List: squid-users
Subject: Re: [squid-users] squid_ldap_group
From: "Gonzalo Morera" <gmorera () novell ! com>
Date: 2011-01-31 15:48:55
Message-ID: 4D46D9E70200001F00094DF8 () vpn ! id2 ! novell ! com
In case somebody is interested, indeed changing the query made it work. Now username/password in the browser works fine and users are correctly authenticated.
Thanks
Gonzalo
>>> Gonzalo Morera 31/1/2011 11:24 AM >>>
I've found an old post talking about eDirectory, so I modified the query like that:
/usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b o=laboratorio -s sub -f "(&(objectClass=User)(cn=%u)(groupMembership=cn=%g,o=laboratorio))" -h 192.168.0.205 -p 389
and now just entering "username groupname" shows OK.
So it looks like in the LDAP filter, for the group name I had to specify manually the context where it is, even if it is under the search base.
Now I have to test it on the browser login page.
Thanks
Gonzalo
>>> "Gonzalo Morera" <gmorera@novell.com> 31/1/2011 10:32 AM >>>
I saw now that if I enter the query on the bash:
/usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b o=laboratorio -s sub -f "(&(objectClass=User)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389
when the cursor blinks I enter:
username group
Then I've got: squid_ldap_group Warning, ldap search error "invalid dn syntax"
So it looked like the query sent is incorrect. But if I enter:
username cn=groupname,o=context
Then I've got "Connected OK" and "groupfilter OK".
So it looks like this is my issue, the query sent is incorrect. From bash I can easily modify it and add cn=group,o=context to perform the search, but how can I apply that to the acl? Here I'm lost.
Thanks a lot
Gonzalo
>>> "Gonzalo Morera" <gmorera@novell.com> 31/1/2011 09:45 AM >>>
Hi all
After getting familiar with squid_ldap_auth, I'm still having some issues with squid_ldap_group. I'm getting familiar with squid acl (I've been working the last years with Novell BorderManager, which is quite different) and I can not make it work. I've got two groups, internet_r and internet_nr.
I'm using a .pl file to allow users with the Novell client installed to transparently access the internet. That works fine, as the .pl script gets the network IP address of the client. But, with no Novell client installed, the default ldap_auth method has to be used, so users get a login page to enter name and password. After doing it, the same page appears, and after 3 times an "access denied" is seen. No matter if I use a user in group internet_r (with access) or internet_nr (no access), the results are the same. The login page keeps returning until the access denied. So I'm doing something wrong with squid_ldap_group and acl. Looking at LAN traces, I saw nothing, and the access.log file showed no errors, only the URL the user wanted to go to. /var/log/messages showed as well no indication of any error. So how can I see in more detail what is happening?
This is my squid.conf
#Recommended minimum configuration:
auth_param basic program /usr/sbin/squid_ldap_auth -Z -D cn=squid,o=laboratorio -w novell -b o=laboratorio -s sub -f "(&(objectclass=User)(cn=%s))" -h 192.168.0.205 -p 389
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
#Default:
# none
#external_acl_type directory_group %LOGIN /usr/sbin/squid_ldap_group -R -b "ou=servicios,o=laboratorio" -D "cn=admin,o=laboratorio" -w "synergy" -f "(&(objectClass=person)(uid=%v)(groupMembership=cn=%a,ou=servicios,o=laboratorio))" -h 192.168.0.205 -p 389
#
external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
#
#this one works: external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -R -b "o=laboratorio" -D "cn=squid,o=laboratorio" -w "novell" -f "(&(objectClass=inetOrgPerson)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b o=laboratorio -s sub -f "(&(objectClass=User)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389
Message looks good when loading:
Jan 27 12:26:59 oes2sp1 squid[11312]: Squid Parent: child process 11314 started
Jan 27 12:26:59 oes2sp1 squid[11314]: Starting Squid Cache version 2.5.STABLE12 for i686-pc-linux-gnu...
Jan 27 12:26:59 oes2sp1 squid[11314]: Process ID 11314
Jan 27 12:26:59 oes2sp1 squid[11314]: With 4096 file descriptors available
Jan 27 12:26:59 oes2sp1 squid[11314]: DNS Socket created at 0.0.0.0, port 32788, FD 6
Jan 27 12:26:59 oes2sp1 squid[11314]: Adding nameserver 192.168.0.26 from /etc/resolv.conf
Jan 27 12:26:59 oes2sp1 squid[11314]: helperOpenServers: Starting 8 'squidGuard' processes
Jan 27 12:26:59 oes2sp1 squid[11314]: helperOpenServers: Starting 5 'squid_ldap_auth' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: helperOpenServers: Starting 5 'squid_edir_iplookup.pl' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: helperOpenServers: Starting 5 'squid_ldap_group' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: User-Agent logging is disabled.
Jan 27 12:27:00 oes2sp1 squid[11314]: Referer logging is disabled.
Jan 27 12:27:01 oes2sp1 squid[11314]: Unlinkd pipe opened on FD 34
Jan 27 12:27:01 oes2sp1 squid[11314]: Swap maxSize 1048576 KB, estimated 80659 objects
Jan 27 12:27:01 oes2sp1 squid[11314]: Target number of buckets: 4032
Jan 27 12:27:01 oes2sp1 squid[11314]: Using 8192 Store buckets
Jan 27 12:27:01 oes2sp1 squid[11314]: Max Mem size: 102400 KB
Jan 27 12:27:01 oes2sp1 squid[11314]: Max Swap size: 1048576 KB
Jan 27 12:27:01 oes2sp1 squid[11314]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Jan 27 12:27:01 oes2sp1 squid[11314]: Rebuilding storage in /var/cache/squid (DIRTY)
Jan 27 12:27:01 oes2sp1 squid[11314]: Using Least Load store dir selection
Jan 27 12:27:01 oes2sp1 squid[11314]: Set Current Directory to /var/cache/squid
Jan 27 12:27:01 oes2sp1 squid[11314]: Loaded Icons.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting HTTP connections at 0.0.0.0, port 3128, FD 36.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting ICP messages at 0.0.0.0, port 3130, FD 37.
Jan 27 12:27:01 oes2sp1 squid[11314]: HTCP Disabled.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting SNMP messages on port 3401, FD 38.
Jan 27 12:27:01 oes2sp1 squid[11314]: WCCP Disabled.
Jan 27 12:27:02 oes2sp1 squid[11314]: Ready to serve requests.
Jan 27 12:27:02 oes2sp1 squid[11314]: Done reading /var/cache/squid swaplog (1864 entries)
Jan 27 12:27:02 oes2sp1 squid[11314]: Finished rebuilding storage from disk.
Jan 27 12:27:02 oes2sp1 squid[11314]: 1864 Entries scanned
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Invalid entries.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 With invalid flags.
Jan 27 12:27:02 oes2sp1 squid[11314]: 1864 Objects loaded.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Objects expired.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Objects cancelled.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Duplicate URLs purged.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Swapfile clashes avoided.
Jan 27 12:27:02 oes2sp1 squid[11314]: Took 1.7 seconds (1096.5 objects/sec).
Jan 27 12:27:02 oes2sp1 squid[11314]: Beginning Validation Procedure
Jan 27 12:27:02 oes2sp1 squid[11314]: Completed Validation Procedure
Jan 27 12:27:02 oes2sp1 squid[11314]: Validated 1864 Entries
Jan 27 12:27:02 oes2sp1 squid[11314]: store_swap_size = 27684k
Jan 27 12:27:03 oes2sp1 squid[11314]: storeLateRelease: released 0 objects
Thanks a lot
gonzalo
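The thread's fix is that eDirectory's groupMembership attribute holds full DNs, so the helper filter must carry the group's context ("cn=%g,o=laboratorio") rather than the bare "%g" that Squid passes from the acl line. The script below is an added example, not code from the thread or from Squid: it models what squid_ldap_group does with one request line ("user group [group ...]"), expanding %u/%g into the -f filter with RFC 4515 escaping and evaluating it against a small in-memory directory constructed here (the entries for gonzalo, pepe and internet_r are invented, as are the "pepe" and "internet_nr" membership). A real eDirectory server rejects the broken filter with "invalid dn syntax", as Gonzalo saw; this offline model simply finds no match.

```python
"""
Offline model of the squid_ldap_group lookup (added example, not Squid code).

Squid hands the helper one line per lookup: the %LOGIN user name followed by
the group names from the acl line. The helper substitutes %u / %g (escaped
per RFC 4515) into the -f filter, searches under -b, and answers OK or ERR.
The directory below is constructed for this example only.
"""
import re

# Constructed sample tree under o=laboratorio (attribute names lower-cased).
DIRECTORY = [
    {"dn": "cn=gonzalo,o=laboratorio",
     "objectclass": ["inetOrgPerson", "User"],
     "cn": ["gonzalo"],
     "groupmembership": ["cn=internet_r,o=laboratorio"]},
    {"dn": "cn=pepe,o=laboratorio",
     "objectclass": ["inetOrgPerson", "User"],
     "cn": ["pepe"],
     "groupmembership": ["cn=internet_nr,o=laboratorio"]},
    {"dn": "cn=internet_r,o=laboratorio",
     "objectclass": ["groupOfNames"],
     "cn": ["internet_r"],
     "member": ["cn=gonzalo,o=laboratorio"]},
]

# The two filters from the thread: the one that failed and the one that worked.
FILTER_BROKEN = "(&(objectClass=User)(cn=%u)(groupMembership=%g))"
FILTER_FIXED = "(&(objectClass=User)(cn=%u)(groupMembership=cn=%g,o=laboratorio))"


def ldap_escape(value):
    """RFC 4515 escaping of a filter assertion value (applied to %u and %g)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template, user, group, escape=True):
    """Expand %u/%g (and the older %v/%a spellings) into the search filter."""
    u = ldap_escape(user) if escape else user
    g = ldap_escape(group) if escape else group
    for tok, val in (("%u", u), ("%v", u), ("%g", g), ("%a", g)):
        template = template.replace(tok, val)
    return template


def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, !, equality and presence."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError("unbalanced filter")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)          # an escaped ')' is never literal
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        if value == "*":
            return ("present", attr.lower())
        return ("=", attr.lower(), ldap_unescape(value))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    if op == "present":
        return bool(entry.get(tree[1]))
    _, attr, value = tree
    # Case-insensitive equality is close enough for cn and DN-valued attributes.
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def helper_reply(template, line, base="o=laboratorio", directory=DIRECTORY, escape=True):
    """Answer one helper request line ("user group [group ...]") with OK or ERR."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"
    user, groups = fields[0], fields[1:]
    for group in groups:
        tree = parse_filter(build_filter(template, user, group, escape))
        for entry in directory:
            if entry["dn"].lower().endswith(base.lower()) and matches(tree, entry):
                return "OK"                 # first matching group is enough
    return "ERR"


if __name__ == "__main__":
    for template in (FILTER_BROKEN, FILTER_FIXED):
        print(template)
        for line in ("gonzalo internet_r", "gonzalo internet_nr", "pepe internet_nr"):
            print("  %-22s -> %s" % (line, helper_reply(template, line)))
```

The escape=False switch exists only in this model, to show why the real helper escapes the substituted values: with escaping off, a login of "*" turns (cn=%u) into a presence test and the filter matches any member of internet_r. Since %LOGIN is the name the user authenticated as, that is not a bypass in a correctly configured proxy, but it is the reason a filter template must never be built from raw input.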