Organisational units are not groups, they are subtrees in the LDAP structure.
Groups are typically made of groupOfNames objects having a member attribute listing the members of the group.

The easiest way to match organisational units is if the ou name is kept in an attribute of the user object. In such a case the filter becomes

    external_acl_type ldap_ou %LOGIN /usr/local/squid/libexec/squid_ldap_group -d -P -b dc=rusautogaz,dc=ru -f (&(uid=%v)(ou=%a)(objectClass=Person)) -h 172.16.6.1 -p 389

But it should also be possible to match on the dn such as in this example:

    external_acl_type ldap_ou %LOGIN /usr/local/squid/libexec/squid_ldap_group -d -P -b dc=rusautogaz,dc=ru -f (&(dn=uid=%v,ou=%a,dc=rusautogaz,dc=ru)(objectClass=Person)) -h 172.16.6.1 -p 389

Regards
Henrik

On Thursday 27 March 2003 07.48, Mark wrote:
> Hi
> I have some problems configuring authentication of an LDAP users
> group. Authentication from squid_ldap_auth is fine, but if I attempt
> to add authentication with a group, it fails.
>
> dn: uid=sysadmin,ou=uit,dc=rusautogaz,dc=ru
> cn:: 0JrRgNC40YfQvNCw0YAg0JzQsNGA0Log0JzQuNGF0LDQudC70L7QstC40Yc=
>
> dn: ou=uit,dc=rusautogaz,dc=ru
> objectClass: top
> objectClass: organizationalUnit
> ou: uit
>
> -- squid.conf --
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth
> -P -b dc=rusautogaz,dc=ru -D cn=Manager,dc=rusautogaz,dc=ru -w
> password -f (&(uid=%s)(description=active)) -h 172.16.6.1:389
>
> external_acl_type ldap_group %LOGIN
> /usr/local/squid/libexec/squid_ldap_group -d -P -b
> dc=rusautogaz,dc=ru -f
> (&(uid=%v)(member=%a)(objectClass=organizationalUnit)) -h
> 172.16.6.1 -p 389
>
> acl admin external ldap_group uit
>
> http_access allow admin
>
> -------------
>
> Can anybody help me?
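
Added example, not part of the original messages and not Squid's own code: a small Python model of how the helper's filter template is expanded (%v = login name, %a = the group name from the acl line) and evaluated against one entry at a time, showing why the filter in the question matches nothing while the ou-attribute filter matches the user. The entries are constructed from the LDIF in the thread; the user's `ou` and `objectClass` values and the metacharacter check in `expand` are assumptions of this example.

```python
import re

# Constructed entries modelled on the LDIF in the thread. The `ou` and
# objectClass values on the user entry are assumptions; the post does not show them.
DIRECTORY = {
    "uid=sysadmin,ou=uit,dc=rusautogaz,dc=ru":
        {"uid": ["sysadmin"], "ou": ["uit"], "objectclass": ["Person"]},
    "ou=uit,dc=rusautogaz,dc=ru":
        {"ou": ["uit"], "objectclass": ["top", "organizationalUnit"]},
}
OU_ATTR_FILTER = "(&(uid=%v)(ou=%a)(objectClass=Person))"                 # from the reply
MEMBER_FILTER = "(&(uid=%v)(member=%a)(objectClass=organizationalUnit))"  # from the question

def expand(template, login, group):
    """Substitute %v (login name) and %a (group name) into the filter template."""
    for value in (login, group):
        # Example-only hardening: refuse characters that would change the filter's shape.
        if re.search(r"[()*\\\x00]", value):
            raise ValueError("filter metacharacter in %r" % value)
    return template.replace("%v", login).replace("%a", group)

def parse(flt, pos=0):
    """Parse the subset (&...), (|...), (attr=value); return (node, next position)."""
    if flt[pos + 1] in "&|":
        op, children, pos = flt[pos + 1], [], pos + 2
        while flt[pos] == "(":
            child, pos = parse(flt, pos)
            children.append(child)
        return (op, children), pos + 1  # step over the closing ')'
    end = flt.index(")", pos)
    attr, value = flt[pos + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter against ONE entry's attributes."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in attrs.get(node[1], []))
    results = [matches(child, attrs) for child in node[1]]
    return all(results) if node[0] == "&" else any(results)

def search(template, login, group):
    """Return the DNs of entries matching the expanded filter."""
    tree, _ = parse(expand(template, login, group))
    return [dn for dn, attrs in DIRECTORY.items() if matches(tree, attrs)]

if __name__ == "__main__":
    print(search(OU_ATTR_FILTER, "sysadmin", "uit"))  # the user entry matches
    print(search(MEMBER_FILTER, "sysadmin", "uit"))   # no single entry satisfies all three terms
```

The second search is empty because an `&` filter is tested against each entry on its own: the user entry has `uid` but no `member`, and the organizationalUnit entry has neither.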
