[squid-users] LDAP related question.
Dan Purgert
dan at djph.net
Fri Jul 31 09:45:43 UTC 2015
Quoting Eliezer Croitoru <eliezer at ngtech.co.il>:
> I wanted to test the ext_ldap_group_acl so I created a ldap domain.
> The command I am testing is:
> /usr/lib/squid3/ext_ldap_group_acl -b "DC=ngtech,DC=local" -D "CN=admin,DC=ngtech,DC=local" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,DC=ngtech,DC=local))" -h 127.0.0.1
Looks like your command is a bit off. Here's my LDAP one, which works
(some variant of squid3 -- I only have the config file on my local PC,
and no over-the-internet access to this particular proxy, as I'm at work).
Please note that I redacted the actual domain name and replaced it
with "example".
external_acl_type ldapgroup %LOGIN /usr/lib/squid3/ext_ldap_group_acl -b "ou=users,dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -W /etc/squid3/pass.in -f (&(objectClass=*)(uid=%u)(memberof=cn=%g,ou=ldapGroups,dc=example,dc=org)) -h ldap.example.org
I was having trouble with the object class myself ... but the LDAP
group is small (like 30 people, and nothing else like printers or
anything), so having a "too big" objectClass in the filter isn't the end of the
world.
Then the ACLs are pretty simple:
acl ldap-kids external ldapgroup kids
acl ldap-parents external ldapgroup parents
http_access allow [...] ldap-kids
http_access deny ldap-kids all <-- not 100% sure this one is necessary, but I'm
also not 100% certain how squid reacts to a couple of "allow" rules
followed by "allow" rules for a different group, but this seems to work.
http_access allow [...] ldap-parents
http_access deny ad_sites ldap-parents all <-- death to ads ;)
http_access deny all
>
> Now I have entered "user1 int" and, to my understanding, it should
> reply with OK, but it returns ERR:
> user1 int
> ext_ldap_group_acl.cc(587): pid=27778 :Connected OK
> ext_ldap_group_acl.cc(726): pid=27778 :group filter '(&(objectclass=person)(sAMAccountName=user1)(memberof=CN=int,DC=ngtech,DC=local))', searchbase 'DC=ngtech,DC=local'
> ERR
>
>
> Now the LDAP structure is like this:
> DC=ngtech,DC=local
>   -> CN=int
>        member --> user1
>   -> OU=users
>        --> CN=user1
> (Not such a great painter.)
I think you're missing an OU in there; my LDAP server is ordered like this:

dc=example,dc=org
|
-> ou=ldapGroups
|    |-> cn=kids
|    |-> cn=parents
|
-> ou=users
     |-> cn=[user1]
     |-> cn=[user2]
     |-> [...]
How did you create things? I found that using LDIF files caused
trouble (or at least the ones from the examples I had), whereas just
installing phpldapadmin and poking around got me up and running in
almost no time flat.
> [snip]
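To see why the quoted filter answers ERR against a tree laid out the way Dan describes, and what the helper's %v/%a substitution has to guard against, here is an added example (not from the thread and not Squid's own code) that mimics ext_ldap_group_acl's request parsing, filter expansion and value escaping against a constructed in-memory directory. The directory entries, the OU=groups container, the "fixed" filter and the attacker-style username are assumptions made up for illustration; only the quoted filter, base DN and "user1 int" request come from the thread.

```python
"""Added example, not code from the thread or from Squid.
Models ext_ldap_group_acl: '<user> <group>...' request -> -f template
expansion (with RFC 4515 escaping, as the real helper does) -> search."""
import re

# Characters that must be escaped when spliced into a search filter.
SPECIAL = {'*': r'\2a', '(': r'\28', ')': r'\29', '\\': r'\5c', '\x00': r'\00'}


def escape_filter_value(value):
    return ''.join(SPECIAL.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_request(line):
    """Helper protocol line '<user> <group> [<group>...]' -> (user, groups)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError('expected "<user> <group> [<group> ...]"')
    return parts[0], parts[1:]


def build_filter(template, user, group, escape=True):
    """Expand %u/%v (user) and %g/%a (group) like the -f option.
    escape=False only exists to show what an unescaped splice would do."""
    enc = escape_filter_value if escape else (lambda s: s)
    subst = {'u': enc(user), 'v': enc(user), 'g': enc(group), 'a': enc(group)}
    return re.sub(r'%([uvga])', lambda m: subst[m.group(1)], template)


def _parse(s, i=0):
    """Tiny recursive-descent parser: &, |, !, attr=value, attr=* ."""
    if s[i] != '(':
        raise ValueError('expected "(" at offset %d' % i)
    i += 1
    if s[i] in '&|!':
        op, kids, i = s[i], [], i + 1
        while s[i] == '(':
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ')':
            raise ValueError('unbalanced filter')
        return (op, kids), i + 1
    j = s.index(')', i)          # a raw ')' never occurs inside an escaped value
    attr, _, val = s[i:j].partition('=')
    return ('=', attr.lower(), val), j + 1


def _norm_dn(dn):
    return ','.join(p.strip() for p in dn.split(',')).lower()


def _matches(node, entry):
    op = node[0]
    if op == '&':
        return all(_matches(k, entry) for k in node[1])
    if op == '|':
        return any(_matches(k, entry) for k in node[1])
    if op == '!':
        return not _matches(node[1][0], entry)
    _, attr, val = node
    values = entry.get(attr, [])
    if val == '*':                      # presence test
        return bool(values)
    want = unescape_filter_value(val)
    if attr == 'memberof':              # DN-valued: compare normalised DNs
        return any(_norm_dn(v) == _norm_dn(want) for v in values)
    return any(v.lower() == want.lower() for v in values)


def lookup(template, request_line, directory, base, escape=True):
    """'OK' if the user matches the filter for any requested group, else 'ERR'."""
    user, groups = parse_request(request_line)
    for group in groups:
        filt = build_filter(template, user, group, escape)
        node, end = _parse(filt)
        if end != len(filt):
            raise ValueError('trailing data after filter')
        for entry in directory:
            if _norm_dn(entry['dn']).endswith(_norm_dn(base)) and _matches(node, entry):
                return 'OK'
    return 'ERR'


# Constructed directory (assumption): the group object sits under an OU,
# as in Dan's layout, while the quoted filter points at the domain root.
DIRECTORY = [
    {'dn': 'CN=user1,OU=users,DC=ngtech,DC=local',
     'objectclass': ['top', 'person'], 'samaccountname': ['user1'],
     'memberof': ['CN=int,OU=groups,DC=ngtech,DC=local']},
    {'dn': 'CN=int,OU=groups,DC=ngtech,DC=local',
     'objectclass': ['top', 'group'],
     'member': ['CN=user1,OU=users,DC=ngtech,DC=local']},
]
BASE = 'DC=ngtech,DC=local'
QUOTED_FILTER = ('(&(objectclass=person)(sAMAccountName=%v)'
                 '(memberof=CN=%a,DC=ngtech,DC=local))')        # from the thread
FIXED_FILTER = ('(&(objectclass=person)(sAMAccountName=%v)'
                '(memberof=CN=%a,OU=groups,DC=ngtech,DC=local))')  # assumed fix

if __name__ == '__main__':
    print(build_filter(QUOTED_FILTER, 'user1', 'int'))
    print(lookup(QUOTED_FILTER, 'user1 int', DIRECTORY, BASE))
    print(lookup(FIXED_FILTER, 'user1 int', DIRECTORY, BASE))
    bad = '*)(objectclass=*'   # a crafted "username" from an attacker
    print(lookup(FIXED_FILTER, bad + ' int', DIRECTORY, BASE))
    print(lookup(FIXED_FILTER, bad + ' int', DIRECTORY, BASE, escape=False))
```

The first lookup reproduces the thread's ERR: the entry's memberOf value names the group under an OU, so an exact DN comparison against `CN=int,DC=ngtech,DC=local` fails; point the filter (or the object) at the right container and the same request answers OK. The last two calls show why the helper escapes substituted values: with escaping, the crafted username is just a string nobody has; without it, the filter collapses to presence tests and matches any member of the group. You can confirm the real helper's behaviour by running it with -d, as the quoted output was produced, and feeding it a username containing `*` or `)`: the "group filter" debug line shows the escaped form. One more check worth doing on OpenLDAP: memberOf is only populated when the memberof overlay is loaded, so a filter on memberof can return ERR even with a correct DN.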