTC 2016


I performed additional testing using different helpers but nothing changed,
so I decided to use alternative tools to bind to AD. I used the tool ldapsearch
to verify that it is at least possible to do a search on Active Directory, and
it worked (it read all AD, returning 271 objects).


 /usr/bin/ldapsearch -x -h domcon.kidanemehret.local -D squid@kidanemehret.local -W -b "dc=kidanemehret,dc=local" -s sub "(cn=*)" cn mail sn
Enter LDAP Password

# extended LDIF
#
# LDAPv3
# base <dc=kidanemehret,dc=local> with scope subtree
# filter: (cn=*)/
...
...
...

I then ran the query again using ext_ldap_group_acl, and when asked to check
whether a user (test-full) is a member of the AD group Internet_Users_Full, it
returns ERR instead of OK.


/usr/lib/squid3/ext_ldap_group_acl -R -K -b "OU=Service Accounts,OU=USR,DC=kidanemehret,DC=local" -D squid@kidamemehret.local -w mypassword -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=Internet_Users_Full,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h domcon.kidanemehret.local -d
test-full
ERR 


Of course test-full is a member of Internet_Users_Full and the cn of the
group is correct (verified in AD).

An additional strange thing (at least to me...) is that I may also use a wrong
password in the option -w and the result is the same: it's not returning an
authentication failure, just returning ERR as if the user is not in the
group.
Note that I'm using the same account used in LDAPSEARCH to perform the
search.

Any hints?





--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ext-ldap-group-acl-not-working-tp4675816p4675880.html
Sent from the Squid - Users mailing list archive at Nabble.com.
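
An added example, not part of the original post and not Squid code: a small lint for an ext_ldap_group_acl command line that compares the domain named in the -D bind identity, the -b search base, the memberof DN in -f and the -h host, and flags a bind password given with -w. The function names and the matching heuristics are assumptions; the sample command is constructed from the one posted above.

```python
import re
import shlex

# Constructed from the command posted above ("@" restored from the archive's " at ").
POSTED = (
    '/usr/lib/squid3/ext_ldap_group_acl -R -K '
    '-b "OU=Service Accounts,OU=USR,DC=kidanemehret,DC=local" '
    '-D squid@kidamemehret.local -w mypassword '
    '-f "(&(objectclass=person)(sAMAccountName=%u)'
    '(memberof=cn=Internet_Users_Full,ou=Service Accounts,ou=USR,'
    'dc=kidanemehret,dc=local))" -h domcon.kidanemehret.local -d'
)

def dn_domain(dn):
    """Join the DC= components of a DN into a DNS-style domain name."""
    return ".".join(p.lower() for p in re.findall(r"(?i)\bdc=([^,()]+)", dn))

def lint_helper_args(command):
    """Return warnings for a helper command line (hypothetical lint, heuristic checks)."""
    argv = shlex.split(command)
    valued = {"-b", "-D", "-w", "-W", "-f", "-h"}
    opts = {a: b for a, b in zip(argv, argv[1:]) if a in valued}
    base = dn_domain(opts.get("-b", ""))
    warnings = []

    # Bind identity: UPN (user@domain) or a full DN.
    bind = opts.get("-D", "")
    bind_dom = bind.rsplit("@", 1)[1].lower() if "@" in bind else dn_domain(bind)
    if base and bind_dom and bind_dom != base:
        warnings.append(f"-D domain {bind_dom} differs from -b domain {base}")

    # Every memberof DN in the filter should live in the same domain as the base.
    for group_dn in re.findall(r"(?i)memberof=([^)]+)", opts.get("-f", "")):
        if base and dn_domain(group_dn) != base:
            warnings.append(f"memberof DN {group_dn} is outside -b domain {base}")

    # Host names (not IP addresses) are expected to sit under the base domain.
    host = opts.get("-h", "").lower()
    if base and host and not host.replace(".", "").isdigit() \
            and not host.endswith("." + base):
        warnings.append(f"-h host {host} is not under -b domain {base}")

    # A password given with -w is visible in squid.conf and the process list.
    if "-w" in opts:
        warnings.append("-w puts the bind password on the command line; "
                        "-W secretfile reads it from a file")
    return warnings

if __name__ == "__main__":
    for w in lint_helper_args(POSTED):
        print("WARN:", w)
```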

