[squid-users] ext_ldap_group_acl not working

L.P.H. van Belle belle at bazuin.nl
Mon Feb 1 14:30:17 UTC 2016


Just a question..

You are using Debian, I did say..

chmod root:proxy ( proxy is the default squid user in Debian )

I see..
chown root:squid /etc/squid3/ldappass.txt

try again with 
chown root:proxy /etc/squid3/ldappass.txt

Greetz, 

Louis


> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of alesironi
> Sent: Monday 1 February 2016 14:50
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] ext_ldap_group_acl not working
> 
> > -----Original Message-----
> > From: squid-users [mailto:squid-users-bounces at .squid-cache] On Behalf Of alesironi
> > Sent: Monday 1 February 2016 13:28
> > To: squid-users at .squid-cache
> > Subject: Re: [squid-users] ext_ldap_group_acl not working
> >
> > Amos Jeffries wrote
> > > On 1/02/2016 11:40 p.m., Alessandro Sironi wrote:
> > >>
> > >> Hello everyone
> > >>
> > >> I'm a newbie regarding SQUID and in general on Linux.
> > >> I have an Active Directory environment (Windows Server 2012 R2) and a
> > >> Linux Debian 8 Jessie configured in the same network.
> > >> My goal is to install SQUID on Debian, integrate with Active Directory
> > >> using Kerberos and authorise users to use SQUID based on an Active
> > >> Directory security group membership lookup.
> > >> Long story short, I followed the instructions here
> > >> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid
> > >>
> > >> My test environment:
> > >> Active Directory domain: KIDANEMEHRET.LOCAL
> > >> test user: KIDANEMEHRET\test-full
> > >> Security groups it is a member of: "Internet Users Full", "Internet
> > >> Users Standard"
> > >>
> > >> Test done
> > >> After having properly configured my test client (Windows 7 joined to the
> > >> domain), logged on with the test user KIDANEMEHRET\test-full, configured
> > >> Internet Explorer to use the proxy, what I get every time I try to browse
> > >> the internet is a SQUID page telling me Access Denied.
> > >>
> > >> Quick Analysis
> > >> Having a look at access.log and cache.log (see attached), I understand
> > >> that the user is properly authenticated (I see KIDANEMEHRET\test-full
> > >> properly written in each log).
> > >> For this reason I suspect the problem is in the authorisation part.
> > >>
> > >> I then try to run from the terminal the program used in SQUID.CONF to
> > >> check authorisation (based on the wiki too); note that I'm running with
> > >> sudo because otherwise, as a standard user, I get no access to the
> > >> password file:
> > >>
> > >
> > > You need to ensure this test is run as the Squid low-privilege user
> > > account. Not as root via sudo. If the access to passwords file is also
> > > not working for Squid's low-priv user account that could be the problem.
> > >
> > >> sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
> > >> "dc=kidanemehret,dc=local" -D squid@ -W /etc/squid3/ldappass.txt -f
> > >> "(&(objectclass=person)(sAMAccountName=%v)
> > >> (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h
> > >> domcon.kidanemehret.local test-full Internet%20Users%20Full
> > >> Do not get any result: waiting for minutes...
> > >>
> > >
> > > Add the -d option for debug output about what the helper is doing during
> > > those minutes.
> > >
> > > Amos
> > >
> > > _______________________________________________
> > > squid-users mailing list
> > > squid-users at .squid-cache
> > > http://lists.squid-cache.org/listinfo/squid-users
> > >
> > > _______________________________________________
> > > squid-users mailing list
> >
> > > squid-users at .squid-cache
> >
> > > http://lists.squid-cache.org/listinfo/squid-users
> >
> > That's exactly the problem: if I run the test as a normal user (i.e.: no
> > sudo), I get
> > ERROR: Can Not Read Secret File /etc/squid3/ldappass.txt
> > I imagine I have to modify the security on that file, but how? Sorry for
> > the dumb question....
> >
> > --
> > View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ext-ldap-group-acl-not-working-tp4675816p4675822.html
> > Sent from the Squid - Users mailing list archive at Nabble.com.
> 
> 
> 
> 
> Ok, let me recap my tests
> 
> - I followed all suggestions from Louis:
> 
> /etc/default/Squid3 (not /etc/default/squid.... ) was already there with the
> right content. I renamed it to /etc/default/squid (please confirm if I did
> properly)
> chown root:squid /etc/squid3/ldappass.txt (and also PROXY.Keytab)
> chmod 440 /etc/squid3/ldappass.txt (and also PROXY.Keytab)
> modified KRB5.conf commenting "default_keytab_name = /etc/squid3/PROXY.keytab"
> 
> - I then added -d and ran the following command line
> 
> /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" \
>   -D [hidden email] -W /etc/squid3/ldappass.txt \
>   -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" \
>   -d -h domcon.kidanemehret.local test-full Internet%20Users%20Full
> 
> I get the following error: Can not Read Secret File /etc/squid3/ldappass.txt
> 
> - ran the following (basically putting the password in clear, bypassing the
> password file)
> 
> /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" \
>   -D [hidden email] -w mypassword \
>   -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" \
>   -d -h domcon.kidanemehret.local -d test-full Internet%20Users%20Full
> 
> I get the following error:
> ext_ldap_group_acl.cc(478): pid=1778 :Internet%20Users%20Full: Invalid Request: NO Username given
> ERR Invalid Request. No Username
> 
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/ext-ldap-group-acl-not-working-tp4675816p4675824.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
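An added example (my own script, not code from this thread) for the permission problem discussed above: it checks that a Squid helper secret file such as /etc/squid3/ldappass.txt is readable by the Squid runtime user (proxy on Debian, as Louis points out) and by nobody else, and prints the chown/chmod fix otherwise. It assumes GNU coreutils stat and a POSIX sh; the function name is mine.

```shell
#!/bin/sh
# Audit a Squid helper secret file (e.g. /etc/squid3/ldappass.txt).
# ext_ldap_group_acl runs as Squid's low-privilege user ("proxy" on Debian,
# assumed here), so that user must be able to read the file, and no other
# user should. Assumes GNU coreutils stat. Example script, not Squid's own.

# check_secret_file FILE USER
# Returns 0 when USER can read FILE via the owner or group bits and FILE is
# not world-readable; otherwise prints the fix to apply and returns 1.
check_secret_file() {
    file=$1
    user=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    # owner, group and octal mode, e.g. "root proxy 440"
    set -- $(stat -c '%U %G %a' "$file")
    [ $# -eq 3 ] || { echo "cannot stat: $file"; return 1; }
    owner=$1; group=$2
    mode=$(printf '%04d' "$3")   # zero-pad: 40 -> 0040, 440 -> 0440
    mode=${mode#?}               # drop the setuid/setgid/sticky digit
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}

    # read bit is 4 in each octal digit
    if [ $((o & 4)) -ne 0 ]; then
        echo "$file is world-readable (mode $mode): chmod 440 '$file'"
        return 1
    fi
    if [ "$owner" = "$user" ] && [ $((u & 4)) -ne 0 ]; then
        return 0
    fi
    if [ $((g & 4)) -ne 0 ] && id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        return 0
    fi
    echo "$user cannot read $file (owner=$owner group=$group mode=$mode):" \
         "chown root:$user '$file' && chmod 440 '$file'"
    return 1
}

# Usage: ./check_secret_file.sh /etc/squid3/ldappass.txt proxy
if [ $# -eq 2 ]; then
    check_secret_file "$1" "$2"
fi
```

Once the file passes this check, note that ext_ldap_group_acl takes its lookups as `user group` lines on standard input, so the manual test is to pipe such a line into the helper while running as the proxy user rather than placing the username and group on the command line.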


