Re: [squid-users] squid_ldap_group and Active Directory

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 04 Sep 2003 15:48:25 +0200

Thu 2003-09-04 at 14:54, fdfhf gjgjj wrote:
> Thank you very much Henrik....
>
> - I have read the man page and test a new command line (i'm trying first
> this option).
>
> I want to test an authentication with a user who belong to an internetaccess
> group...

Then you should start with squid_ldap_auth. When you have
squid_ldap_auth running correctly you can move on to squid_ldap_group
for the group membership lookup.

The normal operations of squid_ldap_auth are

0. Optionally bind (login) as a dummy user (by DN) if anonymous searches
are disallowed in the directory (-D+-W arguments)
1. Search for the user in the directory based on the login name (-f
argument)
2. Log in as the user located in step 2 to verify the password

The normal operations of squid_ldap_group are

0. Optionally bind (login) as a dummy user (by DN) if anonymous searches
are disallowed in the directory (-D+-W arguments)
1. Search for the user in the directory (-F argument with the same data
as -f to squid_ldap_auth)
2. Search for the group in the directory and verify that the user is
member of the group (-f argument).

As you can see squid_ldap_group builds on the same LDAP operations as
squid_ldap_auth, so to get squid_ldap_group running you must first have
squid_ldap_auth running correctly.

It is strongly recommended to play around a little with the ldapsearch
tool to explore the operations of LDAP and how to search for things
(i.e. users or groups) before trying to get
squid_ldap_auth/squid_ldap_group to run unless one knows exactly the
details of the directory.

LDAP search filters are quite simple in principle but use a different
syntax than most other things in this world, so it takes a couple of
attempts before one understands the filters correctly. The ldapsearch
tool also allows one to try binding to the directory.

The basic syntax of LDAP filters is

  (<operation>(condition1)(condition2)(...))

and in most cases the operation to use is "AND" (& in LDAP syntax)

giving the typical filter syntax:

  (&(attribute1=value1)(attribute2=value2)(...))

LDAP as such consists of objects named by their DN and each object has a
list of attributes. Searches can search for attribute/value combinations
(for example where the login attribute is equal to the login name looked
for), and will return the DN of each matching object in the directory
and optionally selected attributes from these objects.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions are only answered
for a fee or as part of a commercial Squid support contract.
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
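As an added illustration of the two flows described in the message above (this is not Squid's own code and not part of the original post), the following Python script simulates squid_ldap_auth and squid_ldap_group against a small in-memory directory: a user search by login name, a bind as the located DN, and a group search that requires the user's DN as a member. The filter templates, the %s/%u/%g placeholders, the directory entries and the helper names are this example's own assumptions. It also escapes the login name before substituting it into the filter (RFC 4515), so a login name can never alter the structure of the filter it is inserted into, which is the check a defender wants whenever a search filter is built from user-supplied input.

```python
"""Simulated squid_ldap_auth / squid_ldap_group flow against an in-memory
directory. Hypothetical example: the directory, the filter templates and the
placeholder names (%s, %u, %g) are this script's own assumptions."""
import re

# RFC 4515 escaping: * ( ) \ and NUL become \XX hex escapes before a value is
# substituted into a filter template, so user input cannot add or close terms.
def escape_filter_value(value: str) -> str:
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(template: str, **values: str) -> str:
    """Replace each %<letter> placeholder with its escaped value in one pass."""
    return re.sub(r"%([a-z])", lambda m: escape_filter_value(values[m.group(1)]), template)

def parse_filter(s: str):
    """Parse (&...), (|...), (!...) and (attr=value) into nested tuples.
    Only exact-match conditions are supported; wildcards are out of scope."""
    pos = 0
    def parse():
        nonlocal pos
        if pos >= len(s) or s[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos < len(s) and s[pos] in "&|!":
            op = s[pos]
            pos += 1
            kids = []
            while pos < len(s) and s[pos] == "(":
                kids.append(parse())
            if pos >= len(s) or s[pos] != ")":
                raise ValueError("unbalanced filter")
            pos += 1
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, kids)
        end = s.find(")", pos)
        if end < 0 or "=" not in s[pos:end]:
            raise ValueError("malformed condition")
        attr, value = s[pos:end].split("=", 1)
        pos = end + 1
        # Attribute names are case-insensitive in LDAP; normalise them.
        return ("=", attr.lower(), unescape_filter_value(value))
    node = parse()
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return value in {k.lower(): v for k, v in entry.items()}.get(attr, [])

# Constructed sample directory (Active Directory style attribute names).
ALICE_DN = "CN=alice,OU=Users,DC=example,DC=com"
BOB_DN = "CN=bob,OU=Users,DC=example,DC=com"
GROUP_DN = "CN=internetaccess,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    ALICE_DN: {"objectClass": ["user"], "sAMAccountName": ["alice"], "userPassword": ["alice-pw"]},
    BOB_DN: {"objectClass": ["user"], "sAMAccountName": ["bob"], "userPassword": ["bob-pw"]},
    GROUP_DN: {"objectClass": ["group"], "cn": ["internetaccess"], "member": [ALICE_DN]},
}

def search(filter_str: str) -> list:
    """Return the DNs of all entries matching the filter (like ldapsearch)."""
    node = parse_filter(filter_str)
    return [dn for dn, entry in DIRECTORY.items() if matches(node, entry)]

def bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind as the given DN."""
    return password in DIRECTORY.get(dn, {}).get("userPassword", [])

USER_FILTER = "(&(objectClass=user)(sAMAccountName=%s))"   # role of -f in squid_ldap_auth
GROUP_FILTER = "(&(objectClass=group)(cn=%g)(member=%u))"  # this example's own placeholders

def ldap_auth(login: str, password: str) -> bool:
    """Step 1: locate the user by login name. Step 2: bind as that DN."""
    dns = search(build_filter(USER_FILTER, s=login))
    return len(dns) == 1 and bind(dns[0], password)

def ldap_group(login: str, group: str) -> bool:
    """Step 1: locate the user (-F). Step 2: find the group and require the
    user's DN among its members (-f)."""
    dns = search(build_filter(USER_FILTER, s=login))
    if len(dns) != 1:
        return False
    return bool(search(build_filter(GROUP_FILTER, g=group, u=dns[0])))

if __name__ == "__main__":
    print("auth alice:", ldap_auth("alice", "alice-pw"))
    print("group alice:", ldap_group("alice", "internetaccess"))
    print("group bob:", ldap_group("bob", "internetaccess"))
    print("escaped filter:", build_filter(USER_FILTER, s="a*b"))
```

The escaping step is the part worth keeping in mind when wiring these helpers up for real: a login name is attacker-controlled input, and it is substituted into the search filter in step 1 of both flows.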
Received on Thu Sep 04 2003 - 07:48:34 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:19:32 MST