<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi,<br class=""><br class="">I’ve got LDAP auth working against FreeIPA, but now I’m trying to get LDAP group ACL controls working. Initially I used the local unix group filter, which works great as the machine running Squid is able to query group membership through pam. But then I found that nested group membership didn’t work. So now I’m trying to query group membership via LDAP and failing miserably.<br class=""><br class="">My config:<br class=""><br class="">auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b "cn=users,cn=accounts,dc=DOMAIN,dc=COM" -D "uid=squid-ldap,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM" -W "/etc/squid/squid-ldap.cred" -u uid -H <a href="ldaps://ipa.domain.com:636" class="">LDAPS://ipa.domain.com:636</a><br class="">[…]<br class=""><br class="">external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -v 3 -b "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" -D "uid=squid-ldap,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM" -W "/etc/squid/squid-ldap.cred" -f "(&amp;(cn=%g)(member=uid=%u))" -H <a href="ldaps://ipa.domain.com:636" class="">LDAPS://ipa.domain.com:636</a><br class=""><br class=""><br class="">This ldap search works fine:<div class=""><br class=""></div><div class=""><div class="">user@ipa:~$ ldapsearch -x -D 'cn=Directory Manager' -W -b "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" '(&amp;(cn=proxy)(member=uid=user,*))'</div><div class="">Enter LDAP Password:</div><div class=""># extended LDIF</div><div class="">#</div><div class=""># LDAPv3</div><div class=""># base &lt;cn=groups,cn=accounts,dc=DOMAIN,dc=COM&gt; with scope subtree</div><div class=""># filter: (&amp;(cn=proxy)(member=uid=user,*))</div><div class=""># requesting: ALL</div><div class="">#</div><div class=""><br class=""></div><div class=""># proxy, groups, accounts, <a href="http://ipnexia.com" class="">ipnexia.com</a></div><div class="">dn: cn=proxy,cn=groups,cn=accounts,dc=ipnexia,dc=com</div><div class="">member: uid=user,cn=users,cn=accounts,dc=ipnexia,dc=com</div><div class="">memberOf: cn=proxyuser,cn=groups,cn=accounts,dc=ipnexia,dc=com</div><div class="">cn: proxy</div><div class="">objectClass: top</div><div class="">objectClass: groupofnames</div><div class="">objectClass: nestedgroup</div><div class="">objectClass: ipausergroup</div><div class="">objectClass: ipaobject</div><div class="">objectClass: GroupOfUniqueNames</div><div class="">objectClass: posixgroup</div><div class="">ipaUniqueID: ******</div><div class="">gidNumber: ******</div><div class=""><br class=""></div><div class=""># search result</div><div class="">search: 2</div><div class="">result: 0 Success</div><div class=""><br class=""></div><div class=""># numResponses: 2</div><div class=""># numEntries: 1</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">So how am I meant to set the filter of ext_ldap_group_acl? Most FreeIPA and Squid information centers around using Kerberos (and SSO) but the clients I’m dealing with here are not tied to FreeIPA thus Kerberos is not an option.</div><div class=""><br class=""></div><div class=""><a href="https://docs.oracle.com/cd/E88353_01/html/E72487/ext-ldap-group-acl-8.html" class="">https://docs.oracle.com/cd/E88353_01/html/E72487/ext-ldap-group-acl-8.html</a> </div></div></body></html>
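Added example (not from the post, and not Squid's own code): the ldapsearch output above shows that FreeIPA's <code>member</code> attribute holds the full user DN, so an equality filter built from <code>%u</code> has to carry the whole DN rather than <code>uid=%u</code>. The script builds such a filter with RFC 4515 escaping (the login name is untrusted input to <code>%u</code>) and checks both filters against an entry constructed from the LDIF in the post. The user container is assumed to be the one used by basic_ldap_auth above.

```python
# Added example; not from the post or from Squid. Builds the group filter
# ext_ldap_group_acl would need for FreeIPA and evaluates it offline.
import re

# Assumption: users sit under this container, as in the basic_ldap_auth -b above.
USER_BASE = "cn=users,cn=accounts,dc=ipnexia,dc=com"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a hostile login name cannot rewrite the filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def user_dn(login: str) -> str:
    return f"uid={login},{USER_BASE}"


def group_filter(group: str, login: str) -> str:
    """The posted filter is (&(cn=%g)(member=uid=%u)); since 'member' is a DN,
    the equality assertion must contain the complete user DN."""
    return (f"(&(cn={escape_filter_value(group)})"
            f"(member={escape_filter_value(user_dn(login))}))")


# Constructed from the LDIF in the post (only the attributes the filter uses).
PROXY_GROUP = {
    "cn": ["proxy"],
    "member": ["uid=user,cn=users,cn=accounts,dc=ipnexia,dc=com"],
}


def matches(entry: dict, filt: str) -> bool:
    """Tiny evaluator for (&(attr=value)...) equality filters: enough to show
    that (member=uid=user) never matches a DN-valued attribute."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filt)
    if not m:
        raise ValueError("unsupported filter")
    for attr, value in re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1)):
        # Undo RFC 4515 hex escapes before comparing, as a server would.
        value = re.sub(r"\\([0-9a-fA-F]{2})",
                       lambda x: chr(int(x.group(1), 16)), value)
        if value.lower() not in [v.lower() for v in entry.get(attr, [])]:
            return False
    return True
```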