Re: [squid-users] squid_ldap_group authentication against Active

On Thu, 18 Dec 2003, Keppner, Christoph wrote:

> I know so far, that squid_ldap_group is the right program, but how do i use
> it? In a mail from Henrik Nordstrom, there was this description:

squid_ldap_group is used via the external_acl_type directive. See the
manual (yes there is a manual for squid_ldap_group).

> > 0. Optionally bind (login) as a dummy user (by DN) if anonymous
> > searches is disallowed in the directory (-D+-W arguments)
> > 1. Search for the user in the directory (-F argument with the same data
> > as -f to squid_ldap_auth)
> > 2. Search for the group in the directory and verify that the user is
> > member of the group (-f argument).
>
> How must the -f argument looks like?!?

The manual has some good hints on this. The purpose of the -f argument to
squid_ldap_group is similar to the purpose of the -f argument to
squid_ldap_auth but looking for a matching group rather than a matching
user.

Usually this looks like

-f "(&(cn=%g)(member=%u)(objectClass=groupOfNames ))"

asking the helper to search for a groupOfNames with the group name as cn
and the user DN as member. Should probably make this the default when -F
is specified.

The user DN is looked up by the -F argument in the same manner as the -f
argument to squid_ldap_auth.

Regards
Henrik