[squid-users] ext_ldap_group_acl not working

alesironi alesironi at yahoo.it
Mon Feb 1 13:50:29 UTC 2016


> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at .squid-cache] On behalf of
> alesironi
> Sent: Monday 1 February 2016 13:28
> To: squid-users at .squid-cache
> Subject: Re: [squid-users] ext_ldap_group_acl not working
> 
> Amos Jeffries wrote
> > On 1/02/2016 11:40 p.m., Alessandro Sironi wrote:
> >>
> >> Hello everyone
> >>
> >> I'm a newbie regarding SQUID and in general on Linux.
> >> I have an Active Directory environment (Windows Server 2012 R2) and a
> >> Linux Debian 8 Jessie configured in the same network.
> >> My goal is to install SQUID on Debian, integrate it with Active Directory
> >> using Kerberos and authorise users to use SQUID based on an Active
> >> Directory security group membership lookup.
> >> Long story short, I followed the instructions here
> >> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid
> >>
> >>
> >> My test environment:
> >> Active Directory domain: KIDANEMEHRET.LOCAL
> >> test user: KIDANEMEHRET\test-full
> >> Security groups it is a member of: "Internet Users Full", "Internet
> >> Users Standard"
> >>
> >> Test done
> >> After having properly configured my test client (Windows 7 joined to
> >> the domain), logged on with the test user KIDANEMEHRET\test-full, and
> >> configured Internet Explorer to use the proxy, what I get every time I
> >> try to browse the internet is a SQUID page telling me Access Denied.
> >>
> >> Quick Analysis
> >> Having a look at access.log and cache.log (see attached), I understand
> >> that the user is properly authenticated (I see KIDANEMEHRET\test-full
> >> properly written in each log).
> >> For this reason I suspect the problem is in the authorisation part.
> >>
> >> I then try to run from the terminal the program used in SQUID.CONF to
> >> check authorisation (based on the wiki too); note that I'm running with
> >> sudo because otherwise, as a standard user, I get no access to the
> >> password file:
> >>
> >
> > You need to ensure this test is run as the Squid low-privilege user
> > account, not as root via sudo. If the access to the passwords file is also
> > not working for Squid's low-priv user account, that could be the problem.
> >
> >> sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
> >> "dc=kidanemehret,dc=local" -D squid@ -W /etc/squid3/ldappass.txt -f
> >> "(&(objectclass=person)(sAMAccountName=%v)
> >> (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h
> >> domcon.kidanemehret.local test-full Internet%20Users%20Full
> >> I do not get any result: waiting for minutes...
> >>
> >
> > Add the -d option for debug output about what the helper is doing during
> > those minutes.
> >
> > Amos
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at .squid-cache
> > http://lists.squid-cache.org/listinfo/squid-users
> 
> That's exactly the problem: if I run the test as a normal user (i.e. no
> sudo), I get
> ERROR: Can Not Read Secret File /etc/squid3/ldappass.txt
> I imagine I have to modify the security on that file, but how? Sorry for
> the dumb question....
> 

Ok, let me recap my tests

- I followed all suggestions from Luis:

/etc/default/Squid3 (not /etc/default/squid.... ) was already there with the
right content. I renamed it to /etc/default/squid* (please confirm if I did
this properly)
chown root:squid /etc/squid3/ldappass.txt (and also PROXY.Keytab)
chmod 440 /etc/squid3/ldappass.txt (and also PROXY.Keytab)
modified KRB5.conf, commenting out "default_keytab_name =
/etc/squid3/PROXY.keytab"

- I then added -d and ran the following command line

/usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local"
-D [hidden email] -W /etc/squid3/ldappass.txt -f
"(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%g,ou=Service
Accounts,ou=USR,dc=kidanemehret,dc=local))" -d -h domcon.kidanemehret.local
test-full Internet%20Users%20Full

I get the following error: Can not Read Secret File /etc/squid3/ldappass.txt

- ran the following (basically putting the password in clear, bypassing the
password file)

/usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" -D
[hidden email] -w mypassword -f "(&(objectclass=person)(sAMAccountName=%v)
(memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -d -h
domcon.kidanemehret.local -d test-full Internet%20Users%20Full

I get the following error:
ext_ldap_group_acl.cc(478): pid=1778 :Internet%20Users%20Full: Invalid
Request: NO Username given
ERR Invalid Request. No Username
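Added example, not code from the thread or from the Squid project: a small POSIX shell check for the secret-file ownership and mode the thread settles on (root:squid, 0440) plus a readability test as the helper's own low-privilege account, which is what Amos asks for. The file path, owner, group and account name are parameters; the account name "proxy" in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that a helper secret file
# such as /etc/squid3/ldappass.txt is owned by the expected user:group and
# is mode 0440 or tighter, then (optionally) that the Squid account itself
# can read it. All names below are parameters, not values from the thread.

# check_secret_perms FILE OWNER GROUP
# Returns 0 when FILE exists, is owned by OWNER:GROUP, has no execute bits,
# no bits for "other", and at most read for the group (0440 or tighter).
check_secret_perms() {
    file=$1 owner=$2 group=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # ls -ld prints e.g. "-r--r----- 1 root squid 12 Feb  1 13:50 FILE";
    # fields 1, 3 and 4 are mode string, owner and group.
    set -- $(ls -ld "$file")
    perms=$1 fowner=$3 fgroup=$4
    [ "$fowner" = "$owner" ] || { echo "$file: owner $fowner, want $owner" >&2; return 1; }
    [ "$fgroup" = "$group" ] || { echo "$file: group $fgroup, want $group" >&2; return 1; }
    case $perms in
        # type char, user r/w only, group read or nothing, other nothing;
        # the trailing * tolerates the ACL/SELinux marker ls may append.
        ?[r-][w-]-[r-]-----*) return 0 ;;
        *) echo "$file: mode $perms too open, want 0440 or tighter" >&2; return 1 ;;
    esac
}

# check_readable_as ACCOUNT FILE
# Runs the read test as the Squid account, not as root via sudo, so the
# result matches what the helper will see at runtime. Needs sudo rights.
check_readable_as() {
    sudo -n -u "$1" test -r "$2" || { echo "$2 not readable by $1" >&2; return 1; }
}

# Usage (as root; "proxy" is an assumed account name, adjust to yours):
#   check_secret_perms /etc/squid3/ldappass.txt root squid && \
#   check_readable_as proxy /etc/squid3/ldappass.txt
```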
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ext-ldap-group-acl-not-working-tp4675816p4675824.html
Sent from the Squid - Users mailing list archive at Nabble.com.