[squid-users] LDAP search filter for FreeIPA
Djerk Geurts
djerkg at gmail.com
Wed Oct 5 13:29:44 UTC 2022
Hi,
I’ve got LDAP auth working against FreeIPA, but now I’m trying to get LDAP group ACL controls working. Initially I used the local unix group filter, which works great as the machine running Squid is able to query group membership through pam. But then I found that nested group membership didn’t work. So now I’m trying to query group membership via LDAP and failing miserably.
My config:
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b "cn=users,cn=accounts,dc=DOMAIN,dc=COM" -D "uid=squid-ldap,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM" -W "/etc/squid/squid-ldap.cred" -u uid -H ldaps://ipa.domain.com:636
[…]
external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl -v 3 -b "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" -D "uid=squid-ldap,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=COM" -W "/etc/squid/squid-ldap.cred" -f "(&(cn=%g)(member=uid=%u))" -H ldaps://ipa.domain.com:636
This ldap search works fine:
user at ipa:~$ ldapsearch -x -D 'cn=Directory Manager' -W -b "cn=groups,cn=accounts,dc=DOMAIN,dc=COM" '(&(cn=proxy)(member=uid=user,*))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=DOMAIN,dc=COM> with scope subtree
# filter: (&(cn=proxy)(member=uid=user,*))
# requesting: ALL
#
# proxy, groups, accounts, ipnexia.com
dn: cn=proxy,cn=groups,cn=accounts,dc=ipnexia,dc=com
member: uid=user,cn=users,cn=accounts,dc=ipnexia,dc=com
memberOf: cn=proxyuser,cn=groups,cn=accounts,dc=ipnexia,dc=com
cn: proxy
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: GroupOfUniqueNames
objectClass: posixgroup
ipaUniqueID: ******
gidNumber: ******
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
So how am I meant to set the filter of ext_ldap_group_acl? Most FreeIPA and Squid information centers around using Kerberos (and SSO) but the clients I’m dealing with here are not tied to FreeIPA thus Kerberos is not an option.
https://docs.oracle.com/cd/E88353_01/html/E72487/ext-ldap-group-acl-8.html
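Added illustration, not part of the post above and not Squid's own helper code: it renders the ext_ldap_group_acl filter template with %u/%g substituted (escaped per RFC 4515, as any helper that builds a filter from a user-supplied login must) and evaluates the result against the proxy group entry taken from the ldapsearch output in the post. The point it makes visible is that FreeIPA stores the full user DN in member, so the posted template (member=uid=%u) can never match, while a template carrying the user base DN does. The entry dict, the template names and the check_membership helper are constructed for this example; the DN values are the ones from the post's LDIF.

```python
"""Render a Squid ext_ldap_group_acl-style filter and test it against a FreeIPA
group entry. Example code written for this thread; values come from the
ldapsearch output in the post, everything else is constructed."""
import re

# Constructed from the LDIF in the post (attribute names lower-cased for lookup).
GROUP_ENTRY = {
    "dn": ["cn=proxy,cn=groups,cn=accounts,dc=ipnexia,dc=com"],
    "member": ["uid=user,cn=users,cn=accounts,dc=ipnexia,dc=com"],
    "memberof": ["cn=proxyuser,cn=groups,cn=accounts,dc=ipnexia,dc=com"],
    "cn": ["proxy"],
    "objectclass": ["top", "groupofnames", "nestedgroup", "ipausergroup",
                    "ipaobject", "GroupOfUniqueNames", "posixgroup"],
}

# The template from the post, and a constructed one that carries the user base DN
# (the -b value of basic_ldap_auth in the post), which is what member holds.
POSTED_TEMPLATE = "(&(cn=%g)(member=uid=%u))"
DN_TEMPLATE = "(&(cn=%g)(member=uid=%u,cn=users,cn=accounts,dc=ipnexia,dc=com))"

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login containing '*', '(' or ')' becomes literal text
    instead of rewriting the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, user: str, group: str) -> str:
    """Substitute %u (login) and %g (group name) into the template."""
    return (template.replace("%u", escape_filter_value(user))
                    .replace("%g", escape_filter_value(group)))


_ASSERTION = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def entry_matches(entry: dict, filt: str) -> bool:
    """Evaluate a filter of the shape (&(attr=value)(attr=value)...) against one
    entry. Only equality assertions under a single AND are supported, which is
    all the posted template uses. Values are compared case-insensitively, as
    LDAP does for DN-valued and caseIgnore attributes."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filt)
    if not m:
        raise ValueError("unsupported filter syntax: " + filt)
    for attr, raw in _ASSERTION.findall(m.group(1)):
        if "*" in raw:  # an unescaped '*' would be a substring/presence filter
            raise ValueError("substring filters are not supported here")
        # Turn \XX escapes back into the literal characters they stand for.
        value = re.sub(r"\\([0-9a-fA-F]{2})",
                       lambda h: chr(int(h.group(1), 16)), raw).lower()
        if value not in (v.lower() for v in entry.get(attr.lower(), [])):
            return False
    return True


def check_membership(template: str, user: str, group: str,
                     entry: dict = GROUP_ENTRY) -> bool:
    """Render the template for this login/group and test it against the entry."""
    return entry_matches(entry, render_filter(template, user, group))


if __name__ == "__main__":
    for template in (POSTED_TEMPLATE, DN_TEMPLATE):
        rendered = render_filter(template, "user", "proxy")
        print(rendered, "->", check_membership(template, "user", "proxy"))
    # A hostile login is neutralised by escaping rather than changing the filter.
    print(render_filter(DN_TEMPLATE, "x*)(uid=", "proxy"))
```

Run against the entry above, the posted template yields False and the DN-carrying template yields True for the same login. Two caveats for the real deployment: the member attribute of a group lists only direct members, so for the nested-membership problem raised in the post the flattened memberOf values that FreeIPA maintains on the user entry (visible in the post's output as the memberOf attribute) are the attribute to query; and ext_ldap_group_acl also accepts a -F user-search filter that resolves the login to its DN before the group search, so check the man page linked above for how %u is substituted when -F is in use.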