[squid-users] External ACL Lookup

Craddock, Tommy Tommy.Craddock at bicgraphic.com
Thu Apr 7 14:47:23 UTC 2016


My replies are interspersed below, in between lines of

_______________________________________________________________________________________________________________________________________


On 6/04/2016 9:16 a.m., Craddock, Tommy wrote:
> Hello,
> 
> Trying to use an external ACL helper to do a lookup of my user in a group in a Windows AD.  I can test from the command line:
> 
> 
> /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid@example.com -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com
> tcraddock@EXAMPLE.COM Full.Access
> OK
> 

I'm always a little suspicious about whitespace in the LDAP parameters.
Such as you have for "ou=Some Group" in the -f filter.

It does depend on how new vs old your Squid is whether that will be treated as two parameters or one passed to the helper by Squid. The command line test will always pass it as one parameter.

If you can rework your ou= parameter to avoid the whitespace it might work better (just a maybe, but you do have Squid 3.1).

_______________________________________________________________________________________________________________________________________________
MY REPLY:


Amos, I moved my group into a different OU, called Some.OU, and it still gives me the same result in the cache.log:


In squid.conf:

external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid@example.com -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=$)(memberof=cn=%g,ou=Some.OU,dc=example,dc=com))" -h dc01.example.com


In cache.log:

2016/04/07 09:26:55.123| aclMatchExternal: memberof("tcraddock@example.com Full.Access") = lookup needed
2016/04/07 09:26:55.123| aclMatchExternal: "tcraddock@example.com Full.Access": entry=@0, age=0
2016/04/07 09:26:55.123| aclMatchExternal: "tcraddock@example.com Full.Access": queueing a call.
2016/04/07 09:26:55.123| aclMatchExternal: "tcraddock@example.com Full.Access": return -1.
2016/04/07 09:26:55.123| externalAclLookup: lookup in 'memberof' for 'tcraddock@example.com Full.Access'
2016/04/07 09:26:55.128| externalAclHandleReply: reply="ERR"
2016/04/07 09:26:55.128| external_acl_cache_add: Adding 'tcraddock@example.com Full.Access' = 0
2016/04/07 09:26:55.128| aclMatchExternal: memberof = 0

__________________________________________________________________________________________________________________________________________________________________
> 
> In the file referenced in the ACLs:
> 
> acl RestrictedAccess    external memberof "/etc/squid/restricted_access.txt"
> acl FullAccess          external memberof "/etc/squid/full_access.txt"
> 
> 
> it has:
> 
> cat /etc/squid/full_access.txt
> Full.Access
> 
> cat /etc/squid/restricted_access.txt
> Restricted.Access
> 

Speaking of whitespace. The only reason for using files there is when the group name contains a whitespace character. To avoid a squid.conf parser bug (sorry). If those dots are in fact dots and not spaces, then you don't need the extra files.


______________________________________________________________________________________________________________________________________
MY REPLY:

Understood, changed this to:

acl RestrictedAccess    external memberof Restricted.Access
acl FullAccess external memberof Full.Access

_______________________________________________________________________________________________________________________________________
> 
> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=example,dc=com" -D Squid@EXAMPLE.COM -W /etc/squid/password -f sAMAccountName=%s -h DC01.EXAMPLE.COM
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
> 


Your NTLM and Negotiate authenticators have a parameter requiring membership of the Full.Access group as part of the auth process.

That means you should be able to use the auth type to tell what group they are a member of.


_______________________________________________________________________________________________________________________________________

How?  I've tried to find out how to use that in an ACL but I haven't been able to find an example. Plus, since I'm using negotiate with NTLM and Kerberos, if the client uses Kerberos, does the NTLM group membership parameter even get used?
_______________________________________________________________________________________________________________________________________
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> #http_access deny !memberof
> http_access allow localhost
> http_access allow HEAD
> http_access deny !our_networks
> http_access allow Smartconnect
> http_access deny blocksites all
> http_access allow Approved_Domains
> http_access deny RestrictedHost all
> http_access allow FullAccess auth

NP: FullAccess and auth ACLs require authentication to take place.

What is the point of the Java and WindowsUpdate and bypass_auth ACLs being tested *after* auth has already been required of the client?

Surely the bypasses should be first and the auth related things after.

> http_access allow Java
> http_access allow WindowsUpdate
> http_access allow bypass_auth
> http_access allow bypass_auth-external
> http_access allow goto_meeting
> http_access allow our_networks all
> http_access allow Java our_networks JavaSites
> http_access allow auth
> http_access deny !auth
> http_access deny all
> 

Generally the best pattern to use when designing http_access sequences is this:

+ allow <things that bypass auth>
+ "deny !auth"
+ allow <things that require auth>
+ "deny all"



Amos
_______________________________________________________________________________________________________________________________________

How does this look?

http_access deny !our_networks
http_access allow manager localhost
http_access allow HEAD
http_access allow Smartconnect
http_access allow Java
http_access allow WindowsUpdate
http_access allow bypass_auth
http_access allow bypass_auth-external
http_access allow Approved_Domains
http_access allow goto_meeting
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocksites
http_access deny RestrictedHost
http_access deny !auth
http_access allow FullAccess auth
http_access allow auth
http_access deny all

_______________________________________________________________________________________________________________________________________

Thanks!


Tommy Craddock
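Added worked example (written for this page; it is not Squid's squid_ldap_group and not the poster's code): a Python model of the lookup that the cache.log lines in the thread show. It reproduces the one-line exchange Squid has with an external ACL helper ("<%LOGIN> <group> [<group>...]" in, OK or ERR out), the -K/-S stripping of the Kerberos realm and NT domain from the login, expansion of the -f template, and a minimal RFC 4515 filter evaluator run over a constructed stand-in directory (the entries, group names and DN layout are assumptions). Two details it makes concrete. First, the helper substitutes the login for %v (or %u) and the group for %g (or %a) and copies every other character through, so the squid.conf line in the thread, which has sAMAccountName=$ where the command-line test used %v, searches for a literal "$" and gets ERR. Second, substituted values are filter-escaped, so a login such as a)(objectclass=*) cannot restructure the filter. The whitespace point Amos raised is visible too: the request line is split on spaces, so "Some Group" arrives as two group names.

```python
#!/usr/bin/env python3
"""Model of Squid's external ACL lookup through the memberof helper.
Added example for this page, not Squid's squid_ldap_group: request/reply
protocol, -K/-S login stripping, -f template expansion with RFC 4515 escaping,
and a tiny filter evaluator (equality only, case-insensitive like AD)."""
import re
import sys

# Constructed sample directory: an assumption, not the poster's AD.
DIRECTORY = [
    {"objectclass": ["person"], "samaccountname": ["tcraddock"],
     "memberof": ["CN=Full.Access,OU=Some.OU,DC=example,DC=com"]},
    {"objectclass": ["person"], "samaccountname": ["jdoe"],
     "memberof": ["CN=Restricted.Access,OU=Some.OU,DC=example,DC=com"]},
]

# The -f template from the thread's squid.conf, with %v for the user name.
FILTER = ("(&(objectclass=person)(sAMAccountName=%v)"
          "(memberof=cn=%g,ou=Some.OU,dc=example,dc=com))")

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value):
    """RFC 4515 escaping for a value spliced into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def normalize_user(login):
    """-K drops a Kerberos realm (user@REALM); -S drops an NT domain (DOM\\user)."""
    login = login.split("@", 1)[0]
    return login.split("\\", 1)[1] if "\\" in login else login

def build_filter(template, user, group):
    """Expand the -f template: %v/%u -> user, %g/%a -> group (both escaped).
    Every other character, '$' included, is copied through unchanged."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            repl = {"u": user, "v": user, "g": group, "a": group}.get(template[i + 1])
            if repl is not None:
                out.append(ldap_escape(repl))
                i += 2
                continue
        out.append(template[i])
        i += 1
    return "".join(out)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(s, i):
    """Recursive-descent parse of a filter subset; returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), _unescape(value)), end + 1

def matches(node, entry):
    op = node[0]
    if op == "&": return all(matches(k, entry) for k in node[1])
    if op == "|": return any(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def ldap_search(directory, filter_str):
    """Entries matching filter_str; a malformed filter raises ValueError."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("text after the closing ')' of the filter")
    return [e for e in directory if matches(node, e)]

def handle_line(line, directory=DIRECTORY, template=FILTER):
    """One request '<%LOGIN> <group> [<group>...]' -> 'OK' or 'ERR'.  Squid
    splits on whitespace, so a group name with a space arrives as two groups."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"
    user = normalize_user(fields[0])
    for group in fields[1:]:
        try:
            if ldap_search(directory, build_filter(template, user, group)):
                return "OK"
        except (ValueError, IndexError):
            return "ERR"  # unparseable filter: fail closed
    return "ERR"

def main():  # helper loop: one request line in, one reply line out
    for line in sys.stdin:
        print(handle_line(line), flush=True)

if __name__ == "__main__":
    main()
```

Run it the way the command-line test in the thread is run, feeding the request on stdin, e.g. `echo 'tcraddock@EXAMPLE.COM Full.Access' | python3 memberof_model.py`, which prints OK; the same line with the template's %v replaced by $ prints ERR, which is the reply the cache.log above records.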





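Added illustration (not part of the original thread): a first-match model of http_access evaluation, run over the 19-line list proposed in the reply above and over a rearrangement of the same ACLs that follows the pattern Amos quoted. The rearrangement is an assumption of this example, not the list author's: the port-safety denies and the block lists are restored ahead of the auth-bypass allows, "deny !auth" sits before anything that needs a login, and "allow HEAD" is left out because at the top of the list it admits any HEAD request before the denies below it are reached. Requests are modelled as the set of ACL names they match (constructed data) and every ACL is treated as a plain predicate; a real proxy_auth ACL such as "auth" additionally sends a 407 challenge when it fails for lack of credentials, which this model does not represent.

```python
#!/usr/bin/env python3
"""First-match model of Squid's http_access evaluation.
Added example for this page, not Squid code.  A request is the set of ACL
names that match it (constructed); 'auth' is just true/false here although
a real proxy_auth ACL also challenges (407) when no credentials are sent."""

# The list proposed in the reply above, verbatim.
PROPOSED = """
http_access deny !our_networks
http_access allow manager localhost
http_access allow HEAD
http_access allow Smartconnect
http_access allow Java
http_access allow WindowsUpdate
http_access allow bypass_auth
http_access allow bypass_auth-external
http_access allow Approved_Domains
http_access allow goto_meeting
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocksites
http_access deny RestrictedHost
http_access deny !auth
http_access allow FullAccess auth
http_access allow auth
http_access deny all
"""

# Same ACLs along the quoted pattern (assumption: this example's ordering, not
# the list author's): safety denies and block lists first, then bypass allows,
# then 'deny !auth', then the login-dependent allows; no 'allow HEAD'.
RECOMMENDED = """
http_access deny !our_networks
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocksites
http_access deny RestrictedHost
http_access allow Smartconnect
http_access allow Java
http_access allow WindowsUpdate
http_access allow bypass_auth
http_access allow bypass_auth-external
http_access allow goto_meeting
http_access allow Approved_Domains
http_access deny !auth
http_access allow FullAccess auth
http_access allow auth
http_access deny all
"""

def parse_http_access(text):
    """Turn http_access lines into (action, [acl, ...]) tuples, keeping order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access" or parts[1] not in ("allow", "deny"):
            raise ValueError("not an http_access line: " + raw)
        rules.append((parts[1], parts[2:]))
    return rules

def acl_matches(acl, matched):
    """'!name' matches when name is absent from the request's matched set."""
    return (acl[1:] not in matched) if acl.startswith("!") else (acl in matched)

def evaluate(rules, matched):
    """Squid semantics: the first line whose ACLs all match decides; if no
    line matches, the result is the opposite of the last line's action."""
    matched = set(matched) | {"all"}  # the built-in 'all' ACL always matches
    for idx, (action, acls) in enumerate(rules, 1):
        if all(acl_matches(a, matched) for a in acls):
            return action, idx, "http_access %s %s" % (action, " ".join(acls))
    return ("deny" if rules[-1][0] == "allow" else "allow"), None, "(implicit default)"

# Constructed requests: the ACL names each one matches.
REQUESTS = {
    "approved domain, non-safe port, no login": {"our_networks", "Approved_Domains"},
    "ordinary site, no login": {"our_networks", "Safe_ports"},
    "Full.Access user, ordinary site": {"our_networks", "Safe_ports", "auth", "FullAccess"},
    "HEAD to a blocksites host, no login": {"our_networks", "Safe_ports", "HEAD", "blocksites"},
    "client outside our_networks": {"Safe_ports", "auth"},
}

def main():
    proposed, recommended = parse_http_access(PROPOSED), parse_http_access(RECOMMENDED)
    for name, matched in REQUESTS.items():
        p, r = evaluate(proposed, matched), evaluate(recommended, matched)
        print("%-42s proposed: %-5s (line %s)   recommended: %-5s (line %s)"
              % (name, p[0], p[1], r[0], r[1]))

if __name__ == "__main__":
    main()
```

The comparison makes the consequence of line order concrete: in the proposed list an unauthenticated request to an Approved_Domains host on a non-Safe_ports port is allowed at line 9 before "deny !Safe_ports" at line 12 is ever consulted, and "allow HEAD" at line 3 passes a HEAD request to a blocksites host; in the rearranged list both stop at the safety denies, while a plain unauthenticated request still reaches "deny !auth" and an authenticated Full.Access user still reaches "allow FullAccess auth" in either order.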
