Re: [squid-users] Squid Pre 2.5 and external ACLs

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 3 Sep 2002 20:07:32 +0200

Yes, the different group objects have a member attribute, and they do have
other attributes identifying the group. So you can search on the combination
of the two.

  a) The attribute that identifies the group must match the group name Squid
is asking for
  b) The member attribute must somehow match the login name.

If the login name is not part of the member attribute then you are stuck and
the helper needs to be extended as appropriate to translate the login name to
a DN before the group membership lookup.

Another model of group constructs in LDAP is to create a subtree with
referrals to the persons. Sort of the same as an OU, except that it does not
by itself contain any data, only referrals to other LDAP locations. From what
I can tell the group helper should work just fine with this but I have not
tested it with such an LDAP directory.

Regards
Henrik

Michael Fuller wrote:
> As far as I have noticed, the inetorgperson object in Openldap does not
> have an attribute for groups. It is the other way round. Groups have a
> member attribute. This is where I am stuck. Squid / LDAP authentication is
> done using username / password combination. How do I check the user's group
> membership when there is no attribute in the object?
> Or do I search for the user in the member attribute of the group objects ?
>
> Regards,
> Michael Fuller
>
> ----- Original Message -----
> From: "Henrik Nordström" <hno@marasystems.com>
> To: "Michael Fuller" <fullerms@hotmail.com>
> Cc: "Squid Users" <squid-users@squid-cache.org>
> Sent: Tuesday, September 03, 2002 5:04 PM
> Subject: Re: [squid-users] Squid Pre 2.5 and external ACLs
>
> > The squid_ldap_group helper is pretty neutral on the subject. The helper
> > uses an LDAP search filter of choice including the username and group. If
> > the filter matches at least one object in your LDAP directory then the
> > user is assumed to be a member of the requested group.
> >
> > This means that the same helper can match users within an OU (provided you
> > are consistent and have an OU attribute on your users matching the OU they
> > belong to), or groups listing all members in a "members" attribute, or by
> > subtrees of referrals, or pretty much any other group design.
> >
> > A good LDAP tool to play with here is the ldapsearch command.
> >
> > Regards
> > Henrik
> >
> > On Tue, 3 Sep 2002, Michael Fuller wrote:
> > > As a matter of fact, the LDAP directory design has to be based on what
> > > Squid can do with it. Users will be organized by OUs and Groups. While OUs
> > > will reflect the actual department they work for, I intend to use groups to
> > > define access privileges.
> > >
> > > Going through the Openldap documentation I see that there are two
> > > objectclasses to define groups - groupofnames and groupofuniquenames.
> > > Which one should I use ?
> > >
> > > Regards,
> > > Michael Fuller
Received on Tue Sep 03 2002 - 12:07:39 MDT
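Editor's note: the following is an added example, not code from the Squid project or from anyone in this thread. It models the lookup Henrik describes (login name and group name substituted into a search filter, any hit means "member") against a constructed in-memory directory, so it runs offline. The DNs, the user and group names, the filter templates and the tiny filter evaluator are all assumptions made for the illustration; a real deployment runs the filter through ldapsearch or the helper against the live directory. It shows the three designs discussed (memberUid holding login names, an OU attribute on the user, and groupOfNames "member" holding DNs, which needs the login-name-to-DN step from the reply), plus one caveat a practitioner should check in any such helper: whether the substituted login name is escaped, since an unescaped "*" in the filter turns a membership test into a presence test.

```python
"""Toy model of how an external group helper like squid_ldap_group decides
membership: login name and group name are substituted into an LDAP search
filter, the filter is run against the directory, and any hit means "member".
Directory, DNs and filter templates are constructed for this example; the
evaluator understands only (&...), (|...), (attr=value) and (attr=*)."""
import re

# Constructed directory: two inetOrgPerson users with an "ou" attribute, one
# groupOfNames whose "member" holds DNs, one posixGroup whose "memberUid"
# holds plain login names.
DIRECTORY = {
    "uid=mfuller,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["mfuller"], "ou": ["sales"]},
    "uid=hno,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["hno"], "ou": ["engineering"]},
    "cn=proxy-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["proxy-admins"],
        "member": ["uid=hno,ou=people,dc=example,dc=com"]},
    "cn=internet,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["internet"],
        "memberUid": ["mfuller", "hno"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping: characters that have meaning inside a filter are
    replaced by \\xx so a login name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(template, user, group, escape=True):
    """Fill %u and %g into the template (escape=False shows the unsafe way)."""
    if escape:
        user, group = escape_filter_value(user), escape_filter_value(group)
    return template.replace("%u", user).replace("%g", group)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text, pos=0):
    """Recursive-descent parser for the filter subset used here."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            children.append(node)
        if text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, _, raw = text[pos:end].partition("=")
    # A bare "*" is a presence test in LDAP; anything else is an equality test.
    node = ("present", attr) if raw == "*" else ("=", attr, _unescape(raw))
    return node, end + 1

def matches(node, entry):
    attrs = {k.lower(): v for k, v in entry.items()}
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "present":
        return node[1].lower() in attrs
    return node[2] in attrs.get(node[1].lower(), [])

def is_member(template, user, group, escape=True, directory=DIRECTORY):
    """One helper round: True ("OK") if the filled-in filter matches any entry."""
    node, _ = parse_filter(build_filter(template, user, group, escape))
    return any(matches(node, e) for e in directory.values())

def user_dn(user, directory=DIRECTORY):
    """The extra step needed when 'member' holds DNs: login name -> DN."""
    node, _ = parse_filter(build_filter("(uid=%u)", user, ""))
    return next((dn for dn, e in directory.items() if matches(node, e)), None)

def is_member_by_dn(user, group):
    dn = user_dn(user)
    return dn is not None and is_member("(&(cn=%g)(member=%u))", dn, group)

if __name__ == "__main__":
    print(is_member("(&(cn=%g)(memberUid=%u))", "mfuller", "internet"))  # memberUid design
    print(is_member("(&(ou=%g)(uid=%u))", "mfuller", "sales"))           # OU attribute on the user
    print(is_member("(&(cn=%g)(member=%u))", "hno", "proxy-admins"))      # fails: member holds DNs
    print(is_member_by_dn("hno", "proxy-admins"))                          # two-step lookup works
    print(is_member("(&(cn=%g)(memberUid=%u))", "*", "internet", escape=False))  # injected wildcard
    print(is_member("(&(cn=%g)(memberUid=%u))", "*", "internet"))         # blocked once escaped
```

The third and fourth calls are the point of the reply: with a groupOfNames "member" attribute the plain login name never matches, so the helper must first resolve the login name to a DN and only then run the group filter. The last two calls are the check worth making on whatever helper you deploy: feed it a login name such as "*" or "x)(uid=*" and confirm it answers ERR.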