[squid-users] Group check against AD

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 28 00:09:14 UTC 2014



On 28/10/2014 6:26 a.m., masterx81 wrote:
> Hi! I'm trying to check if a user is present in a Group, and now
> i'm using the following config:
> 
> external_acl_type memberof ttl=30 %LOGIN
> /usr/local/squid/libexec/ext_ldap_group_acl -v 3 -R -K -b
> "dc=domain,dc=local" -D squid@domain.local -W
> /etc/squid/ldappass.txt -f
> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=SQUID,ou=OU
> domain,dc=domain,dc=local))" -h srv-dc1.domain.local
> 
> It works, but it has some limits; for example, if a user is only in the
> group of interest it does not pass (while adding a second group that is
> the default group, it works). Also, if a user is in some "sub"
> groups it does not work.
> 
> I've also tried the kerb helper (with kerb configured and keytab
> working); using shell commands it works, for example:
> /usr/lib64/squid/ext_kerberos_ldap_group_acl -g "Internet libero"
> -D "DOMAIN.LOCAL" which, converted into squid, must be something like:
> external_acl_type memberof ttl=30 %LOGIN
> /usr/lib64/squid/ext_kerberos_ldap_group_acl -d -g "%g" -D
> "DOMAIN.LOCAL" It works (on the shell; I've not tried the second syntax in
> squid), but with the same limits.

This is not a group check. There are three parts to those.

1) The configuration for how the helper connects to LDAP and *where*
it looks for groups. What you have detailed above.

2) The group(s) to be checked is an "acl ... external memberof ..."
line later in your config file. Each entry there will be inserted in
the LDAP query where %g is used.

3) The timing of when to check it is an http_access or other access
list using that acl line even later in the config.


You are using %v in the filter for some reason. That is not a macro
supported by this helper and thus will be replaced with nothing.
I suspect you meant to be using %u instead - which is replaced on
lookups by the user name from %LOGIN.

See the -f option documentation:
<http://www.squid-cache.org/Versions/v3/3.4/manuals/ext_ldap_group_acl.html>

> 
> There is a way to at least have the user in only one Group (that is
> the default group)?

Having a user "in" a group is a property of the AD unrelated to Squid
or any of these squid.conf settings. Squid is just doing a
lookup/query of the AD database using LDAP protocol.

I suspect with that %v mistake your rules are effectively telling LDAP
to query whether *any* object of objectclass=person exists in the
group. Which would normally be true of groups, so the first group
always returns a match on your lookups.

Amos
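The three parts Amos describes, put together in one squid.conf fragment as an added example (not the original poster's config and not from Amos's reply). The helper path, base DN, bind account, password file and directory host are taken from the quoted config; the OU path under which groups live, the bind account name and the group name `Internet_Users` are assumed placeholders to be replaced with real values.

```squid
# Added example: group membership check against AD with ext_ldap_group_acl.
# Values for ou=SQUID, the bind account and the group name are placeholders.

# 1) How the helper connects to LDAP and where it looks for groups.
#    %u is replaced by the user name passed in via %LOGIN (the quoted config
#    used %v, which this helper does not support); %g is replaced by each
#    group name listed on the acl line in part 2.
external_acl_type memberof ttl=30 %LOGIN \
  /usr/local/squid/libexec/ext_ldap_group_acl -v 3 -R -K \
  -b "dc=domain,dc=local" \
  -D squid@domain.local -W /etc/squid/ldappass.txt \
  -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=%g,ou=SQUID,dc=domain,dc=local))" \
  -h srv-dc1.domain.local

# 2) Which group(s) to check. Each name here is substituted for %g in the
#    filter above; the helper answers OK only if the user matches.
acl internet_users external memberof Internet_Users

# 3) When to check it: an http_access rule that uses the acl. Members of the
#    group are allowed, everyone else is denied.
http_access allow internet_users
http_access deny all
```

With this layout a user who is in the one group of interest matches on the first lookup, because the filter now names the user explicitly instead of matching any person object in the group.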

