[squid-users] LDAP search filter for FreeIPA

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 6 02:40:59 UTC 2022


On 6/10/22 02:29, Djerk Geurts wrote:
> Hi,
> 
> I’ve got LDAP auth working against FreeIPA, but now I’m trying to get 
> LDAP group all controls working. Initially I used the local unix group 
> filter, which works great as the machine running Squid is able to query 
> group membership through pam. But then I found that nested group 
> membership didn’t work. So now I’m trying to query group membership via 
> LDAP and failing miserably.
> 
> My config:
> 
> auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b 
> "cn=users,cn=accounts,dc=DOMAIN,dc=COM" -D 
> "uid=squid-ldap,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM" 
> -W "/etc/squid/squid-ldap.cred" -u uid -H LDAPS://ipa.domain.com:636 
> […]
> 

To clarify, does the above description mean login with this helper works 
fine?


> external_acl_type ldap_group %LOGIN .../ext_ldap_group_acl \
>   -v 3 \

FYI: LDAP v3 is the default. You should not need to set this.


>   -b "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" \
>   -f "(&(cn=%g)(member=uid=%u))" \
> ...


You can add '-d' (lower case) to get a debug trace in cache.log about 
what is happening inside the helper.

You can use that to confirm the user/group details are arriving properly 
and the filter string is correct before it is sent to LDAP.

Also, see whether LDAP is having connectivity issues, or search issues, 
or something else is going on.


FWIW, the above reads to me like you are looking up the existence of the 
group rather than the existence of a specific user within a group. My 
LDAP knowledge is weak, so I may be wrong about that.


> 
> This ldap search works fine:
> 
> user at ipa:~$ ldapsearch -x -D 'cn=Directory Manager' -W -b 
> "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" '(&(cn=proxy)(member=uid=user,*))'

I notice that there is an extra ',*' after the username in this filter 
string which is missing on the helper one.



> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=groups,cn=accounts,dc=DOMAIN,dc=COM> with scope subtree
> # filter: (&(cn=proxy)(member=uid=user,*))
> # requesting: ALL
> #

...

> 
> So how am I meant to set the filter of ext_ldap_group_acl?


FYI, what the Squid helpers do is replace the %g and %u values and pass 
the resulting string as the 'filter' to LDAP.

Meaning that the filter used by Squid should be the same as the 
ldapsearch filter would be if you were searching for username "%u" in 
group "%g".


Also, be aware that the filter string/pattern should be constructed in a 
way that correctly handles non-ASCII characters or whitespace if those 
are possible in your credentials and/or group names.


HTH
Amos
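The substitution Amos describes (the helper fills in %u and %g and hands the result to LDAP as the filter), as an added illustration that is not the helper's own source: a small model of that step with RFC 4515 value escaping, so whitespace, non-ASCII characters and filter metacharacters in a username stay literal. It assumes that user entries live under the `-b` base DN given to basic_ldap_auth in the quoted config, which is why the working ldapsearch filter needed the `,*` after `uid=user` (the member value is a full DN, not the bare RDN); the full-DN template is a constructed suggestion, not from the helper's documentation.

```python
import re

# Constructed model (not ext_ldap_group_acl's source) of the %u / %g
# substitution the helper performs on its -f template before the result is
# sent to LDAP as the search filter.  Values are escaped per RFC 4515 so
# whitespace, non-ASCII characters and the reserved characters ( ) * \ NUL
# remain literal data and cannot change the filter's structure.

_RESERVED = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape one assertion value: reserved ASCII characters and every byte
    of a non-ASCII character become \\xx hex escapes."""
    out = []
    for ch in value:
        if ch in _RESERVED:
            out.append(_RESERVED[ch])
        elif ord(ch) > 0x7F:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def build_filter(template: str, user: str, group: str) -> str:
    """Replace %u and %g in a single pass, so an escaped value is never rescanned."""
    subs = {"%u": escape_filter_value(user), "%g": escape_filter_value(group)}
    return re.sub(r"%[ug]", lambda m: subs[m.group(0)], template)

# The thread's template only matches a member value equal to the bare RDN
# "uid=%u"; the working ldapsearch filter needed "uid=user,*" because the
# member attribute holds a full DN.  Assumption: user entries sit under the
# base DN passed to basic_ldap_auth with -b in the quoted config.
USER_BASE = "cn=users,cn=accounts,dc=DOMAIN,dc=COM"
THREAD_TEMPLATE = "(&(cn=%g)(member=uid=%u))"
FULL_DN_TEMPLATE = f"(&(cn=%g)(member=uid=%u,{USER_BASE}))"

def example_filters() -> dict:
    """Both templates for a plain user, one with parentheses and a space, one non-ASCII."""
    return {
        "thread_plain": build_filter(THREAD_TEMPLATE, "user", "proxy"),
        "fulldn_plain": build_filter(FULL_DN_TEMPLATE, "user", "proxy"),
        "fulldn_paren": build_filter(FULL_DN_TEMPLATE, "o'brien (ext)", "proxy"),
        "fulldn_unicode": build_filter(FULL_DN_TEMPLATE, "jörg", "proxy"),
    }

if __name__ == "__main__":
    for name, flt in example_filters().items():
        print(f"{name:15} {flt}")
```

Paste the printed filter into ldapsearch with the same `-b` base to confirm it returns the group entry before putting the template into the helper's `-f`; that is the same check Amos suggests doing with `-d`.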

