[squid-users] Issues with authentication in Squid3

Marcio Demetrio Bacci marciobacci at gmail.com
Thu Dec 10 09:24:02 UTC 2015 

Hi,

My problem with Squid 3.4.8 is the following :

The ext_ldap_group_acl locates the user group of a user, but even if find
the first group (eg "administrators") in which the user is a member
continue to search for all groups that the user is a member, so
authenticate the user only in his last group, in the my case is the Domain
Users group.

This way, only rules to Domain Users is working in my Squid Server. Rules
to admins users and others do not work.

I have the message in  /var/log/squid3/cache.log:

2015/12/10 06:36:33 kid1| helperOpenServers: Starting 1/50
'basic_ldap_auth' processes
ext_ldap_group_acl.cc(583): pid=24059 :Connected OK
ext_ldap_group_acl.cc(722): pid=24059 :group filter
'(&(objectclass=person)(sAMAccountName=ze)(memberof=cn=webadmins,DC=empresa,DC=com,DC=br
))', searchbase 'DC=empresa,DC=com,DC=br'
2015/12/10 06:36:34 kid1| Starting new redirector helpers...
2015/12/10 06:36:34 kid1| helperOpenServers: Starting 1/20 'squidGuard'
processes
ext_ldap_group_acl.cc(583): pid=24059 :Connected OK
ext_ldap_group_acl.cc(722): pid=24059 :group filter
'(&(objectclass=person)(sAMAccountName=ze)(memberof=cn=webliberados,DC=empresa,DC=com,DC=br
))', searchbase 'DC=empresa,DC=com,DC=br'
ext_ldap_group_acl.cc(583): pid=24060 :Connected OK
ext_ldap_group_acl.cc(722): pid=24060 :group filter
'(&(objectclass=person)(sAMAccountName=ze)(memberof=cn=domain%20users,DC=empresa,DC=com,DC=br))',
searchbase 'DC=empresa,DC=com,DC=br'
2015/12/10 06:38:04 kid1| Starting new redirector helpers...


Here is my squid.conf

http_port 3128
cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90
maximum_object_size 512 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
quick_abort_min -1 KB
detect_broken_pconn on
fqdncache_size 1024
refresh_pattern ^ftp:    1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%     0
refresh_pattern .        0    20%    4320
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_dir aufs /var/spool/squid3 600 16 256

auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br -w
12345 -h 192.168.0.25 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
auth_param basic children 50
auth_param basic realm Proxy Server Squid
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type ad_group %LOGIN /usr/lib/squid3/ext_ldap_group_acl -d -R
-b DC=empresa,DC=com,DC=br -D proxy at empresa.com.br -w 12345 -f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,DC=empresa,DC=com,DC=br
))" -h 192.168.0.25

visible_hostname proxy.empresa.com.br
acl localhost src 192.168.0.1/32
acl SSL_ports port 22 443 563
acl Safe_ports port 21
acl Safe_ports port 70
acl Safe_ports port 80
acl Safe_ports port 88
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 389
acl Safe_ports port 443
acl Safe_ports port 464
acl Safe_ports port 488
acl Safe_ports port 563
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
acl grupo_admins external ad_group webadmins
acl grupo_liberado external ad_group webliberados
acl grupo_restrito external ad_group domain%20users
acl autenticados proxy_auth REQUIRED
http_access deny !autenticados
http_access allow grupo_admins
acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
http_access deny extensoes_bloqueadas
http_access allow sites_liberados
http_access deny sites_bloqueados
http_access allow grupo_liberado
redirect_program /usr/bin/squidGuard
redirect_children 20
redirector_bypass on
http_access allow grupo_restrito
acl lan src 192.168.0.0/22
http_access allow lan
http_access deny all
error_directory /usr/share/squid3/errors/en
coredump_dir /var/spool/squid3

Regards,

Márcio
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151210/4a59c1fc/attachment.html>

More information about the squid-users mailing list