[squid-users] External ACL Lookup

Rafael Akchurin rafael.akchurin at diladele.com
Tue Apr 5 21:25:03 UTC 2016

Hello Tommy,

Just my two cents. Try using userPrincipalName, and not sAMAccountName, in the LDAP filter.
The squid logs indicate the user is authenticated as tcraddock at EXAMPLE.COM which is *not* in sAMAccountName for sure.

Best regards,
Rafael Akchurin
Diladele B.V.

Please take a look at Web Safety - our ICAP based web filter server for Squid proxy at http://www.diladele.com.

From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Craddock, Tommy
Sent: Tuesday, April 5, 2016 11:16 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] External ACL Lookup


Trying to use an external ACL helper to do a lookup of my user in a group in a Windows AD.  I can test from the command line:

/usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid at example.com -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com
tcraddock at EXAMPLE.COM Full.Access

In the cache.log w/debug set to ALL,3:

2016/04/05 16:54:39.768| aclMatchExternal: memberof user not authenticated (0)
2016/04/05 16:54:39.780| authenticateAuthUserAddIp: user 'tcraddock at EXAMPLE.COM' has been seen at a new IP address (
2016/04/05 16:54:39.780| aclMatchExternal: memberof("tcraddock at EXAMPLE.COM Full.Access") = lookup needed
2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock at EXAMPLE.COM Full.Access": entry=@0, age=0
2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock at EXAMPLE.COM Full.Access": queueing a call.
2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock at EXAMPLE.COM Full.Access": return -1.
2016/04/05 16:54:39.780| externalAclLookup: lookup in 'memberof' for 'tcraddock at EXAMPLE.COM Full.Access'
2016/04/05 16:54:39.784| externalAclHandleReply: reply="ERR"
2016/04/05 16:54:39.785| external_acl_cache_add: Adding 'tcraddock at EXAMPLE.COM Full.Access' = 0
2016/04/05 16:54:39.785| aclMatchExternal: memberof = 0

In the file referenced in the ACLs:

acl RestrictedAccess    external memberof "/etc/squid/restricted_access.txt"
acl FullAccess          external memberof "/etc/squid/full_access.txt"

it has:

cat /etc/squid/full_access.txt

cat /etc/squid/restricted_access.txt

I'm not sure why the logs show my user getting ERR as the response to the group check; when I run it from the command line, I get an OK.

Info about my setup:

[root at clwslprox01p squid]# squid -v
Squid Cache: Version 3.1.23
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-internal-dns' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--enable-http-violations' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.23

[root at clwslprox01p squid]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)

Using negotiate w/NTLM and Kerberos to do user auth, and trying to use external helpers to do group lookups to a Windows AD.  Windows AD is 2008 and 2012 in my env.


### cache manager
cache_mgr pclan at example.com

#Define the cache_peer to be used
# cache_peer proxy1.ap.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest
  cache_peer proxy1.us.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.hk.webscanningservice.com parent 3128 0000 default no-query no-digest
# cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE.COM --require-membership-of=EXAMPLE\\Full.Access -kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE\\Full.Access
auth_param ntlm children 30
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=example,dc=com" -D Squid at EXAMPLE.COM -W /etc/squid/password -f sAMAccountName=%s -h DC01.EXAMPLE.COM
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid at EXAMPLE.COM -W /etc/squid/.ldappass.txt -f "(&(objectclass=person)(sAMAccountName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h DC01.EXAMPLE.COM

### acl for proxy auth and ldap authorizations
acl our_networks src
acl INTERNAL dst
acl auth proxy_auth REQUIRED
acl HEAD method HEAD
acl RestrictedAccess    external memberof "/etc/squid/restricted_access.txt"
acl FullAccess          external memberof "/etc/squid/full_access.txt"
acl Approved_Domains dstdomain "/etc/squid/acls/approved.txt"
acl WindowsUpdate dstdomain -i "/etc/squid/acls/windowsupdates.txt"
acl local-servers dstdomain "/etc/squid/acls/localservers.txt"
acl RestrictedHost src "/etc/squid/acls/restrictedhost_ip.txt"
acl bypass_auth src "/etc/squid/acls/bypass_auth_src_ip.txt"
acl bypass_auth-external dstdomain "/etc/squid/acls/bypass_auth_dst_domain.txt"
acl blocksites dstdomain "/etc/squid/acls/block_sites.txt"
acl DIRECT src "/etc/squid/acls/direct_src_ip.txt"
acl DIRECT-external dstdomain "/etc/squid/acls/direct_dst_domains.txt"
acl Smartconnect dstdomain ned.webscanningservice.com
acl Java browser Java/[0-9]
acl JavaSites dstdomain .gotomeeting.com
always_direct allow INTERNAL
always_direct allow local-servers
cache deny INTERNAL
cache deny local-servers

### squid defaults
acl manager proto cache_object
acl localhost src ::1
acl to_localhost dst ::1
acl SSL_ports port 443 563 33808
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
#allow custom ports
acl goto_meeting dst
acl Safe_ports port 8200        # gotomeeting
acl Safe_ports port 31303 33808 # TD Merchant
acl Safe_ports port 8443        # Symantec SEP Manager
acl Safe_ports port 8014        # Symantec SEPM Client
acl SSL_ports port 9443         # pingdevfed
acl SSL_ports port 9444         # pingdevfed
acl SSL_ports port 5443         # pingdev
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny !memberof
http_access allow localhost
http_access allow HEAD
http_access deny !our_networks
http_access allow Smartconnect
http_access deny blocksites all
http_access allow Approved_Domains
http_access deny RestrictedHost all
http_access allow FullAccess auth
http_access allow Java
http_access allow WindowsUpdate
http_access allow bypass_auth
http_access allow bypass_auth-external
http_access allow goto_meeting
http_access allow our_networks all
http_access allow Java our_networks JavaSites
http_access allow auth
http_access deny !auth
http_access deny all

deny_info error-blocksites blocksites

#Logs to look like apache
emulate_httpd_log on

#Level of Log debugging
debug_options ALL,1

#Log file locations
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log
useragent_log /var/log/squid/useragent.log

#Hostname shown in error pages
visible_hostname proxy01p
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
