[squid-users] SOLVED: ext_ldap_group_acl
Roberto Nunnari
roberto.nunnari at edu.ti.ch
Mon Aug 10 16:01:39 UTC 2020
Hello.
I just solved myself this problem. It was my mistake with the filters.
Here's how it goes:
/usr/lib64/squid/ext_ldap_group_acl -R -b "dc=my,dc=domain" -D "squid@my.domain" -W /etc/squid/ldappass.txt -f "(&(sAMAccountName=%u)(memberof:1.2.840.113556.1.4.1941:=CN=%g,DC=my,dc=domain)(objectClass=user))" -h mydc.my.domain
That :1.2.840.113556.1.4.1941: will cause a recursive lookup until it
finds a user. Useful when the user is not directly a member of that group, but
is a member of a group that is a member of that group.
Best regards.
Robi
From: squid-users <squid-users-bounces at lists.squid-cache.org> On behalf of
Roberto Nunnari
Sent: Monday, 10 August 2020 10:41
To: squid-users at lists.squid-cache.org
Subject: [squid-users] ext_ldap_group_acl
Hello.
I'm setting up squid on a CentOS 8 server.
Authentication against Active Directory works well with basic_ldap_auth, but
I fail when trying to check that a user belongs to a group.
It seems to me that for ext_ldap_group_acl it's enough that both the user
and the group exist and it returns OK. It returns ERR when it cannot find
the group or the user.
To make it more clear, here are the queries and results I get.
user1.test exists and is a member of group My_Group
user2.test exists and is NOT a member of group My_Group
Group asdf does NOT exist
So, I expect that when asking for
- user1.test My_Group >> OK
- user2.test My_Group >> ERR
But I get:
- user1.test My_Group >> OK
- user2.test My_Group >> OK
Here it is:
# /usr/lib64/squid/ext_ldap_group_acl -d -R -b "dc=my,dc=domain" -D "squid@my.domain" -W /etc/squid/ldappass.txt -F "(sAMAccountName=%s)" -f "(memberof=CN=%g,DC=my,DC=domain)" -h sv-102-dc.my.domain
user1.test asdf
ext_ldap_group_acl.cc(589): pid=194302 :Connected OK
ext_ldap_group_acl.cc(772): pid=194302 :user filter '(sAMAccountName=user1.test)', searchbase 'dc=my,dc=domain'
ext_ldap_group_acl.cc(736): pid=194302 :group filter '(memberof=CN=asdf,DC=my,DC=domain)', searchbase 'dc=my,dc=domain'
ERR
user1.test My_Group
ext_ldap_group_acl.cc(589): pid=194302 :Connected OK
ext_ldap_group_acl.cc(772): pid=194302 :user filter '(sAMAccountName=user1.test)', searchbase 'dc=my,dc=domain'
ext_ldap_group_acl.cc(736): pid=194302 :group filter '(memberof=CN=My_Group,DC=my,DC=domain)', searchbase 'dc=my,DC=domain'
OK
user2.test My_Group
ext_ldap_group_acl.cc(589): pid=194302 :Connected OK
ext_ldap_group_acl.cc(772): pid=194302 :user filter '(sAMAccountName=user2.test)', searchbase 'dc=my,dc=domain'
ext_ldap_group_acl.cc(736): pid=194302 :group filter '(memberof=CN=My_Group,DC=my,DC=domain)', searchbase 'dc=my,DC=domain'
OK
My env:
# uname -rms
Linux 4.18.0-193.14.2.el8_2.x86_64 x86_64
# rpm -qa | grep squid
squid-4.4-8.module_el8.2.0+319+d18e041f.1.x86_64
Could any kind soul help me out?
Thank you and best regards.
Robi
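The thread above shows two things worth seeing side by side: a group filter that never mentions the user (the original "(memberof=CN=%g,...)" without %u) matches any member of the group, so the helper answers OK for anyone as long as the group has members; and a plain memberof equality cannot see nested membership, which is what the LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) adds. The following is an added example, not code from the thread or from Squid: it models a tiny directory with a nested group, performs the %u/%g substitution with RFC 4515 escaping (the escaping is this example's own; the page says nothing about what the helper does), evaluates the resulting filters with a minimal evaluator, and reports OK/ERR the way the helper does (OK when the search returns at least one entry). All DNs, users and groups are constructed for illustration.

```python
"""Model of how an ext_ldap_group_acl -f filter decides OK versus ERR.

Everything here is constructed for illustration: the in-memory directory, the
filter evaluator and the escaping are assumptions, not Squid's own code.
"""
import re

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed directory (all values lowercase, DN comparison is case-insensitive):
# user1.test is a direct member of My_Group, user3.test is only a member of
# Sub_Group (which is itself in My_Group), user2.test is in neither.
DIRECTORY = {
    "cn=my_group,dc=my,dc=domain": {"objectclass": ["group"], "memberof": []},
    "cn=sub_group,dc=my,dc=domain": {"objectclass": ["group"],
                                     "memberof": ["cn=my_group,dc=my,dc=domain"]},
    "cn=user1.test,dc=my,dc=domain": {"objectclass": ["user"], "samaccountname": ["user1.test"],
                                      "memberof": ["cn=my_group,dc=my,dc=domain"]},
    "cn=user2.test,dc=my,dc=domain": {"objectclass": ["user"], "samaccountname": ["user2.test"],
                                      "memberof": []},
    "cn=user3.test,dc=my,dc=domain": {"objectclass": ["user"], "samaccountname": ["user3.test"],
                                      "memberof": ["cn=sub_group,dc=my,dc=domain"]},
}

# The three filter templates discussed in the thread (original, fixed, and a
# non-recursive variant that does bind the user).
ORIGINAL_FILTER = "(memberof=CN=%g,DC=my,DC=domain)"
FIXED_FILTER = ("(&(sAMAccountName=%u)(memberof:" + LDAP_MATCHING_RULE_IN_CHAIN +
                ":=CN=%g,DC=my,dc=domain)(objectClass=user))")
DIRECT_FILTER = "(&(sAMAccountName=%u)(memberof=CN=%g,DC=my,dc=domain)(objectClass=user))"


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a filter (%u / %g)."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def build_filter(template, user, group):
    """Substitute %u and %g the way the helper fills its -f template."""
    return template.replace("%u", ldap_escape(user)).replace("%g", ldap_escape(group))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; supports &, |, ! and attr[:rule:]=value."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        assert s[i] == ")"
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = parse(s, i + 1)
        assert s[i] == ")"
        return ("!", [node]), i + 1
    end = s.index(")", i)              # safe: ')' inside values is escaped as \29
    attr, value = s[i:end].split("=", 1)
    rule = None
    if ":" in attr:                     # extensible match, e.g. memberof:<oid>:=
        attr, rule, _ = attr.split(":")
    return ("=", (attr.lower(), rule, _unescape(value).lower())), end + 1


def transitive_memberof(dn, directory):
    """What the in-chain rule computes server-side: every group reachable via memberof."""
    seen, stack = set(), list(directory[dn].get("memberof", []))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(directory.get(group, {}).get("memberof", []))
    return seen


def matches(node, dn, directory):
    kind, payload = node
    if kind == "&":
        return all(matches(k, dn, directory) for k in payload)
    if kind == "|":
        return any(matches(k, dn, directory) for k in payload)
    if kind == "!":
        return not matches(payload[0], dn, directory)
    attr, rule, value = payload
    if attr == "memberof" and rule == LDAP_MATCHING_RULE_IN_CHAIN:
        return value in transitive_memberof(dn, directory)
    return value in directory[dn].get(attr, [])


def search(filter_string, directory):
    node, _ = parse(filter_string)
    return sorted(dn for dn in directory if matches(node, dn, directory))


def helper_decision(template, user, group, directory=DIRECTORY):
    """OK when the group search returns at least one entry, ERR otherwise."""
    return "OK" if search(build_filter(template, user, group), directory) else "ERR"


if __name__ == "__main__":
    for name, template in (("original", ORIGINAL_FILTER), ("direct", DIRECT_FILTER), ("fixed", FIXED_FILTER)):
        for user in ("user1.test", "user2.test", "user3.test"):
            print(f"{name:8} {user:11} My_Group -> {helper_decision(template, user, 'My_Group')}")
```

Run stand-alone, the "original" row shows OK for user2.test (the symptom in the thread), "direct" shows ERR for the nested user3.test, and "fixed" gives OK only for user1.test and user3.test. The escaping matters for the same reason the %u binding does: a username of "*" must be searched as the literal string, not as a wildcard that would match every account.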